
I have implemented LDAP Authentication in Apache 2.4 (RHEL 8.5) with an Active Directory backend. The setup works perfectly with a basic "Require valid-user" directive. Now I need to restrict authentication to a specific group of Active Directory users with the "Require ldap-group" directive, but authentication is now denied when trying to authenticate with a user who is a member of the authorized group.

Using a basic "Require valid-user" authentication works like a charm, but when using "Require ldap-group" it doesn't. I also tried "Require ldap-filter" without success.

  • Active Directory group: my_group (CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld)
  • Active Directory user: my_user, member of "my_group"

Apache Log (DEBUG)

[Xxx Xxx XX xx:xx:xx.xx 20XX] [authnz_ldap:debug] [pid 90767:tid 13975006511XXXX] mod_authnz_ldap.c(620): [client XX.XX.XX.XX:40388] AH01697: auth_ldap authenticate: accepting my_user
[Xxx Xxx XX xx:xx:xx.xx 20XX] [authz_core:debug] [pid 90767:tid 13975006511XXXX] mod_authz_core.c(820): [client XX.XX.XX.XX:40388] AH01626: authorization result of Require ldap-group CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld: denied
[Xxx Xxx XX xx:xx:xx.xx 20XX] [authz_core:debug] [pid 90767:tid 13975006511XXXX] mod_authz_core.c(820): [client XX.XX.XX.XX:40388] AH01626: authorization result of <RequireAny>: denied
[Xxx Xxx XX xx:xx:xx.xx 20XX] [authz_core:error] [pid 90767:tid 13975006511XXXX] [client XX.XX.XX.XX:40388] AH01631: user my_user: authorization failure for "/app/":

Apache configuration file "ad.conf":

<AuthnProviderAlias ldap mydc01>
        AuthLDAPBindDN bind@domain.tld
        AuthLDAPBindPassword XXXXXXXXXXXXXX
        AuthLDAPURL ldaps://mydc01.domain.tld/DC=domain,DC=tld?sAMAccountName?sub?(objectClass=*)
</AuthnProviderAlias>

<AuthnProviderAlias ldap mydc02>
        AuthLDAPBindDN bind@domain.tld
        AuthLDAPBindPassword XXXXXXXXXXXXXX
        AuthLDAPURL ldaps://mydc02.domain.tld/DC=domain,DC=tld?sAMAccountName?sub?(objectClass=*)
</AuthnProviderAlias>

<Directory /var/www/app>
        AuthName "AD authentication"
        AuthBasicProvider mydc01 mydc02
        AuthType Basic
        AuthLDAPGroupAttribute member
        AuthLDAPGroupAttributeIsDN off

        # OK
        # Require valid-user

        # Not working
        Require ldap-group CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld

        # Not working
        # Require ldap-filter (memberOf=CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld)

        # Not working
        # Require ldap-attribute memberOf="CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld"

</Directory>
donmelchior
  • AuthLDAPBindDN is not configured properly. It should point to a branch in your ldap under which your group is found. Look at https://serverfault.com/questions/813932/apache-user-authentication-based-on-ldap-group-memberships-not-working for a working example. – Nic3500 Mar 08 '22 at 05:35
  • @Nic3500: In the example you mentioned, AuthLDAPBindDN and the group are not within the same branch: the bind user identified by AuthLDAPBindDN is "CN=apache,OU=Accounts,DC=example,DC=com" and the group is "CN=example,OU=Groups,DC=example,DC=com". I already tried to set AuthLDAPBindDN to its complete DN and move it within the same LDAP branch as the inclusion group, without success: Denied – donmelchior Mar 08 '22 at 09:24
  • I also tried to set "AuthLDAPGroupAttributeIsDN" to off to allow the group membership check to be based on the sAMAccountName of the user and not its DN; the same issue occurs: Denied. Additionally I tried to use Require ldap-attribute, without success either – donmelchior Mar 09 '22 at 14:12
  • Of course I double-checked my test user's LDAP attributes with ldapsearch, and the memberOf attribute is there with the relevant group DN: memberOf: CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld, which is puzzling – donmelchior Mar 09 '22 at 14:24
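Neither the question nor the comments spell out what mod_authnz_ldap actually compares when it evaluates "Require ldap-group", so the following is an added Python model of that check (example code written for this page; it is not part of the question and not Apache's own code). It reproduces the documented semantics of AuthLDAPGroupAttributeIsDN and of "Require ldap-filter" against a constructed in-memory directory whose DNs mirror the placeholders in the post; the user entry, its DN and the group's member value are assumptions made for the example.

```python
"""Model of mod_authnz_ldap's Require ldap-group / ldap-filter evaluation.

Added example, not from the post. The directory below is a constructed,
in-memory stand-in for the Active Directory in the question; DNs follow
the post's placeholders, and the user's own DN is an assumption.
"""
import re

# Constructed sample entries keyed by DN; attribute values are lists, as in LDAP.
DIRECTORY = {
    "CN=my_user,OU=Users,DC=domain,DC=tld": {          # assumed user DN
        "objectClass": ["user"],
        "sAMAccountName": ["my_user"],
        "memberOf": ["CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld"],
    },
    "CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld": {
        "objectClass": ["group"],
        # Active Directory stores group membership as member DNs,
        # never as bare usernames.
        "member": ["CN=my_user,OU=Users,DC=domain,DC=tld"],
    },
}


def normalize_dn(dn):
    """Comparison key for DNs: case-insensitive, no whitespace after commas."""
    return re.sub(r",\s*", ",", dn.strip()).lower()


def find_user_dn(directory, attribute, username):
    """Equivalent of the AuthLDAPURL search: <attribute>=<username> under the base."""
    for dn, entry in directory.items():
        if username in entry.get(attribute, []):
            return dn
    return None


def require_ldap_group(directory, username, group_dn,
                       group_attribute="member", group_attribute_is_dn=True):
    """Return True if `username` satisfies `Require ldap-group <group_dn>`.

    Documented semantics: with AuthLDAPGroupAttributeIsDN on, the authenticated
    user's DN is compared against the group's attribute values; with it off,
    the bare username is compared instead.
    """
    user_dn = find_user_dn(directory, "sAMAccountName", username)
    if user_dn is None:
        return False  # authentication would already have failed
    group = next((entry for dn, entry in directory.items()
                  if normalize_dn(dn) == normalize_dn(group_dn)), None)
    if group is None:
        return False
    members = group.get(group_attribute, [])
    if group_attribute_is_dn:
        return any(normalize_dn(m) == normalize_dn(user_dn) for m in members)
    return any(m.lower() == username.lower() for m in members)


def require_ldap_filter(directory, username, ldap_filter):
    """Return True if the user's entry matches a single (attr=value) equality filter,
    which is the documented effect of `Require ldap-filter`."""
    match = re.fullmatch(r"\((\w+)=(.+)\)", ldap_filter.strip())
    if match is None:
        raise ValueError("only a single (attr=value) filter is modelled here")
    attribute, value = match.groups()
    user_dn = find_user_dn(directory, "sAMAccountName", username)
    if user_dn is None:
        return False
    values = directory[user_dn].get(attribute, [])
    return any(normalize_dn(v) == normalize_dn(value) for v in values)


if __name__ == "__main__":
    group = "CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld"
    for is_dn in (False, True):
        verdict = require_ldap_group(DIRECTORY, "my_user", group,
                                     group_attribute_is_dn=is_dn)
        print(f"AuthLDAPGroupAttributeIsDN {'on' if is_dn else 'off'}: "
              f"{'granted' if verdict else 'denied'}")
    print("ldap-filter memberOf:",
          "granted" if require_ldap_filter(
              DIRECTORY, "my_user", f"(memberOf={group})") else "denied")
```

With the directive set to off, as in the ad.conf above, the bare username is compared against the group's member values; because an Active Directory group's member attribute holds DNs, that comparison cannot match, and the model returns "denied" exactly as the AH01626 log line does. With it on (the Apache default) the user's DN is compared, so the verdict depends on the DN returned by the sAMAccountName search matching a member value character-for-character after case and whitespace normalisation, which is what an ldapsearch of both the user entry and the group entry should be used to confirm.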

0 Answers