Topic: require ldap-group not working in .htaccess

[terencewklau]

Hi,

I've installed Apache 2.4.7 on Ubuntu Server 14.04.3 for the purpose of running OpenDCIM.

The .htaccess file has the following config:

AuthName "AD Authentication"
AuthType Basic
AuthBasicProvider file ldap
AuthUserFile /var/www/.htpasswd
AuthLDAPURL "ldap://domain.com/OU=Company Name,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "CN=OpenDCIM LDAP Bind Service Account (P),OU=OpenDCIM,OU=Robot Users,OU=Users,OU=Company Name,DC=domain,DC=com"
AuthLDAPBindPassword somepassword
Require user dcim
Require ldap-group CN=OpenDCIM Administrators,OU=OpenDCIM,OU=Global Application Security Groups,OU=Security Groups,OU=Company Name,DC=domain,DC=com

The login dialog box appears when navigating to the site and the local dcim user account works. But AD users in the security group "OpenDCIM Administrators" are not working.

Error log says "User user.name not found". I've tried the following username format:

user.name
domain\user.name
user.name@domain.com

And none of them work. If I modify the .htaccess file to:

AuthName "AD Authentication"
AuthType Basic
AuthBasicProvider file ldap
AuthUserFile /var/www/.htpasswd
AuthLDAPURL "ldap://domain.com/OU=Company Name,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "CN=OpenDCIM LDAP Bind Service Account (P),OU=OpenDCIM,OU=Robot Users,OU=Users,OU=Company Name,DC=domain,DC=com"
AuthLDAPBindPassword somepassword
Require valid-user

Then it works but for all AD users, which is not ideal.

Any advice would be much appreciated.

[James Blond]

Since Require valid-user works, you may try

Require group group-name group2-name

[terencewklau]

Nested groups was the issue. Had to add:

AuthLDAPMaxSubGroupDepth 1
AuthLDAPSubgroupAttribute member
AuthLDAPSubGroupClass group
AuthLDAPGroupAttribute member