Apache LDAP Authentication and Require ldap-group

I was able to get htauth working against LDAP and restricting against groups using:

<Location /protected>
    # Ldap auth access
    AuthType Basic
    AuthName "Restricted"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
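    # Note: ldap:// carries the bind password unencrypted between Apache and the directory
    AuthLDAPURL "ldap://ldap.linuxweblog.com/ou=People,dc=linuxweblog,dc=com"
    # Must be the exact DN of the group entry (see the ldapsearch output)
    Require ldap-group cn=web,ou=group,dc=linuxweblog,dc=com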
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPGroupAttribute memberUid
</Location>

Here is what the LDAP search entry looks like:

# ldapsearch -x 'cn=web'
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: cn=web
# requesting: ALL
#

# web, group, linuxweblog.com
dn: cn=web,ou=group,dc=linuxweblog,dc=com
objectClass: posixGroup
gidNumber: 10002
cn: web
description: access to web protected folders
memberUid: user1

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

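It is essential to set "AuthLDAPGroupAttributeIsDN off" and "AuthLDAPGroupAttribute memberUid" so that the group check reaches the member attribute: with these settings the login name, rather than the user's DN, is compared against the group's memberUid values.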
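The following is an added example, not part of the original post and not Apache's code: it models the group comparison as plain string matching over the group entry shown above, to show why both directives are needed. The user DN layout (`uid=user1,ou=People,...`) and the function names are assumptions.

```python
# Added illustration: a simplified model of the "Require ldap-group" check.
# Real mod_authnz_ldap issues LDAP compare operations; this uses exact string matching.

# Constructed sample: the group entry from the ldapsearch output in the post.
GROUP_LDIF = """\
dn: cn=web,ou=group,dc=linuxweblog,dc=com
objectClass: posixGroup
gidNumber: 10002
cn: web
description: access to web protected folders
memberUid: user1
"""

def parse_entry(ldif):
    """Parse one simple LDIF entry into {attribute: [values]} (no base64, no folding)."""
    entry = {}
    for line in ldif.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        entry.setdefault(attr.lower(), []).append(value)
    return entry

def in_group(entry, username, user_dn, group_attrs, attribute_is_dn):
    """True if the user matches a value of any configured group attribute.

    attribute_is_dn=True  models AuthLDAPGroupAttributeIsDN on  (compare the user's DN)
    attribute_is_dn=False models AuthLDAPGroupAttributeIsDN off (compare the login name)
    """
    needle = user_dn if attribute_is_dn else username
    return any(needle in entry.get(attr.lower(), []) for attr in group_attrs)

GROUP = parse_entry(GROUP_LDIF)
USER = "user1"
USER_DN = "uid=user1,ou=People,dc=linuxweblog,dc=com"  # assumed DN layout

# Module defaults: member/uniqueMember attributes, compared against the user's DN.
default_result = in_group(GROUP, USER, USER_DN, ["member", "uniqueMember"], True)
# Settings from the post: memberUid compared against the login name.
post_result = in_group(GROUP, USER, USER_DN, ["memberUid"], False)
# Only AuthLDAPGroupAttribute changed: the DN is compared against memberUid values.
half_result = in_group(GROUP, USER, USER_DN, ["memberUid"], True)

if __name__ == "__main__":
    print("defaults:", default_result)
    print("post settings:", post_result)
    print("memberUid, IsDN on:", half_result)
```

Only the combination used in the post matches a posixGroup entry, because memberUid holds bare login names rather than DNs.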

Reference: mod_authnz_ldap

Comments

htauth logout

When testing, you can easily log out of htauth sessions via:

http://logout@domain.tld/protected/

This should invalidate the current logged-in session and prompt to log in again.
