I have got authentication working on my Apache 2.4 webserver, if I require a specific user. However, I would like to require one or more specific groups. I have tried the example given in the documentation: Require ldap-group with no group name specified.
I get this result in my log files: [Wed Jan 12 13:13:52.676003 2022] [authnz_ldap:debug] [pid 23541] mod_authnz_ldap.c(899): [client 10.14.0.18:36914] AH01713: auth_ldap authorize: require group: testing for group membership in "" [Wed Jan 12 13:13:52.841650 2022] [authnz_ldap:debug] [pid 23541] mod_authnz_ldap.c(926): [client 10.14.0.18:36914] AH01719: auth_ldap authorize: require group "": didn't match with attr Comparison complete [memberOf][53 - Server is unwilling to perform] [Wed Jan 12 13:13:52.841690 2022] [authnz_ldap:debug] [pid 23541] mod_authnz_ldap.c(943): [client 10.14.0.18:36914] AH01716: auth_ldap authorise: require group "": failed [Comparison complete][53 - Server is unwilling to perform], checking sub-groups [Wed Jan 12 13:13:52.842761 2022] [authnz_ldap:debug] [pid 23541] mod_authnz_ldap.c(966): [client 10.14.0.18:36914] AH01718: auth_ldap authorise: require group (sub-group) "": didn't match with attr DN failed group verification. [memberOf][53 - Server is unwilling to perform] I have tried the following in the configuration: Require ldap-group cn=accounts Require ldap-group accounts with AuthLDAPGroupAttributeIsDN set to both "on" and "off". Neither work: [Wed Jan 12 14:02:47.588735 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(907): [client 10.14.0.18:38342] AH01714: auth_ldap authorize: require group: testing for memberOf: uid=testuser,cn=users,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com (cn=accounts) [Wed Jan 12 14:02:47.753521 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(926): [client 10.14.0.18:38342] AH01719: auth_ldap authorize: require group "cn=accounts": didn't match with attr Comparison complete [memberOf][32 - No such object] [Wed Jan 12 14:02:47.753562 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(943): [client 10.14.0.18:38342] AH01716: auth_ldap authorise: require group "cn=accounts": failed [Comparison complete][32 - No such object], checking sub-groups [Wed Jan 12 14:02:47.754391 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(966): [client 10.14.0.18:38342] AH01718: auth_ldap authorise: require group (sub-group) "cn=accounts": didn't match with attr DN failed group verification. [memberOf][32 - No such object] [Wed Jan 12 14:02:47.754422 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(899): [client 10.14.0.18:38342] AH01713: auth_ldap authorize: require group: testing for group membership in "accounts" [Wed Jan 12 14:02:47.754426 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(907): [client 10.14.0.18:38342] AH01714: auth_ldap authorize: require group: testing for memberOf: uid=testuser,cn=users,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com (accounts) [Wed Jan 12 14:02:47.764320 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(926): [client 10.14.0.18:38342] AH01719: auth_ldap authorize: require group "accounts": didn't match with attr Comparison complete [memberOf][32 - No such object] [Wed Jan 12 14:02:47.764358 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(943): [client 10.14.0.18:38342] AH01716: auth_ldap authorise: require group "accounts": failed [Comparison complete][32 - No such object], checking sub-groups [Wed Jan 12 14:02:47.765169 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(966): [client 10.14.0.18:38342] AH01718: auth_ldap authorise: require group (sub-group) "accounts": didn't match with attr DN failed group verification. [memberOf][32 - No such object] I would appreciate any help to get this working. I am running on a fully updated CentOS 7 VM. _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure