We are trying to allow Apache to authenticate users to a certain site based on being in one of 3 OU designations in AD. 3. A specific client OU (Client ABC in our example) 1. Service Accounts 2. Internal Support
We have set up 3 "AuthnProviderAlias" directives. Notably, all the alias definitions use the same AuthLDAPBindDN, AuthLDAPBindPassword and only slight changes to the " AuthLDAPURL" specifying the OU for each grouping. <AuthnProviderAlias ldap CLIENT_ABC> AuthLDAPBindDN "<Same as above>" AuthLDAPBindPassword "test" AuthLDAPURL "ldap://util.joesgarage.com:3268/OU=Client ABC,OU=External,OU=ALL_Users,DC=joesgarage,DC=com?sAMAccountName?sub?(objectClass=user)" </AuthnProviderAlias> <AuthnProviderAlias ldap SERVICE_ACCOUNTS> AuthLDAPBindDN "<An admin user DN that can bind/search>" AuthLDAPBindPassword "test" AuthLDAPURL ldap://util.joesgarage.com:3268/OU=SERVICE ACCOUNTS,OU=Internal,OU=ALL_Users,DC=joesgarage,DC=com?sAMAccountName?sub?(objectClass=user)" </AuthnProviderAlias> <AuthnProviderAlias ldap INTERNAL_SUPPORT> AuthLDAPBindDN "<Same as above>" AuthLDAPBindPassword "test" AuthLDAPURL "ldap://util.joesgarage.com:3268/OU=INTERNAL SUPPORT,OU=Internal,OU=ALL_Users,DC=joesgarage,DC=com?sAMAccountName?sub?(objectClass=user)" </AuthnProviderAlias> Our "Directory" directive is set to try each of these aliases (different OUs in the same directory) in order until a match is found: <Directory "/var/www/html/Client_ABC/"> ... AuthBasicProvider CLIENT_ABC SERVICE_ACCOUNTS INTERNAL_SUPPORT AuthType Basic AuthName "Client ABC Login" AuthzLDAPAuthoritative off Require valid-user </Directory> This doesn't seem to work. I know your thinking - "why not just use groups"? Ans: Simply because we don't want to have to maintain groups for our many clients. We would like to rely on the client user's presence in the OU (and allow our service accounts and support personnel at the same time to all sites) Is this a bug or is there a better way to accomplish this? Regards, Brian
