I am trying to authenticate using an Active Directory User on a Website running on Apache.

My Setup

Active Directory: User "steven" is a member of the group "staff". User "cindy" is a member of the group "finances" which is a member of "staff" (= cindy is a member of a subgroup of the "staff" group).

Apache: Apache 2.4 with mod_authnz_ldap

My Apache site config:

    AuthName "Please enter your login data."
    AuthType Basic
    AuthBasicProvider ldap

    AuthLDAPBindDN account@domain.local
    AuthLDAPBindPassword "userpassword"

    AuthLDAPURL "ldap://dc.domain.local/DC=domain,DC=local?sAMAccountName?sub?(objectClass=*)"

    Require ldap-group CN=Staff,OU=Groups,OU=Accounts,DC=domain,DC=local

Problem

Steven (or any other user who is a direct member of the "staff" group) authenticates successfully; however, members of sub-groups, such as cindy, will not authenticate.

I have already tried adding "AuthLDAPMaxSubGroupDepth 10" (10 should be the default value anyway) but that did not help either.

Anyone who might be able to help?

Aaron

1 Answer

I haven't had occasion to use the AuthLDAPMaxSubGroupDepth directive. I've always used the LDAP_MATCHING_RULE_IN_CHAIN search control instead. You might have a look at that. It should perform better, in terms of network traffic between the DC and Apache, because the DC itself will resolve the nested groups.

Evan Anderson
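As an added illustration of the approach in this answer (not part of the answer or of the poster's config), here is the question's site config rewritten so that the domain controller resolves nested membership itself: `Require ldap-filter` with the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) on the memberOf attribute. The bind account, URL and group DN are the ones from the question; the Location path is an assumption.

```apache
<Location /staff>
    AuthName "Please enter your login data."
    AuthType Basic
    AuthBasicProvider ldap

    AuthLDAPBindDN account@domain.local
    AuthLDAPBindPassword "userpassword"

    # Same search base and attribute as in the question.
    AuthLDAPURL "ldap://dc.domain.local/DC=domain,DC=local?sAMAccountName?sub?(objectClass=*)"

    # Instead of "Require ldap-group" plus AuthLDAPMaxSubGroupDepth (which makes
    # Apache walk the group tree itself), ask the DC whether the authenticated
    # user's memberOf chain reaches the Staff group. The 1.2.840.113556.1.4.1941
    # rule makes the DC expand nested groups (finances -> staff) server-side,
    # so cindy matches as well as steven, with a single search from Apache.
    Require ldap-filter memberOf:1.2.840.113556.1.4.1941:=CN=Staff,OU=Groups,OU=Accounts,DC=domain,DC=local

    # Check the rule from a shell before relying on it (assumes ldap-utils);
    # the search should return cindy's DN even though she is only in "finances":
    #   ldapsearch -H ldap://dc.domain.local -D account@domain.local -W \
    #     -b DC=domain,DC=local \
    #     "(&(sAMAccountName=cindy)(memberOf:1.2.840.113556.1.4.1941:=CN=Staff,OU=Groups,OU=Accounts,DC=domain,DC=local))" dn
</Location>
```

The same filter can be combined with other conditions, for example `Require ldap-filter &(memberOf:1.2.840.113556.1.4.1941:=...)(!(userAccountControl:1.2.840.113556.1.4.803:=2))` to additionally reject disabled accounts at the DC rather than in Apache.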