
I am trying to set up LDAP authentication.

Group Information:

ldapsearch -x -h ldap-corporate -b "o=example.com,c=us" "cn=Security "
# extended LDIF
#
# LDAPv3
# base <o=example.com,c=us> with  scope subtree
# filter: cn=Security 
# requesting: ALL
#

# Security , lm8100, example.com, US
dn: cn=Security , ou=lm8100, o=example.com, c=US
businessCategory: secadm
cn: Security 
objectClass: groupOfUniqueNames
objectClass: epicGroup
objectClass: top
uniqueMember: cn=Kim Ldaf + uid=CLKM9876,ou=lm8100,o=example.com,c=US
uniqueMember: cn=HLK MNOIL+uid=DKL06, ou=lm8100,o=example.com,c=us
uniqueMember: cn=TREKS DNKO+uid=RIK02, ou=lm8100,o=example.com,c=US

This is my configuration. It accepts all valid LDAP users, but my requirement is to accept only valid users for that particular group:

We have different OUs within a group.

<Directory "/opt/hd/wsvr/docs/support/helpdesk">

  AllowOverride None
  Order deny,allow
  Allow from all
  AuthType Basic
  AuthName "Protected"
  Require valid-user
  AuthBasicAuthoritative Off
  AuthzLDAPAuthoritative Off
  AuthBasicProvider ldap
  AuthLDAPUrl ldap://HOST/o=example.com,c=us?uid?sub
  Require ldap-group cn=SC HelpDesk,o=example.com,c=US
</Directory>
user374374

2 Answers


You have two Require directives which have contradictory meanings.

As @bodgit mentioned, you have Require valid-user, which allows everyone who is a valid user. You also have Require ldap-group cn=SC HelpDesk,o=example.com,c=US, which allows only members of your SC HelpDesk group. However, as long as either of these requirements is met, access will be allowed. You should remove the Require valid-user directive.

Charley
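A corrected version of the <Directory> block from the question, added here as an example (it is not part of either answer): the Require valid-user line is dropped so only the group check remains. It keeps the AuthLDAPUrl and group DN from the question, with HOST as a placeholder for the LDAP server, and additionally switches the two Authoritative directives to On, which is an assumption about the intended setup rather than something the question states.

```apache
# Added example: restrict /opt/hd/wsvr/docs/support/helpdesk to one LDAP group.
#
# Before (from the question): two Require lines. With Order/Allow-style (Apache 2.2)
# configuration, multiple Require lines are OR'ed, so "Require valid-user" alone is
# enough to let every authenticated LDAP user in:
#
#   Require valid-user
#   Require ldap-group cn=SC HelpDesk,o=example.com,c=US
#
# After: keep only the group requirement.
<Directory "/opt/hd/wsvr/docs/support/helpdesk">
  AllowOverride None
  Order deny,allow
  Allow from all

  AuthType Basic
  AuthName "Protected"
  AuthBasicProvider ldap
  # HOST is a placeholder for the corporate LDAP server; the bind searches for
  # the entry whose uid matches the supplied username under o=example.com,c=us.
  AuthLDAPUrl ldap://HOST/o=example.com,c=us?uid?sub

  # Both were Off in the question. On makes mod_authnz_ldap the final word:
  # a user who authenticates but is not in the group gets 401 instead of being
  # handed to the next authentication/authorization module.
  AuthBasicAuthoritative On
  AuthzLDAPAuthoritative On

  # Only members of this groupOfUniqueNames may enter. The module compares the
  # authenticated user's DN against the group's member/uniqueMember values
  # (the default AuthLDAPGroupAttribute set), so the multi-valued RDNs such as
  # "cn=...+uid=...,ou=lm8100,..." shown in the ldapsearch output match as DNs.
  Require ldap-group cn=SC HelpDesk,o=example.com,c=US
</Directory>
```

After the change, a quick check is to authenticate as a valid LDAP user who is not in the group and confirm the server answers 401 rather than 200.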

You have Require valid-user in your configuration which lets any user in if they successfully authenticate.

bodgit