
I am trying to authenticate using an Active Directory user on an Apache with nested groups.

Apache 2.4.7 Ubuntu 14.4

I have a group named test, and in this group I have a few nested groups. If I put the user in the test group directly, all is fine. The user gets authenticated. But if I put the user in a nested group and put the nested group in the group test, I get the error message:

didnt match with attr member [Comparison false (cached)] [5 - Compare false]

authoritation denied for user xyz

My subgroup depth is just one.

Does anyone have an idea?

Best regards mobios

My Config:

<AuthnProviderAlias ldap users>
AuthLDAPBindDN "CN=ldapbind,OU=Services,OU=Administration,DC=test,DC=tc"
AuthLDAPBindPassword Password
AuthLDAPURL "ldap://10.0.100.1:389/CN=Users,DC=test,DC=tc?sAMAccountName?sub"
</AuthnProviderAlias>


<AuthnProviderAlias ldap project>
AuthLDAPBindDN "CN=ldapbind,OU=Services,OU=Administration,DC=test,DC=tc"
AuthLDAPBindPassword Password
AuthLDAPURL "ldap://10.0.100.1:389/OU=Projects,DC=test,DC=tc?sAMAccountName?sub"
</AuthnProviderAlias>

<AuthzProviderAlias ldap-group test CN=test,CN=Users,,DC=test,DC=tc>
AuthLDAPBindDN "CN=ldapbind,OU=Services,OU=Administration,DC=test,DC=tc"
AuthLDAPBindPassword Password
AuthLDAPURL "ldap://10.0.100.1:389/CN=Users,DC=test,DC=tc?sAMAccountName?sub"
</AuthzProviderAlias>

Alias /production /srv/webdav/production 
<Location "/production">
SSLRequireSSL 
DAV On 
Options None 
AuthType Basic 
AuthUserFile /dev/null 
AuthName "Repository production" 
AuthBasicProvider project users 
AuthLDAPMAxSubGroupDepth 10
AuthLDAPSubGroupAttribute member
AuthLDAPSubGroupClass Group
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on
Require test
Options Indexes FollowSymLinks MultiViews 
Order Deny,Allow 
</Location>

My Active Directory details are:

test.tc
|
|--(CN)Users--(CN)test
|
|--(OU)Projects--(OU)Group1--(CN)Group1

These are my details in my Active Directory.
(CN)test is the main group and (CN)Group1 is nested in (CN)test.

Additionally I tried:
Require ldap-filter memberof:1.2.840.113556.1.4.1941:=CN=test,CN=Users,dc=test,dc=tc

Unfortunately it doesn't work :(

mobios
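The transitive membership check that the sub-group settings in the question and the `1.2.840.113556.1.4.1941` filter are meant to perform, as an added Python model that is not part of the original post and is not mod_authnz_ldap's own code. The directory is constructed from the layout described above; the user DN, the objectClass values and the function names are assumptions.

```python
# Constructed directory mirroring the layout in the question; the user DN
# and the objectClass values are assumptions made for this example.
TEST = "CN=test,CN=Users,DC=test,DC=tc"
GROUP1 = "CN=Group1,OU=Group1,OU=Projects,DC=test,DC=tc"
USER = "CN=xyz,CN=Users,DC=test,DC=tc"

DIRECTORY = {
    TEST: {"objectClass": {"top", "group"}, "member": {GROUP1}},
    GROUP1: {"objectClass": {"top", "group"}, "member": {USER}},
    USER: {"objectClass": {"top", "person", "user"}, "member": set()},
}


def norm(dn):
    """Case-insensitive DN comparison key (simplified: no escaping rules)."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def is_member(directory, user_dn, group_dn, max_depth,
              group_attr="member", subgroup_classes=("group",)):
    """Return the nesting depth at which user_dn is found, or None.

    Depth 0 is a direct member; max_depth bounds how many levels of
    sub-groups are followed, and a visited set guards against cycles.
    """
    index = {norm(dn): entry for dn, entry in directory.items()}
    classes = {c.lower() for c in subgroup_classes}
    target = norm(user_dn)
    seen = {norm(group_dn)}
    frontier = [norm(group_dn)]
    for depth in range(max_depth + 1):
        next_frontier = []
        for dn in frontier:
            members = {norm(m) for m in index.get(dn, {}).get(group_attr, ())}
            if target in members:
                return depth
            for m in members - seen:
                entry = index.get(m)
                # Only entries carrying a sub-group objectClass are descended into.
                if entry and classes & {c.lower() for c in entry["objectClass"]}:
                    seen.add(m)
                    next_frontier.append(m)
        frontier = next_frontier
    return None
```

In this model a depth limit of 0 or a sub-group class that does not match the nested entry's objectClass both make the nested user invisible, while a direct member is always found at depth 0.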