Apache LDAP Authentication, Require ldap-group, OpenLDAP server, AND YOU!

Posted: March 20th, 2011 | Filed under: LDAP, Linux | 2 Comments

OK peoples, this one frustrated me for a bit, but because I’m stubborn I figured it out.

I have a web service that I want to protect with LDAP authentication in Apache against our OpenLDAP server, and I also need to make sure the authenticating user belongs to a specific LDAP group. If you’re like me, your groups look something like this:

bart:~ jordan$ ldapsearch -h ldap.shop.lan -x -b "dc=shop,dc=lan" cn=fgstaff
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: cn=fgstaff
# requesting: ALL
#

# fgstaff, Groups, shop.lan
dn: cn=fgstaff,ou=Groups,dc=shop,dc=lan
cn: fgstaff
gidNumber: 1022
description: Staff
objectClass: posixGroup

memberUid: jordan

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

So to make it work you need a few things inside the Directory block of your virtual host config file. First, here’s mine:


Options FollowSymLinks
AllowOverride None
AuthName "FG Staff ONLY!"
AuthType Basic
# Authenticate against LDAP and let mod_authnz_ldap have the final word on authorization
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
# Search base for user lookups; the uid attribute is matched against the Basic-auth username
AuthLDAPURL "ldap://1.1.1.1/ou=People,dc=shop,dc=lan?uid"
# Full DN of the group the authenticated user must belong to
Require ldap-group cn=fgstaff,ou=Groups,dc=shop,dc=lan
# posixGroup stores bare usernames in memberUid, so compare the uid, not the user's DN
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid

The trick for me was putting the whole group DN after require ldap-group: the cn, the ou, and the dc components. The second piece is AuthLDAPGroupAttributeIsDN. This one matters because with it on, Apache looks for the authenticated user’s full DN (uid=jordan,ou=People,dc=shop,dc=lan) in the group’s memberUid attribute, and a posixGroup only stores the bare username (“jordan”) there, so the check never matches; with it off, Apache compares just the username, which is exactly what memberUid holds.
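To make the on/off behaviour concrete, here is an added Python illustration (my code, not part of the original post and not Apache’s own implementation) that reduces the Require ldap-group decision to the comparison AuthLDAPGroupAttributeIsDN controls. Apache really issues an LDAP compare against the server; this emulates that locally. The posixGroup entry is constructed to match the ldapsearch output above, and it goes one step beyond the post by also showing a constructed groupOfNames group, where the on setting is the correct one because member holds full DNs. Helper names (parse_ldif_entry, ldap_group_allows, demo) are my own.

```python
"""Emulate Apache mod_authnz_ldap's 'Require ldap-group' decision locally.

Added example, not code from the original post or from Apache.  The two
group entries are constructed: the first mirrors the fgstaff posixGroup
from the post, the second is a groupOfNames variant for comparison.
"""

# Constructed sample: the posixGroup as returned by ldapsearch in the post.
POSIX_GROUP_LDIF = """\
dn: cn=fgstaff,ou=Groups,dc=shop,dc=lan
cn: fgstaff
gidNumber: 1022
description: Staff
objectClass: posixGroup
memberUid: jordan
"""

# Constructed sample: the same group modelled as groupOfNames (members are DNs).
GROUP_OF_NAMES_LDIF = """\
dn: cn=fgstaff-dn,ou=Groups,dc=shop,dc=lan
cn: fgstaff-dn
objectClass: groupOfNames
member: uid=jordan,ou=People,dc=shop,dc=lan
"""

USER_DN = "uid=jordan,ou=People,dc=shop,dc=lan"
USER_UID = "jordan"


def parse_ldif_entry(text):
    """Parse one simple LDIF entry into {attribute: [values]}.

    Handles only plain 'name: value' lines (no base64 '::' values and no
    continuation lines), which is all the sample entries need.
    """
    entry = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip(), []).append(value.strip())
    return entry


def ldap_group_allows(group, user_dn, user_uid, group_attr="memberUid", attr_is_dn=False):
    """Return True if the user is in 'group' under the given Apache settings.

    attr_is_dn=True  emulates 'AuthLDAPGroupAttributeIsDN on':  Apache looks
                     for the user's full DN among the group_attr values.
    attr_is_dn=False emulates 'AuthLDAPGroupAttributeIsDN off': Apache looks
                     for the username that matched the AuthLDAPURL attribute
                     (here the uid) among the group_attr values.
    """
    members = group.get(group_attr, [])
    if attr_is_dn:
        # DN equality is case-insensitive in LDAP.
        return any(m.lower() == user_dn.lower() for m in members)
    # memberUid uses caseExactIA5Match in the nis schema, so compare exactly.
    return user_uid in members


def demo():
    """Run the four setting/group combinations plus a non-member and report them."""
    posix = parse_ldif_entry(POSIX_GROUP_LDIF)
    gon = parse_ldif_entry(GROUP_OF_NAMES_LDIF)
    return {
        "posixGroup/memberUid, IsDN off": ldap_group_allows(posix, USER_DN, USER_UID),
        "posixGroup/memberUid, IsDN on": ldap_group_allows(posix, USER_DN, USER_UID, attr_is_dn=True),
        "groupOfNames/member, IsDN on": ldap_group_allows(gon, USER_DN, USER_UID, "member", attr_is_dn=True),
        "groupOfNames/member, IsDN off": ldap_group_allows(gon, USER_DN, USER_UID, "member"),
        "posixGroup/memberUid, IsDN off, non-member": ldap_group_allows(
            posix, "uid=someoneelse,ou=People,dc=shop,dc=lan", "someoneelse"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:45s} -> {'allowed' if allowed else 'denied'}")
```

The rule of thumb the table of results shows: pick the setting that matches what the group attribute actually stores. posixGroup/memberUid holds usernames, so IsDN must be off with AuthLDAPGroupAttribute memberUid; groupOfNames/member (or groupOfUniqueNames/uniqueMember) holds DNs, so IsDN must be on with the matching attribute name. Get the pairing wrong and every legitimate user is denied, which is the symptom the post describes.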

Once I set this, it all worked. I’m hoping this will help any others out there.


2 Comments on “Apache LDAP Authentication, Require ldap-group, OpenLDAP server, AND YOU!”

  1. Kurt said at 6:08 pm on October 25th, 2014:

    Thanks Jordan! The “AuthLDAPGroupAttributeIsDN off” did the trick for me.

  2. Kedar said at 9:33 am on September 3rd, 2017:

    Hi Jordan,
    My LDIF is
    version: 1

    dn: uid=sssd_random_3,ou=users,dc=sprint,dc=com
    objectClass: organizationalPerson
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: top
    objectClass: posixAccount
    cn: cn_sssd_random_3
    gidNumber: 500
    homeDirectory: /
    sn: sn_sssd_random_3
    uid: sssd_random_3
    uidNumber: 1000
    userPassword::

    dn: uid=sssd_random_uid,ou=users,dc=sprint,dc=com
    objectClass: organizationalPerson
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: top
    objectClass: posixAccount
    cn: cn_sssd_random_uid
    gidNumber: 1000
    homeDirectory: /
    sn: sn_sssd_random_uid
    uid: sssd_random_uid
    uidNumber: 500
    userPassword::

    dn: cn=Admin,ou=groups,dc=sprint,dc=com
    objectClass: groupOfNames
    objectClass: top
    cn: Admin
    member: uid=sssd_pb,cn=Admin,ou=groups,dc=sprint,dc=com

    dn: uid=sssd_1,ou=users,dc=sprint,dc=com
    objectClass: organizationalPerson
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: top
    objectClass: posixAccount
    cn: cn_sssd_1
    gidNumber: 2
    homeDirectory: /home/qns
    sn: sn_sssd_1
    uid: sssd_1
    uidNumber: 2
    userPassword::

    dn: uid=admin,ou=users,dc=sprint,dc=com
    objectClass: account
    objectClass: simpleSecurityObject
    objectClass: top
    uid: admin
    userPassword::

    dn: dc=sprint,dc=com
    objectclass: top
    objectclass: domain
    dc: sprint

    dn: uid=sssd_su,ou=users,dc=sprint,dc=com
    objectClass: organizationalPerson
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: top
    objectClass: posixAccount
    cn: cn_sssd_su
    gidNumber: 481
    homeDirectory: /home/qns-su
    sn: sn_sssd_su
    uid: sssd_su
    uidNumber: 501
    userPassword::

    dn: uid=sssd_pb,ou=users,dc=sprint,dc=com
    objectClass: organizationalPerson
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: top
    objectClass: posixAccount
    cn: cn=Admin,ou=groups,dc=sprint,dc=com
    gidNumber: 491
    homeDirectory: /home/qns-svn
    sn: sn_sssd_pb
    uid: sssd_pb
    uidNumber: 491
    userPassword::

    dn: uid=sssd_su_1,ou=users,dc=sprint,dc=com
    objectClass: organizationalPerson
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: top
    objectClass: posixAccount
    cn: cn_sssd_su_1
    gidNumber: 501
    homeDirectory: /
    sn: sn_sssd_su_1
    uid: sssd_su_1
    uidNumber: 500
    userPassword::

    dn: ou=groups,dc=sprint,dc=com
    objectClass: organizationalUnit
    objectClass: top
    ou: groups

    dn: uid=sssd_random,ou=users,dc=sprint,dc=com
    objectClass: organizationalPerson
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: top
    objectClass: posixAccount
    cn: cn_sssd_random
    gidNumber: 1000
    homeDirectory: /
    sn: sn_sssd_random
    uid: sssd_random
    uidNumber: 1000
    userPassword::

    dn: uid=sssd_pb,cn=Admin,ou=groups,dc=sprint,dc=com
    objectClass: organizationalPerson
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: top
    objectClass: posixAccount
    cn: cn_sssd_pb
    gidNumber: 491
    homeDirectory: /home/qns-svn
    sn: sn_sssd_pb
    uid: sssd_pb
    uidNumber: 491
    userPassword::

    dn: uid=sssd_root,ou=users,dc=sprint,dc=com
    objectClass: organizationalPerson
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: top
    objectClass: posixAccount
    cn: cn_sssd_root
    gidNumber: 0
    homeDirectory: /root
    sn: sn_sssd_root
    uid: sssd_root
    uidNumber: 0
    userPassword::

    dn: cn=User,ou=groups,dc=sprint,dc=com
    objectClass: groupOfUniqueNames
    objectClass: top
    cn: User
    uniqueMember: uid=sssd_pb,ou=users,dc=sprint,dc=com

    dn: ou=users,dc=sprint,dc=com
    objectClass: organizationalUnit
    objectClass: top
    ou: users
    userPassword::

    dn: cn=Roles,ou=groups,dc=sprint,dc=com
    objectClass: posixGroup
    objectClass: top
    cn: Roles
    gidNumber: 491
    memberUid: uid=sssd_pb_2,ou=users,dc=sprint,sc=com

    dn: uid=sssd_qns,ou=users,dc=sprint,dc=com
    objectClass: organizationalPerson
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: top
    objectClass: posixAccount
    cn: cn=User,ou=groups,dc=sprint,dc=com
    gidNumber: 500
    homeDirectory: /home/qns
    sn: sn_sssd_qns
    uid: sssd_qns
    uidNumber: 500
    userPassword::

    dn: uid=sssd_ro,ou=users,dc=sprint,dc=com
    objectClass: organizationalPerson
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: top
    objectClass: posixAccount
    cn: cn_sssd_ro
    gidNumber: 505
    homeDirectory: /usr/bin/sudosh
    sn: sn_sssd_ro
    uid: sssd_ro
    uidNumber: 485
    userPassword::

    I want to offer access to the ‘uid=sssd_pb,cn=Admin,ou=groups,dc=sprint,dc=com’ user. May I know what the values should be for ‘AuthLDAPURL’ (base DN, filter) and ‘AuthLDAPGroupAttribute’?
