Posted to users@httpd.apache.org by Vieri Di Paola <vi...@gmail.com> on 2020/04/04 23:30:40 UTC
[users@httpd] apache ldap authentication: groups with spaces and negation in ldap-filter
Hi,
I'm running Apache HTTP on a Linux server and authenticating via LDAP
with an Active Directory server.
I've encountered two difficulties.
1) I can't seem to allow access for members of a group whose name
contains spaces.
My config lines are:
AuthLDAPBindDN "CN=ldapbind,CN=Users,DC=mydomain,DC=org"
AuthLDAPBindPassword "mysecret"
AuthLDAPURL "ldaps://myADserver/cn=Users,dc=mydomain,dc=org?sAMAccountName?sub?(objectClass=*)"
AuthType Basic
AuthName "requires authentication"
AuthBasicProvider ldap
AuthUserFile /dev/null
Options None
require ldap-filter memberof:1.2.840.113556.1.4.1941:=CN=my group,CN=Users,DC=mydomain,DC=org
Authentication works as expected if I create a new group "mygroup" in
AD which contains the member "my group", and I replace the last config
line with:
require ldap-filter memberof:1.2.840.113556.1.4.1941:=CN=mygroup,CN=Users,DC=mydomain,DC=org
I tried adding " or ' after ldap-filter, but they don't seem to make
any difference.
How are spaces dealt with?
2) I am unable to "allow all members of mygroup but exclude one
particular user myuser".
I tried the following config line, but it seems to block access to everyone:
require ldap-filter (&(memberof:1.2.840.113556.1.4.1941:=CN=mygroup,CN=Users,DC=mydomain,DC=org)(!(CN=myuser)))
I'm not too familiar with the LDAP filter format, but where's my mistake?
Does Active Directory support ! "not" in the expression?
Vieri
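
An added example, not part of the original message and not Apache httpd code: a small RFC 4515 filter parser run on the two filters from the post, written as stand-alone filters (outer parentheses added to the first one). It checks filter syntax only; how httpd splits and combines the "require ldap-filter" argument is outside its scope. The names parse, unescape and FilterError are this example's own.

```python
import re

# attribute, optional ":dn" / ":<matching rule>" parts, operator, raw value
ITEM = re.compile(r"([A-Za-z0-9][A-Za-z0-9.;-]*)((?::[A-Za-z0-9.-]+)*)(:=|>=|<=|~=|=)(.*)", re.S)

class FilterError(ValueError):
    pass

def unescape(value):
    """Decode RFC 4515 \\XX escapes; a backslash without two hex digits is an error."""
    if re.search(r"\\(?![0-9A-Fa-f]{2})", value):
        raise FilterError(f"bad escape in value {value!r}")
    raw = re.sub(rb"\\([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), value.encode())
    return raw.decode()

def _filter(s, i):
    """Parse one parenthesised filter starting at offset i; return (node, next offset)."""
    if s[i:i + 1] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|"):          # AND / OR over one or more sub-filters
        op, kids, i = s[i], [], i + 1
        while s[i:i + 1] == "(":
            kid, i = _filter(s, i)
            kids.append(kid)
        if not kids:
            raise FilterError(f"'{op}' needs at least one sub-filter")
        node = (op, kids)
    elif s[i:i + 1] == "!":               # NOT takes exactly one sub-filter
        kid, i = _filter(s, i + 1)
        node = ("!", [kid])
    else:                                 # simple or extensible-match item
        end = i
        while end < len(s) and s[end] not in "()":
            end += 1
        m = ITEM.fullmatch(s[i:end])
        if not m:
            raise FilterError(f"bad item {s[i:end]!r}")
        attr, opts, op, value = m.groups()
        node, i = (op, attr, opts.lstrip(":"), unescape(value)), end
    if s[i:i + 1] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return node, i + 1

def parse(text):
    """Parse a whole filter string into a nested tuple tree; reject trailing text."""
    node, pos = _filter(text, 0)
    if pos != len(text):
        raise FilterError(f"trailing text at offset {pos}")
    return node

# Filters taken from the post above, wrapped as stand-alone RFC 4515 filters.
SPACE_GROUP = "(memberof:1.2.840.113556.1.4.1941:=CN=my group,CN=Users,DC=mydomain,DC=org)"
NEGATION = "(&(memberof:1.2.840.113556.1.4.1941:=CN=mygroup,CN=Users,DC=mydomain,DC=org)(!(CN=myuser)))"
```

Both strings parse: a space inside an assertion value needs no escaping in RFC 4515 (it may also be written as \20), and "!" is the standard NOT operator that wraps a single parenthesised sub-filter.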