Posted to users@httpd.apache.org by Vieri Di Paola <vi...@gmail.com> on 2020/04/04 23:30:40 UTC

[users@httpd] apache ldap authentication: groups with spaces and negation in ldap-filter

Hi,

I'm running Apache HTTP on a Linux server and authenticating via LDAP
with an Active Directory server.

I've encountered two difficulties.

1) I can't seem to allow access for members of a group which name
contains spaces.

My config lines are:

            AuthLDAPBindDN "CN=ldapbind,CN=Users,DC=mydomain,DC=org"
            AuthLDAPBindPassword "mysecret"
            AuthLDAPURL "ldaps://myADserver/cn=Users,dc=mydomain,dc=org?sAMAccountName?sub?(objectClass=*)"
            AuthType Basic
            AuthName "requires authentication"
            AuthBasicProvider ldap
            AuthUserFile /dev/null
            Options None
            require ldap-filter memberof:1.2.840.113556.1.4.1941:=CN=my group,CN=Users,DC=mydomain,DC=org

Authentication works as expected if I create a new group "mygroup" in
AD which contains the member "my group", and I replace the last config
line with:

            require ldap-filter memberof:1.2.840.113556.1.4.1941:=CN=mygroup,CN=Users,DC=mydomain,DC=org

I tried adding " or ' after ldap-filter, but they don't seem to make
any difference.
How are spaces dealt with?

2) I am unable to "allow all members of mygroup but exclude one
particular user myuser".

I tried the following config line, but it seems to block access to everyone:

            require ldap-filter (&(memberof:1.2.840.113556.1.4.1941:=CN=mygroup,CN=Users,DC=mydomain,DC=org)(!(CN=myuser)))

I'm not too familiar with the LDAP filter format, but where's my mistake?
Does Active Directory support ! "not" in the expression?

Vieri
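As an added example that is not part of the post above and not code from Apache httpd or mod_authnz_ldap: a small RFC 4515 LDAP search-filter parser and assertion-value escaper, run against the two filters in the question. It checks the syntax side of both problems. Per RFC 4515, a space inside an assertion value needs no escaping (only `*`, `(`, `)`, `\` and NUL do), `(!(...))` is the standard NOT operator, and `attr:OID:=value` is the extensible-match form that the Active Directory in-chain rule uses. The group DN, user CN and the OID `1.2.840.113556.1.4.1941` are taken from the post; how the `Require` line itself is tokenized by the Apache config parser is a separate question this example does not answer.

```python
# Added example (not from the original post, Apache httpd or mod_authnz_ldap):
# a minimal RFC 4515 filter parser plus an assertion-value escaper. The
# group DN and CN below are sample values copied from the question.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# RFC 4515 section 3: these characters must be written as \XX inside a value.
# Note that space, comma and '=' are NOT in this set, so "CN=my group,..." is
# a perfectly valid assertion value as written.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")

# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN OID, as used in the post.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a filter (RFC 4515)."""
    return "".join(_ESCAPES.get(c, c) for c in value)


def unescape_filter_value(value: str) -> str:
    """Turn \\XX hex escapes back into characters."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


@dataclass
class Node:
    op: str                                  # "and", "or", "not" or "match"
    children: List["Node"] = field(default_factory=list)
    attr: str = ""                           # attribute name for "match"
    rule: str = ""                           # matching-rule OID for attr:OID:=value
    value: str = ""                          # unescaped assertion value


def parse_filter(text: str) -> Node:
    """Parse a complete filter string; raises ValueError on malformed input."""
    s = text.strip()
    pos, node = _parse(s, 0)
    if pos != len(s):
        raise ValueError(f"trailing characters at offset {pos}")
    return node


def _parse(s: str, i: int) -> Tuple[int, Node]:
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unexpected end of filter")
    if s[i] in "&|":                          # (&(f1)(f2)...) / (|(f1)(f2)...)
        op = "and" if s[i] == "&" else "or"
        i += 1
        children = []
        while i < len(s) and s[i] != ")":
            i, child = _parse(s, i)
            children.append(child)
        if i >= len(s):
            raise ValueError("unterminated filter list")
        return i + 1, Node(op, children)
    if s[i] == "!":                           # (!(f)) takes exactly one child
        i, child = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' after NOT at offset {i}")
        return i + 1, Node("not", [child])
    # Item: attr=value, or the extensible form attr[:rule]:=value. A literal ')'
    # inside a value must be escaped as \29, so the first ')' ends the item.
    end = s.find(")", i)
    if end == -1:
        raise ValueError("unterminated item")
    item = s[i:end]
    if ":=" in item:
        lhs, _, raw = item.partition(":=")
        attr, _, rule = lhs.partition(":")
    else:
        attr, eq, raw = item.partition("=")
        if not eq or attr[-1:] in "~<>":      # only plain equality is handled here
            raise ValueError(f"unsupported item {item!r}")
        rule = ""
    return end + 1, Node("match", attr=attr, rule=rule, value=unescape_filter_value(raw))


def build_group_filter(group_dn: str, exclude_cn: Optional[str] = None) -> str:
    """Build 'members of group_dn (transitively), optionally minus one CN'."""
    member = f"(memberof:{IN_CHAIN_OID}:={escape_filter_value(group_dn)})"
    if exclude_cn is None:
        return member
    return f"(&{member}(!(CN={escape_filter_value(exclude_cn)})))"


if __name__ == "__main__":
    print(parse_filter(build_group_filter("CN=my group,CN=Users,DC=mydomain,DC=org", "myuser")))
```

Parsing the post's second filter yields an AND node with a `memberof` extensible match and a NOT node wrapping `CN=myuser`, so the expression is well-formed RFC 4515; the group name with a space round-trips through `build_group_filter` unchanged, while a DN containing parentheses is escaped on the way in and restored on the way out.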
