Apache Lounge



Forum Index Downloads Search Register Log in  RSS Apache Lounge

Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.



A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored.

Your donations will help to keep this site alive and well, and continuing building binaries.

Apache 2.4 how to authenticate multiple ldap OUs

Post new topic   Reply to topic    Apache Forum Index -> Apache

View previous topic :: View next topic  
Author Message

Joined: 12 Dec 2018
Posts: 2
Location: Providence

PostPosted: Thu 13 Dec '18 21:21    Post subject: Apache 2.4 how to authenticate multiple ldap OUs Reply with quote


Does anyone have any idea how to authenticate a user against two different OUs on the same AD server?

I am using Apache 2.4 on Ubuntu 18.04.
Server version: Apache/2.4.18 (Ubuntu)
Server built: 2018-06-07T19:43:03

The user could be in "ABC User" or "XYZ user".
AD OUs are:
AuthLDAPURL "ldap://adx.ABC.org:389/OU=ABC Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*)"
AuthLDAPURL "ldap://adx.ABC.org:389/OU=XYZ Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*)"

Part of the current conf file:
<Location />
AuthName "ABC Intranet"
AuthBasicProvider ldap

AuthType Basic
AuthLDAPURL "ldap://adx.ABC.org:389/OU=ABC Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*)"

# login to AD
AuthLDAPBindDN "CN=ldap_ABCweb,OU=ABC Service Accounts,DC=ABC,DC=org"
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid

# tried this and failed
# Require ldap-filter (&(memberOf='OU=XYZ Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*')|(memberOf='OU=ABC Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*'))

# tried this and failed
# <RequireAny>
# Require ldap-filter (&(memberOf='OU=ABC Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*'))
# Require ldap-filter (&(memberOf='OU=XYZ Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*'))
# </RequireAny>

# require any is implied
require any
Require valid-user
Require ip 10.46
Require ip 130.44
Require ip 10.44

I have a userid supplied by the user via a user/password prompt supplied by Apache. In order for the user to login they need to be in either of these OUs:
"ldap://adx.ABC.org:389/OU=ABC Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*)"
"ldap://adx.ABC.org:389/OU=XYZ Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*)".

I donít know how to configure the auth module in Apache 2.4 to validate against more than one OU.

Back to top
James Blond

Joined: 19 Jan 2006
Posts: 6604
Location: Germany, Next to Hamburg

PostPosted: Fri 14 Dec '18 12:05    Post subject: Reply with quote

If you need to add multiple OU= values in the LDAP url you must have separate LDAP urls and utilize AuthnProviderAlias to check both LDAP searches.


LoadModule authn_alias_module modules/mod_authn_alias.so
<AuthnProviderAlias ldap ldap-alias1>
AuthLDAPBindDN cn=youruser,o=ctx
AuthLDAPBindPassword yourpassword
AuthLDAPURL ldap://ldap.host/o=ctx
<AuthnProviderAlias ldap ldap-other-alias>
AuthLDAPBindDN cn=yourotheruser,o=dev
AuthLDAPBindPassword yourotherpassword
AuthLDAPURL ldap://other.ldap.host/o=dev?cn
Alias /secure /webpages/secure
<Directory /webpages/secure>
Order deny,allow
Allow from all
AuthBasicProvider ldap-other-alias ldap-alias1
AuthType Basic
AuthName LDAP_Protected_Place
AuthzLDAPAuthoritative off
Require valid-user

See https://httpd.apache.org/docs/trunk/mod/mod_authn_core.html
Back to top

Joined: 12 Dec 2018
Posts: 2
Location: Providence

PostPosted: Tue 18 Dec '18 22:00    Post subject: Reply with quote


It works! Thank you very much for your help. I really appreciated it!

Back to top

Post new topic   Reply to topic    Apache Forum Index -> Apache
Page 1 of 1