apache + ldap + group (Apache Web Server forums, Web Server and Related Forums category)
I'm having a problem getting apache to authenticate using an LDAP group. Using httpd 2.2.3 and openldap 2.3.25.

    <Location /viewvc>
    AuthType basic
    AuthName ViewVC
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPURL ldap://127.0.0.1:389/dc=mycompany
    #require valid-user
    #require group cn=MyGroup,ou=Groups,dc=mycompany
    #require ldap-group cn=MyGroup,ou=Groups,dc=mycompany
    Order allow,deny
    Allow from all
    </Location>

1. If I use valid-user, Apache correctly validates using my username and password. [require valid-user]. Peachy.

2. If I use require ldap-group, error_log shows a message that says "require directives present and no Authoritative handler". [require ldap-group]

3. If I use require group, I get the same as #2 above. [require group]

In my httpd.conf, I have authnz_ldap_module (and a bunch of other ones).

I've been searching around for answers but nothing seems to be solving my problem. If I change the AuthzLDAPAuthoritative to on, the error_log says that my password doesn't match (I'll read up on why later). I believe I compiled apache with the appropriate switches, and as far as I can tell, I have the modules loaded that need to be there. Hopefully I am wrong and there is a really easy solution that one of you fine folks can help point me towards.

Thanks in advance.
Looks like I got it.

First off, setting the LogLevel in httpd.conf to debug proved invaluable. It was showing exactly where the authentication was going wrong.

In a nutshell: I want my authentication to be strictly by LDAP, so I believe I needed to change AuthzLDAPAuthoritative to "on". The "require directives present and no Authoritative handler" error was because with LDAPAuthoritative set to Off, authentication was passing down to the GroupFile (or similar) mechanism, and the handler for that was not set. Setting LDAPAuthoritative to on basically forced LDAP to do all the work (and avoids having to have "backup" authentication mechanisms).

With LDAP doing all the work, I could see that I needed to fix some things with my LDAP groups (specifically, uniqueMembers needed uid=myname,ou=whatever,dc=whatever). Also, it looks like require user should be require ldap-user username1, username2 with AuthzLDAPAuthoritative set to on.

Good times.

coloradowebdev@hotmail.com wrote:

> I'm having a problem getting apache to authenticate using an LDAP
> group. Using httpd 2.2.3 and openldap 2.3.25.
>
> <Location /viewvc>
> AuthType basic
> AuthName ViewVC
> AuthBasicProvider ldap
> AuthzLDAPAuthoritative off
> AuthLDAPURL ldap://127.0.0.1:389/dc=mycompany
> #require valid-user
> #require group cn=MyGroup,ou=Groups,dc=mycompany
> #require ldap-group cn=MyGroup,ou=Groups,dc=mycompany
> Order allow,deny
> Allow from all
> </Location>
>
> 1. If I use valid-user, Apache correctly validates using my username
> and password. [require valid-user]. Peachy.
>
> 2. If I use require ldap-group, error_log shows a message that says
> "require directives present and no Authoritative handler". [require
> ldap-group]
>
> 3. If I use require group, I get the same as #2 above. [require group]
>
> In my httpd.conf, I have authnz_ldap_module (and a bunch of other
> ones).
>
> I've been searching around for answers but nothing seems to be solving
> my problem. If I change the AuthzLDAPAuthoritative to on, the error_log
> says that my password doesn't match (I'll read up on why later). I
> believe I compiled apache with the appropriate switches, and as far as
> I can tell, I have the modules loaded that need to be there. Hopefully
> I am wrong and there is a really easy solution that one of you fine
> folks can help point me towards.
>
> Thanks in advance.
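The working setup the reply arrives at, written out as an added example (this is not the poster's httpd.conf, nor Apache project code): an Apache 2.2 mod_authnz_ldap block with the failing settings left in as comments beside the corrected ones, followed by the shape the group entry must have for Require ldap-group to match. The names follow the thread (dc=mycompany, cn=MyGroup,ou=Groups, uid=myname, /viewvc); the ou=People container, the cn=httpd bind account and the remote directory hostname are assumptions added for illustration.

```apache
# Added example (not the poster's config). Apache 2.2 / mod_authnz_ldap.
# Needs ldap_module, authnz_ldap_module, auth_basic_module and
# authz_host_module loaded; check with: httpd -M | grep -i -e ldap -e auth
LogLevel debug   # temporarily: logs every bind/search and why a Require failed

<Location /viewvc>
    AuthType Basic
    AuthName "ViewVC"
    AuthBasicProvider ldap

    # Off (the original setting) passes any Require that mod_authnz_ldap does
    # not satisfy on to the next authorization module. With no AuthGroupFile or
    # AuthUserFile configured nothing picks it up, hence
    # "require directives present and no Authoritative handler".
    # On makes mod_authnz_ldap the final word: LDAP says yes or the request is 401.
    #AuthzLDAPAuthoritative off
    AuthzLDAPAuthoritative on

    # ldap://host:port/basedn?attribute?scope?filter
    # Plaintext to 127.0.0.1 never leaves the host, so it is tolerable here. For a
    # directory on another machine add STARTTLS (or use ldaps://): Basic auth
    # means the user's clear-text password travels in the bind to the directory.
    AuthLDAPURL "ldap://127.0.0.1:389/dc=mycompany?uid?sub?(objectClass=*)"
    #AuthLDAPURL "ldap://ldap.mycompany.example:389/dc=mycompany?uid?sub?(objectClass=*)" STARTTLS

    # Optional service account for the user search and the group lookup, needed
    # when the directory does not allow anonymous reads of uid / uniqueMember.
    # Assumed names; keep this file out of reach of other local users.
    #AuthLDAPBindDN       "cn=httpd,ou=Services,dc=mycompany"
    #AuthLDAPBindPassword "replace-me"

    # Group check: the authenticated user's DN is compared against the group's
    # uniqueMember values. Both lines are the 2.2 defaults, stated explicitly so
    # the match condition is visible in the config.
    AuthLDAPGroupAttribute     uniqueMember
    AuthLDAPGroupAttributeIsDN on

    # ldap-group is mod_authnz_ldap's directive. "Require group" belongs to
    # mod_authz_groupfile and needs an AuthGroupFile, which is why it failed.
    #Require valid-user
    #Require group cn=MyGroup,ou=Groups,dc=mycompany
    Require ldap-group cn=MyGroup,ou=Groups,dc=mycompany
    # Per-user allow list, if wanted instead (names are space-separated):
    #Require ldap-user myname otheruser

    # Host-based access. Leave Satisfy at its default (all) so "Allow from all"
    # is ANDed with the LDAP check; "Satisfy any" would let every host in
    # without a password.
    Order allow,deny
    Allow from all
    Satisfy all
</Location>

# What the group entry has to look like for the Require above to match.
# With AuthLDAPGroupAttributeIsDN on, each uniqueMember must hold the member's
# full DN (the fix the reply describes), not a bare uid.
# LDIF shown as comments; ou=People is an assumed container.
#
#   dn: cn=MyGroup,ou=Groups,dc=mycompany
#   objectClass: groupOfUniqueNames
#   cn: MyGroup
#   uniqueMember: uid=myname,ou=People,dc=mycompany
#   uniqueMember: uid=otheruser,ou=People,dc=mycompany
```

After editing, run `apachectl configtest`, restart, and try two accounts: one listed as a uniqueMember and one that authenticates but is not in the group. The second must receive a 401, and with LogLevel debug the error_log shows the group lookup and its result, which is the quickest way to tell a wrong DN in uniqueMember from a bind or search failure. Drop LogLevel back to warn afterwards; debug output includes bind DNs and search filters you do not want accumulating in the log.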