Tags: apache, authentication, ldap, slapd

Require LDAP-based basic authentication for one Apache location and specific group membership for a sub-location


I have Apache 2.4.7 running on Ubuntu 14. I installed slapd and created two people, uid=wilma,ou=People,dc=mysite,dc=com and uid=betty,ou=People,dc=mysite,dc=com. They both have object classes inetOrgPerson, posixAccount, and shadowAccount. (I would ultimately like to use the LDAP UID and password for single login.) I have LDAP-based authentication working so that only LDAP-authenticated users can access /. This authentication on / is only until the site goes live. However, I have an application that I want to permanently use LDAP-based authentication for with location /my-app, and I want to limit access to that application to a specific group of people. I created a POSIX group in LDAP called my-app-users. I added uid=wilma,ou=People,dc=mysite,dc=com to that group.

Disclaimer: I am not highly experienced with Apache and brand new to LDAP. I'm not committed to using a POSIX group if that's wrong. (I did pick that object type because I think this group might need to SSH into the server once in a while. Again, brand new!)

The problem is that LDAP authentication is letting both Wilma and Betty into /my-app, but I just want Wilma because of her membership in my-app-users.

I've tried putting a few variations of this in different places.

AuthType Basic
AuthBasicProvider ldap
AuthName "Access to My App is Restricted"
AuthLDAPInitialBindAsUser on
AuthLDAPInitialBindPattern (.*) uid=$1,ou=people,dc=mysite,dc=com
AuthLDAPURL ldap://localhost/DC=myside,DC=com?uid
require valid-user
Require ldap-group cn=super-my-app-users,ou=Groups,dc=mysite,dc=com

Here:

# my-app.conf for my app.
<IfModule mod_alias.c>
    Alias /my-app /usr/share/my-app/htdocs
</IfModule>

# default.conf
<VirtualHost *:443>
    <Location /my-app>
        # Here
    </Location>
</VirtualHost>

Then here (after removing it from the previous place):

<Directory /usr/share/my-app/htdocs/>
    # Here
</Directory>

I've done a bunch of web searches to figure this out, but I keep ending up with both users getting in.

Thanks in advance!


Solution

  • The issue is the 2 require directives. Your users will get in if they are a "valid-user" before the group check. Remove the first one.
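The fix the answer describes, written out as a complete `<Location>` block. This is an added example, not the asker's or the answerer's configuration. It assumes the DNs given in the question (base `dc=mysite,dc=com`, people under `ou=People`, the group `cn=my-app-users` under `ou=Groups`, as in the posted `Require ldap-group` line) and that `mod_authnz_ldap` is loaded. Two things it makes explicit: in Apache 2.4, several bare `Require` lines in one section are combined as an implicit `RequireAny` (OR), so `Require valid-user` is satisfied by any authenticated user regardless of group, which is exactly why both Wilma and Betty got in; and a `posixGroup` stores its members in `memberUid` as bare uids rather than DNs, so the group lookup has to be pointed at that attribute and told it is not a DN.

```apache
# default.conf (added example, not the poster's file)
<VirtualHost *:443>
    # ... SSL and other vhost settings ...

    # Application served under /my-app (matches the Alias in my-app.conf)
    <Location /my-app>
        AuthType Basic
        AuthBasicProvider ldap
        AuthName "Access to My App is Restricted"

        # Base DN assumed from the People DNs in the question
        AuthLDAPURL ldap://localhost/dc=mysite,dc=com?uid
        AuthLDAPInitialBindAsUser on
        AuthLDAPInitialBindPattern (.*) uid=$1,ou=People,dc=mysite,dc=com

        # posixGroup members are stored in memberUid as bare uids (e.g. "wilma"),
        # so compare the authenticated username against that attribute and
        # tell Apache the values are not DNs.
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN off

        # Exactly one authorization rule. Putting "Require valid-user" beside
        # this line would be OR-ed with it (implicit RequireAny) and admit
        # every authenticated user, which is the behaviour in the question.
        Require ldap-group cn=my-app-users,ou=Groups,dc=mysite,dc=com
    </Location>
</VirtualHost>
```

Check the syntax with `apache2ctl configtest` and reload Apache, then request `/my-app` once with Wilma's credentials and once with Betty's: Wilma should get the application and Betty should be refused after authenticating. If at some point two conditions really should both hold, wrap them in a `<RequireAll>` block rather than listing them as separate `Require` lines, since separate lines are always OR-ed.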