1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Apache 2.4 how to authenticate a user against two different OUs

Discussion in 'Apache' started by Daniel Pelton, Dec 12, 2018.

  1. #2
    Does anyone have any idea how to authenticate a user against two different OUs on the same AD server?
    I am using Apache 2.4 on Ubuntu 18.04.
    Server version: Apache/2.4.18 (Ubuntu)
    Server built: 2018-06-07T19:43:03
    The user could be in "ABC User" or "XYZ user".
    AD OUs are:
    AuthLDAPURL "ldap://adx.ABC.org:389/OU=ABC Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPURL "ldap://adx.ABC.org:389/OU=XYZ Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*)"
    Part of the current conf file:
    <Location />
    AuthName "ABC Intranet"
    AuthBasicProvider ldap
    AuthType Basic
    AuthLDAPURL "ldap://adx.ABC.org:389/OU=ABC Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*)"
    # login to AD
    AuthLDAPBindDN "CN=ldap_ABCweb,OU=ABC Service Accounts,DC=ABC,DC=org"
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPGroupAttribute memberUid
    # tried this and failed
    # Require ldap-filter (&(memberOf='OU=XYZ Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*')|(memberOf='OU=ABC Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*'))
    # tried this and failed
    # <RequireAny>
    # Require ldap-filter (&(memberOf='OU=ABC Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*'))
    # Require ldap-filter (&(memberOf='OU=XYZ Users,DC=ABC,DC=org?sAMAccountName?sub?(objectClass=*'))
    # </RequireAny>
    # require any is implied
    require any
    Require valid-user
    Require ip 10.46
    Require ip 130.44
    Require ip 10.44
    Would something like this work using the same AD server?
    <AuthzProviderAlias ldap-group ldap-group-alias1 "cn=my-group,o=ctx">
    AuthLDAPBindDN "cn=youruser,o=ctx"
    AuthLDAPBindPassword yourpassword
    AuthLDAPUrl "ldap://ldap.host/o=ctx"
    <AuthzProviderAlias ldap-group ldap-group-alias2 "cn=my-other-group,o=dev">
    AuthLDAPBindDN "cn=yourotheruser,o=dev"
    AuthLDAPBindPassword yourotherpassword
    AuthLDAPUrl "ldap://other.ldap.host/o=dev?cn"
    Daniel Pelton, Dec 12, 2018 IP