Require ldap-group fails with Kerberos authentication and AuthLDAPSearchAsUser

Solution Verified

Issue

  • We are trying to configure a private zone with the Apache modules mod_auth_gssapi for SSO and mod_authnz_ldap to restrict access by LDAP group, but it doesn't work. Our configuration is:

    <Location "/mypath">
        AuthType GSSAPI
        AuthName "Kerberos Login"
        GssapiAllowedMech krb5
        GssapiCredStore keytab:/etc/httpd/conf/httpd.keytab
    
        AuthLDAPSearchAsUser on
        AuthLDAPGroupAttribute member
        AuthLDAPUrl ldap://ldap.org:389/dc=myorg,cg=org?userPrincipalName?sub
        Require ldap-group cn=mygroup,ou=groups,dc=myorg
    </Location>
    

    However, even though the user authenticates correctly and is correctly assigned to the group, the authorization fails.

    [Wed Oct 20 14:05:56.771442 2021] [authz_core:debug] [pid 118552:tid 140552636970752] mod_authz_core.c(820): [client 10.1.1.3:1551] AH01626: authorization result of Require ldap-group cn=mygroup,ou=groups,dc=myorg: denied, referer: http://myweb.org/login/
    

Environment

  • Red Hat Enterprise Linux (RHEL)
    • 7
    • 8
  • Red Hat JBoss Enterprise Application Portal
    • 7
  • Red Hat JBoss Web Server
    • 3
    • 5
  • Red Hat JBoss Core Services (JBCS) Apache httpd
    • 2.4
