We have a scenario where we have an application that only accepts client certs for authentication, and that setup works well (configured in an Apache VHost). However, as part of a new requirement we would also like to check whether that user is part of a certain group in LDAP, and if not, the request should get rejected.
Note that in the excerpt below we were trying with a separate user being sent in the request header, extracting that and then checking it against LDAP; however, the logic remains the same.
The problem is that LDAP Search is NOT getting invoked at all.
```apache
<LocationMatch ^>
allow from all
SSLOptions +StdEnvVars
SSLRequireSSL
SSLRenegBufferSize 10485760
SSLRequire %{SSL_CLIENT_S_DN_CN} in {"myusername"}
SSLVerifyClient require
SSLVerifyDepth 5
SSLUserName SSL_CLIENT_S_DN_CN
SetEnvIf x-user ".+" X_USER=$0
#AuthName "Apache2 LDAP Check"
#AuthType Basic
AuthBasicProvider ldap
LDAPReferrals Off
AuthLDAPUrl ldap://ldap.corp.orgn.com:389/dc=corp,dc=orgn,dc=com?sAMAccountName?sub?(objectClass=*)
AuthLDAPBindDN "[email protected]"
AuthLDAPBindPassword "asdfg"
Require valid-user
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
#Require ldap-group CN=orgn-users,OU=Standard,OU=Security,OU=Groups,DC=corp,DC=orgn,DC=com
#Require ldap-filter "&(objectClass=user)(sAMAccountName=%{X_USER})(memberof=CN=orgn-users,OU=Standard,OU=Security,OU=Groups,DC=corp,DC=orgn,DC=com)"
RequestHeader set userid "%{X_USER}e"
</LocationMatch>
```
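The following is an added example, not taken from the question or from any answer to it, showing the group requirement written as Apache 2.4 authorization. It uses placeholder host names, DNs and group names (`example.invalid`, `svc-apache`, `app-users`), and it assumes two things that the question does not settle: that `SSLUserName` hands the certificate CN to the authorization phase as the user name, and that the directory is Active Directory, where a group's members are listed as full DNs in its `member` attribute (so `memberUid` with `AuthLDAPGroupAttributeIsDN off` would never match). The `<RequireAll>` wrapper matters for the access decision: sibling `Require` lines outside it are OR'ed, so `Require valid-user` on its own would admit every user with a valid certificate regardless of group. The per-module `LogLevel` line at the end makes the error log show whether mod_authnz_ldap performs the user search and group comparison at all, which is the first thing to check when the search appears not to run.

```apache
# Added example, Apache 2.4 syntax, placeholder names throughout.
# Assumption: SSLUserName supplies the user name seen by the authorization
# phase; assumption: Active Directory-style groups (members as DNs in "member").
<Location "/">
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth 5
    SSLOptions +StdEnvVars
    SSLUserName SSL_CLIENT_S_DN_CN

    # Where to find the user entry: the search filter is built from the
    # attribute named here (sAMAccountName) and the user name.
    AuthLDAPUrl "ldap://ldap.example.invalid:389/dc=example,dc=invalid?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=svc-apache,OU=Service Accounts,DC=example,DC=invalid"
    # 2.4.5 and later: read the bind password from a program's output rather
    # than storing it in the configuration file (path is a placeholder).
    AuthLDAPBindPassword "exec:/usr/local/bin/ldap-bind-password"
    LDAPReferrals Off

    # Active Directory groups carry their members as full DNs in "member".
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # Both conditions must hold: a user name must be present AND that user's
    # entry must be a member of the group. Without <RequireAll>, the two
    # Require lines would be OR'ed and "valid-user" alone would pass.
    <RequireAll>
        Require valid-user
        Require ldap-group "CN=app-users,OU=Groups,DC=example,DC=invalid"
    </RequireAll>
</Location>

# Per-module debug logging: the error log then records the LDAP user search,
# the group lookup and the final authorization result for each request.
LogLevel warn authnz_ldap:debug authz_core:debug ldap:debug
```

With this logging in place, a request whose log shows the authz_core decision but no authnz_ldap search lines indicates that no user name reached the authorization phase, whereas a logged search that returns no DN points at the `AuthLDAPUrl` base or filter rather than at the group settings.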