Hey Tony, Well, I was testing with a lot of possibilites... When it was working, is was without quotes, like this: Require ldap-group CN=group_access, OU=Group, DC=domain, DC=com I did a lot of tests, put the quotes, remove the quotes.... It doesn't work anyway... Im still looking for a solution.. Thanks ________________________________________ De: Bennett, Tony [Bennett.Tony@xxxxxxxxxxx] Enviado: quarta-feira, 31 de agosto de 2011 14:14 Para: users@xxxxxxxxxxxxxxxx Assunto: RE: apache + AD auth Diego, Not sure about 2.2.3, but the current version of the documentation for the " Require ldap-group" directive (http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqgroup) Says: Require ldap-group This directive specifies an LDAP group whose members are allowed access. It takes the distinguished name of the LDAP group. Note: Do not surround the group name with quotes. For example, assume that the following entry existed in the LDAP directory: dn: cn=Administrators, o=Airius objectClass: groupOfUniqueNames uniqueMember: cn=Barbara Jenson, o=Airius uniqueMember: cn=Fred User, o=Airius The following directive would grant access to both Fred and Barbara: Require ldap-group cn=Administrators, o=Airius Behavior of this directive is modified by the AuthLDAPGroupAttribute and AuthLDAPGroupAttributeIsDN directives. Note the comment about NOT surrounding the group's DN with quotes... ...you surrounded yours with quotes: Require ldap-group "CN=group_access, OU=Group, DC=domain, DC=com" Don't know if that's the problem (probably not), but it is a deviation from the specs. -tony -----Original Message----- From: Diego Maciel Gomes [mailto:diego.gomes@xxxxxxxxxxxxxx] Sent: Wednesday, August 31, 2011 9:33 AM To: users@xxxxxxxxxxxxxxxx Subject: RES: apache + AD auth Anynone? ________________________________________ De: Diego Maciel Gomes [diego.gomes@xxxxxxxxxxxxxx] Enviado: terça-feira, 30 de agosto de 2011 15:08 Para: users@xxxxxxxxxxxxxxxx Assunto: apache + AD auth Hello All... I have auth against AD... It was working fine, in a good day, it stops to work, and I have no idea why it doesnt work now... So, Im using windows 2008 R2 for windows and httpd-2.2.3-53 red hat OK? this is my conf inside the virtualhost: AuthBasicProvider ldap AuthType Basic AuthzLDAPAuthoritative off AuthName "*** Cuidado - Acesso Restrito ***" AuthLDAPURL "ldap://domain.com:389/dc=domain,dc=com?sAMAccountName?sub?(objectClass=*)" AuthLDAPBindDN "CN=user_read_ad, OU=People, DC=domain, DC=com" AuthLDAPBindPassword pass_user_above Require ldap-group "CN=group_access, OU=Group, DC=domain, DC=com" I know that need to set this value below inside the /etc/openldap/ldap.conf : REFERRALS off when I access the directory, its calling the auth. I put my user that have privileges, and I get the error: "500 Internal Server Error" and in the log, i have this: [Tue Aug 30 14:55:23 2011] [warn] [client 192.168.1.1] [32013] auth_ldap authenticate: user my_user authentication failed; URI /files [ldap_search_ext_s() for user failed][Operations error] Anyone have any idea?? Thanks anyway, Diego -- Esta mensagem foi verificada pelo sistema de antivirus e acredita-se estar livre de perigo. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx -- Esta mensagem foi verificada pelo sistema de antivirus e acredita-se estar livre de perigo. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx -- Esta mensagem foi verificada pelo sistema de antivirus e acredita-se estar livre de perigo. -- Esta mensagem foi verificada pelo sistema de antivirus e acredita-se estar livre de perigo. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx