We have an AD forest with user accounts in one domain (domain_u) and group memberships for the same user accounts in a second domain (domain_g). I need to authenticate users against domain_u and use the returned distinguished name to authorize users based on group memberships in domain_g.
I can successfully authenticate users against domain_u with a config that looks like this:
<AuthnProviderAlias ldap ldap-domain_u>
    AuthLDAPBindDN "cn=….."
    AuthLDAPBindPassword …..
    AuthLDAPURL "ldap://.……"
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-domain_g>
    AuthLDAPBindDN "cn=….."
    AuthLDAPBindPassword …..
    AuthLDAPURL "ldap://.……"
</AuthnProviderAlias>

<Directory "${SRVROOT}/htdocs/test">
    AllowOverride none
    AuthType Basic
    AuthBasicProvider ldap-domain_u
    AuthLDAPGroupAttributeIsDN on
    LDAPReferrals Off
    <RequireAll>
        Require valid-user
    </RequireAll>
</Directory>
This authentication against domain_u works; however, I cannot figure out how to authorize authenticated users against groups in domain_g. When I look at group members in domain_g using my LDAP browser, I see distinguished names that look exactly like the distinguished name set by Apache as an environment variable after a successful authentication:
CN=S-1-5-..-……….-……….-……….-……,CN=ForeignSecurityPrincipals,DC=domain_u,DC=edu
Note that this distinguished name exists in domain_g in the ForeignSecurityPrincipals container and specifies a SID instead of a sAMAccountName.
I have tried many different permutations of config options underneath the <Directory> directive but cannot get Apache to use a second AuthnProviderAlias (ldap-domain_g) to verify group membership for the distinguished name in domain_g. I've also done numerous Google searches focusing on AD ForeignSecurityPrincipals, Active Directory and Apache configuration and have not yet found the magic post I've been looking for.
Is what I would like to do even possible, and if so, could someone please respond with the correct configuration to make this work?
Also, please note that if I set LDAPReferrals to 'On', my browser displays 'Internal Server Error' and the Apache error log contains the message:
[ldap:error] … (70023) This function has not been implemented on this platform: AH01277: LDAP: Unable to add rebind cross reference entry. Out of memory?
Thank you in advance,
Theresa