Hi. I'm trying to get a setup working where kerberos does authentication and ldap does authorization based on an Active Directory group. Alone the kerberos stuff works excellent. Even with a "Require group something" from a group file. But going to the LDAP configuration something goes wrong: --- config --- AuthType Kerberos AuthName "SPNEGO" KrbAuthRealms REALM KrbMethodNegotiate on KrbMethodK5Passwd off KrbStripRealm on Krb5Keytab /etc/val.keytab KrbServiceName <service> AuthLDAPBindDN "Jesper@domain" AuthLDAPBindPassword SECRET AuthzLDAPAuthoritative off AuthLDAPUrl "ldap://<AD-URI>?sAMAccountName" Require ldap-group CN=TestGroup,OU=Groups,OU=Company require valid-user --------------- When Im' in the group.. it logs: [Fri Dec 05 21:18:40 2008] [debug] mod_authnz_ldap.c(730): [client 10.194.134.5] [24636] auth_ldap authorise: require group : authorisation successful (attribute member) [Comparison true (cached)][Compare True And when I not in the group it logs: [Fri Dec 05 22:27:44 2008] [debug] mod_authnz_ldap.c(847): [client 10.194.134.5] [28497] auth_ldap authorise: declining to authorise .. Which both seems correct. The problem is that in both cases I end up getting the pages served. Why dont I get a 401 in the second situation? Thanks. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx