Group authentication to AD
I am having a problem with Apache authenticating
using an LDAP group. I have version 2.2.3 of httpd installed.
My Location block is configured as below:
<Location /test_repo>
    DAV svn
    SVNPath /disk01/home/test_repo
    AuthType Basic
    AuthName "Subversion Repository"
    AuthBasicProvider ldap-FCGNET ldap-VIET
    AuthzLDAPAuthoritative on
    Require valid-user
    Require ldap-group CN=Active_Directory Group Name,OU=U.S.,OU=Groups,DC=domain,DC=com
    #Require ldap-user pmoss
</Location>
I've configured my aliases in my httpd.conf file as follows:
<AuthnProviderAlias ldap ldap-FCGNET>
    AuthLDAPBindDN FCGNET\account_name
    AuthLDAPBindPassword xxxxxxxxxx
    AuthLDAPURL ldap://server.domain.com:3268/DC=domain,DC=com?samAccountName?sub?(objectCategory=person)
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-VIET>
    AuthLDAPBindDN "CN=account_name,OU=Service Accounts,OU=Users,OU=Production,DC=domain,DC=com"
    AuthLDAPBindPassword xxxxxxxxx
    AuthLDAPURL ldap://server.domain.com:3268/DC=domain,DC=com?samAccountName?sub?(objectCategory=person)
</AuthnProviderAlias>
My goals:
1. Allow only one specific Active Directory group access to the repository.
2. Simultaneously, allow a single user account that is not a member of the group access to the repository.
My attempts:
1. The configuration above allows any valid user access to the repository, whether they are a member of the group or not.
2. If I remove "Require valid-user", then I receive an error when attempting to access the repository, and the error.log shows the following:
[Mon Nov 15 14:38:15 2010] [debug] mod_authnz_ldap.c(377): [client 20.8.xxx.18x] [27994] auth_ldap authenticate: using URL ldap://server.domain.com:3268/DC=domain,DC=com?samAccountName?sub?(objectCategory=person)
[Mon Nov 15 14:38:15 2010] [debug] mod_authnz_ldap.c(474): [client 20.8.xxx.18x] [27994] auth_ldap authenticate: accepting pmoss
[Mon Nov 15 14:38:15 2010] [crit] [client 20.8.232.187] configuration error: couldn't check access. No groups file?: /test_repo/
3. I tried a "LimitExcept" block, shown below.
<Location /test_repo>
    DAV svn
    SVNPath /disk01/home/test_repo
    AuthType Basic
    AuthName "Subversion Repository"
    AuthBasicProvider ldap-FCGNET ldap-VIET
    AuthzLDAPAuthoritative on
    #Require valid-user
    # Limit R/W access to specified AD group
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require ldap-group CN=Active_Directory Group Name,OU=U.S.,OU=Groups,DC=domain,DC=com
    </LimitExcept>
    #Require ldap-user pmoss
</Location>
I could successfully gain access to the repository, and I am not a member of the group.
4. I uncommented the "Require valid-user" line and was again successful in gaining access, and I am not a member of the group.
5. If I change AuthzLDAPAuthoritative to off, I can still gain access to the repository.
In my httpd.conf, I have the following modules loaded:
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule alias_module modules/mod_alias.so
I've been searching around for answers, but nothing seems to be solving my problem.
I believe I have all the modules loaded that need to be there.
I am not sure what I may be missing from my configuration or what may be misconfigured. Hopefully someone can help me in achieving the goals.
Thanks in advance.
PATI MOSS
System Engineer Sr. Professional
CSC
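An added example configuration, not from the original post, that covers both goals under Apache 2.2's authorization rules. Two points it relies on: first, in 2.2 every Require line in a container is an independent grant (they are OR'd), so "Require valid-user" next to "Require ldap-group" admits every authenticated account; second, AuthnProviderAlias only feeds the authentication step, while mod_authnz_ldap's access checker (the code behind Require ldap-group and ldap-user) reads AuthLDAPURL from the enclosing container and declines when none is set, which is why removing valid-user left no module willing to authorize and produced the "couldn't check access. No groups file?" error. The server name, bind account, group DN and the user name pmoss are taken from the post; the choice of the VIET bind account for the authorization queries is an assumption, as is the attribute spelling sAMAccountName (AD attribute names are case-insensitive, so samAccountName also works).

```apache
<Location /test_repo>
    DAV svn
    SVNPath /disk01/home/test_repo

    AuthType Basic
    AuthName "Subversion Repository"
    # Authentication still goes through the two aliases from the post.
    AuthBasicProvider ldap-FCGNET ldap-VIET

    # Authorization does not look at the aliases: Require ldap-group and
    # Require ldap-user use the AuthLDAPURL and bind credentials of this
    # container, so they are repeated here (bind account is an assumption).
    AuthLDAPURL "ldap://server.domain.com:3268/DC=domain,DC=com?sAMAccountName?sub?(objectCategory=person)"
    AuthLDAPBindDN "CN=account_name,OU=Service Accounts,OU=Users,OU=Production,DC=domain,DC=com"
    AuthLDAPBindPassword xxxxxxxxx

    # AD stores group membership as full DNs in the group's "member"
    # attribute; these are the 2.2 defaults, written out so nobody has to
    # guess them.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # Deny rather than fall through to other authz modules when the LDAP
    # checks do not match.
    AuthzLDAPAuthoritative on

    # No "Require valid-user" here: any satisfied Require grants access in
    # 2.2, and valid-user is satisfied by every authenticated account.
    # The two lines below are OR'd: members of the group, plus the one
    # named account that is not in it.
    Require ldap-group CN=Active_Directory Group Name,OU=U.S.,OU=Groups,DC=domain,DC=com
    Require ldap-user pmoss
</Location>
```

Two things worth checking before relying on this. "Require ldap-user pmoss" is evaluated by comparing the sAMAccountName attribute of the DN found at authentication time, so the value must be the account name as it is stored in AD, not the DOMAIN\name form. The group compare reads the group object's "member" attribute through the URL above; port 3268 is the global catalog, which carries membership of universal groups but not of global or domain local groups, so if the group check fails while authentication succeeds, point AuthLDAPURL at a domain controller's LDAP port (389, or 636 with ldaps://) for the domain that owns the group, and confirm the expected DN is really listed with something like: ldapsearch -x -H ldap://server.domain.com -D "CN=account_name,OU=Service Accounts,OU=Users,OU=Production,DC=domain,DC=com" -W -s base -b "CN=Active_Directory Group Name,OU=U.S.,OU=Groups,DC=domain,DC=com" member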