Hello,

I've been banging my head on this one for days now. Are nested AD groups supported with mod_auth_pam? I've googled this issue but it appears not many admins are using this and/or it could possibly be a bug in the apache module.

Config
------
Red Hat Enterprise Linux Server release 5.5 (Tikanga)
Server version: Apache/2.2.3
svn, version 1.6.12 (r955767)
Windows 2008 R2

It appears that we cannot use Active Directory Permissions Groups with the s-svn server for Subversion repository authentication and authorization but yet AD Role groups work just fine.

subversion.conf config for "puppet" repository
------------------------------------------------
#================puppet repo===================================
<Location /puppet>
    DAV svn
    SVNPath /repos/puppet
    AuthPAM_Enabled on
    AuthType Basic
    AuthName "Subversion Authentication to AD"

    # Limit R/W access to certain role groups
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        # Require group SVN-Puppet-ReadWrite-P
        Require group IT-InfrastructureTeam-SystemAdministrator-R
    </LimitExcept>

    # Limit R/O access to certain role group
    <Limit GET PROPFIND OPTIONS REPORT>
        # Require group SVN-Puppet-ReadWrite-P
        Require group IT-InfrastructureTeam-SystemAdministrator-R
    </Limit>
</Location>

The interesting thing is that AD Role Groups appear to work fine within the Location directive config above which shows the role group for which I'm a member. If the above config is changed to use the Permissions group shown commented out, authentication doesn't work and when that happens I'm seeing the following error in ssl_error_log.

[Fri Nov 12 13:10:18 2010] [error] [client 172.16.4.7] GROUP: dpb not in required group(s).

So, even though the following User > Role > Permissions > Resource association exists, the group with '-P' in it above won't allow dpb to authenticate for repo access.

dpb is a member of IT-InfrastructureTeam-SystemAdministrator-R
and
IT-InfrastructureTeam-SystemAdministrator-R is a member of SVN-Puppet-ReadWrite-P AD group

Any help would be greatly appreciated.

--------
Dale Bohl
Sr. Systems Administrator
Mason Companies, Inc.
dbohl@xxxxxxxxxxxxxxxxxxxxx
(715)-720-4382
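
Added example, not part of the original post and not mod_auth_pam code: a model of how a group check that consults only direct membership differs from one that expands nested groups, using the membership described in the post as constructed data. Whether the module or the underlying group lookup behaves this way on this server is an assumption; the function names are hypothetical.

```python
"""Direct vs. nested group membership check (added example, constructed data)."""

# Constructed from the association described in the post:
# member -> groups it is a DIRECT member of.
DIRECT_MEMBER_OF = {
    "dpb": {"IT-InfrastructureTeam-SystemAdministrator-R"},
    "IT-InfrastructureTeam-SystemAdministrator-R": {"SVN-Puppet-ReadWrite-P"},
}


def direct_groups(principal, member_of=DIRECT_MEMBER_OF):
    """Groups that list the principal as a direct member (no nesting)."""
    return set(member_of.get(principal, ()))


def effective_groups(principal, member_of=DIRECT_MEMBER_OF):
    """All groups reachable through nesting, guarded against cycles."""
    seen = set()
    stack = list(member_of.get(principal, ()))
    while stack:
        group = stack.pop()
        if group in seen:
            continue  # already expanded; also stops A-in-B-in-A loops
        seen.add(group)
        stack.extend(member_of.get(group, ()))
    return seen


def authorize(user, required, resolver):
    """Model of 'Require group': allow if the user is in any required group."""
    return bool(resolver(user) & set(required))


if __name__ == "__main__":
    for name, resolver in (("direct", direct_groups), ("nested", effective_groups)):
        for group in ("IT-InfrastructureTeam-SystemAdministrator-R",
                      "SVN-Puppet-ReadWrite-P"):
            verdict = "allow" if authorize("dpb", [group], resolver) else "deny"
            print(f"{name:6} Require group {group}: {verdict}")
```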