httpd-users mailing list archives

From Theresa Hilding <>
Subject [users@httpd] How to configure authentication and authorization in <Directory> directive against 2 Active Directory domains
Date Thu, 19 Dec 2013 21:31:00 GMT
We have an AD forest with user accounts in one domain (domain_u) and group
memberships for the same user accounts in a second domain (domain_g). I
need to authenticate users against domain_u and use the returned
distinguished name to authorize users based on group memberships in

I can successfully authenticate users against domain_u with a config that
looks like this:

<AuthnProviderAlias ldap ldap-domain_u>
  AuthLDAPBindDN "cn=….."
  AuthLDAPBindPassword …..
  AuthLDAPURL "ldap://.……"
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-domain_g>
  AuthLDAPBindDN "cn=….."
  AuthLDAPBindPassword …..
  AuthLDAPURL "ldap://.……"
</AuthnProviderAlias>

<Directory "${SRVROOT}/htdocs/test">
  AllowOverride none
  AuthType Basic
  AuthBasicProvider ldap-domain_u
  AuthLDAPGroupAttributeIsDN on
  LDAPReferrals Off
  Require valid-user
</Directory>

This authentication against domain_u works; however, I cannot figure out how
to authorize authenticated users against groups in domain_g. When I look at
group members in domain_g using my LDAP browser I see distinguished names
that look exactly like the distinguished name set by Apache as an
environment variable after a successful authentication:


Note that this distinguished name exists in domain_g in the
ForeignSecurityPrincipals container and specifies a SID instead of a

I have tried many different permutations of config options underneath the
<Directory> directive but cannot get Apache to use a second
AuthnProviderAlias (ldap-domain_g) to verify group membership for the
distinguished name in domain_g. I've also done numerous Google searches
focusing on AD ForeignSecurityPrincipals, Active Directory and Apache
configuration and have not yet found the magic post I've been looking for.

Is what I would like to do even possible and if so could someone please
respond with the correct configuration to make this work?

Also, please note that if I set LDAPReferrals to 'On' my browser
displays 'Internal Server Error' and the Apache error log contains the
[ldap:error] … (70023) This function has not been implemented on this
platform: AH01277: LDAP: Unable to add rebind cross reference entry. Out of

Thank you in advance,
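For reference, an added configuration sketch (not from the original post and not the Apache project's own example) of the httpd 2.4 mechanism that this question usually comes down to: keep the AuthnProviderAlias for authentication against domain_u, and define an AuthzProviderAlias for ldap-group that carries its own AuthLDAPURL and bind credentials pointing at domain_g, so the group lookup is sent to the second domain. It assumes httpd 2.4 with mod_ldap, mod_authnz_ldap and mod_authz_core loaded; the host names, group DN, bind DNs and passwords are placeholders, and it assumes the member values in domain_g equal the DN that authentication returns.

```apache
# Added example, not the poster's configuration. All hosts, DNs and
# passwords below are placeholders to be replaced with real values.
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# Authentication: passwords are verified against domain_u, where the
# user accounts live. The DN found here is what authorization compares.
<AuthnProviderAlias ldap ldap-domain_u>
  AuthLDAPBindDN "cn=svc_apache,ou=Service Accounts,dc=domain_u,dc=example"
  AuthLDAPBindPassword "PLACEHOLDER_PASSWORD_U"
  AuthLDAPURL "ldap://dc.domain_u.example/dc=domain_u,dc=example?sAMAccountName?sub?(objectClass=user)"
</AuthnProviderAlias>

# Authorization: an ldap-group alias with its own AuthLDAPURL, so the
# group membership check goes to domain_g rather than to the server used
# for authentication. The third argument is the group DN that a plain
# "Require ldap-group" would otherwise take.
<AuthzProviderAlias ldap-group ldap-group-domain_g "cn=WebUsers,ou=Groups,dc=domain_g,dc=example">
  AuthLDAPBindDN "cn=svc_apache,ou=Service Accounts,dc=domain_g,dc=example"
  AuthLDAPBindPassword "PLACEHOLDER_PASSWORD_G"
  AuthLDAPURL "ldap://dc.domain_g.example/dc=domain_g,dc=example?sAMAccountName?sub"
  AuthLDAPGroupAttribute member
  AuthLDAPGroupAttributeIsDN on
</AuthzProviderAlias>

<Directory "${SRVROOT}/htdocs/test">
  AllowOverride none
  AuthType Basic
  AuthName "Test"
  AuthBasicProvider ldap-domain_u
  LDAPReferrals Off
  # The authenticated user's DN (from domain_u) is compared against the
  # member values of the group in domain_g.
  Require ldap-group-domain_g
</Directory>
```

This only wires the two providers together; if the member values in domain_g are ForeignSecurityPrincipals entries named by SID, as the post describes, a straight DN comparison against the domain_u DN will not match, and that mismatch is the remaining problem.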
