I notice that you have this ticket on your support page (Okta Help Center (Lightning)) discussing that the standard “Require ldap-group” syntax in httpd does not work. We are attempting to set up Apache httpd for a customer and are running into the same issue. When debug logs are enabled, we get the following in the error logs (sanitized for privacy).
[Wed Jun 28 03:16:28.361106 2023] [authnz_ldap:debug] [pid 1180986:tid 140300198569728] mod_authnz_ldap.c(571): [client 10.136.78.245:56620] AH01691: auth_ldap authenticate: using URL ldaps://XXX.ldap.okta.com:636/ou=users,dc=XXX,dc=okta,dc=com?uid?sub
[Wed Jun 28 03:16:31.570738 2023] [authnz_ldap:debug] [pid 1180986:tid 140300198569728] mod_authnz_ldap.c(656): [client 10.136.78.245:56620] AH01697: auth_ldap authenticate: accepting XXX@XXX.com
...
[Wed Jun 28 03:16:32.846413 2023] [authnz_ldap:debug] [pid 1180986:tid 140300198569728] mod_authnz_ldap.c(1313): [client 10.136.78.245:56620] AH01719: auth_ldap authorize: require group "cn=XXX,ou=groups,dc=XXX,dc=okta,dc=com": didn't match with attr uniqueMember [Comparison complete][53 - Server is unwilling to perform]
How can we get “require ldap-group” working?
Thanks for your time.
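For reference, the mod_authnz_ldap directives behind the log lines above, as an added configuration example that is not part of the original post and not taken from Okta's documentation. Hostnames, DNs and the bind credentials are placeholders; the search-based `Require ldap-filter` alternative assumes the directory returns a `memberOf` attribute on user entries and permits that search.

```apache
# Added example: minimal mod_authnz_ldap block matching the URL and group DN
# seen in the debug log. All XXX values and credentials are placeholders.
<Location "/protected">
    AuthType Basic
    AuthName "Okta LDAP"
    AuthBasicProvider ldap

    # Same search base and filter attribute as the AH01691 line above.
    AuthLDAPURL "ldaps://XXX.ldap.okta.com:636/ou=users,dc=XXX,dc=okta,dc=com?uid?sub"
    # Bind identity is a placeholder; keep the secret out of the main config
    # (e.g. Include a root-owned, mode 0600 file) rather than inline.
    AuthLDAPBindDN "uid=svc-httpd,ou=users,dc=XXX,dc=okta,dc=com"
    AuthLDAPBindPassword "PLACEHOLDER"

    # Group check. The AH01719 line shows httpd performing an LDAP *compare*
    # of the group's uniqueMember attribute against the user's DN, which the
    # server answered with result 53 (unwillingToPerform). These two
    # directives only choose the attribute compared and whether its value
    # is treated as a full DN; they do not change the operation used.
    AuthLDAPGroupAttribute uniqueMember
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group cn=XXX,ou=groups,dc=XXX,dc=okta,dc=com

    # Alternative that uses a search instead of a compare: access is granted
    # when the entry found by this filter is the authenticated user's DN.
    # Assumption: user entries expose memberOf and the search is permitted.
    # Require ldap-filter memberOf=cn=XXX,ou=groups,dc=XXX,dc=okta,dc=com

    # Produces the AH016xx debug lines quoted above; drop after testing.
    LogLevel authnz_ldap:debug ldap:debug
</Location>
```

Only one of the two `Require` lines should be active at a time; with both present in the same block httpd treats them as an implicit `RequireAny`, which masks which path actually authorized the request.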