I have two examples of .htaccess configuration.

This one is OK:

    AuthName "test"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL ldap://xxx/ou=people,dc=xxx,dc=fr
    Require ldap-group cn=xxx,ou=groups,dc=xxx,dc=fr

This one, with a provider alias, is not OK:

    <AuthnProviderAlias ldap ldap-test>
    AuthLDAPURL ldap://xxx/ou=people,dc=xxx,dc=fr
    </AuthnProviderAlias>
    AuthName "test"
    AuthType Basic
    AuthBasicProvider ldap-test
    Require ldap-group cn=xxx,ou=groups,dc=xxx,dc=fr

It seems that the authentication is not OK with a declaration of a provider alias for a group or a user (with Require valid-user it's OK for both configurations).

Thanks in advance.

This is actually working as designed. Authentication and authorization are two different functions. Since the LDAP URL was specified in an <AuthnProviderAlias> section, the directives in that section only apply to authentication, or authn. They do not apply to authorization, or authz. Therefore, an LDAP URL still needs to be defined if the authorization functionality requires it, such as in a 'require ldap-group xxx' situation.

The unfortunate thing is that this is not intuitive in Apache 2.2. It will make a little more sense in Apache 2.4 when the directive section <RequireAlias ... > is introduced. This will allow both the authentication and authorization functionality to be independently configured with separate LDAP information if desired.

An equivalent <RequireAlias> would appear as:

    <RequireAlias ldap-group my-ldap-group cn=xxx,ou=groups,dc=xxx,dc=fr>
    AuthLDAPURL ldap://xxx/ou=people,dc=xxx,dc=fr
    ...
    </RequireAlias>

    <Directory ..>
    ...
    Require my-ldap-group
    </Directory>
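
A check for the situation described in the reply above, as an added example that is not part of the original thread or of Apache itself: it flags LDAP Require lines when the only AuthLDAPURL sits inside an <AuthnProviderAlias> section, where it serves authentication only. It assumes the text is a single configuration scope (no Directory nesting or inheritance); the function name `check_ldap_authz` is hypothetical and the sample configs are constructed from the thread's placeholders.

```python
import re

# Require types handled by mod_authnz_ldap's authorization phase.
LDAP_REQUIRE = {"ldap-user", "ldap-group", "ldap-dn", "ldap-attribute", "ldap-filter"}

# Constructed sample: the failing .htaccess from the thread (placeholders kept).
ALIASED = """\
<AuthnProviderAlias ldap ldap-test>
AuthLDAPURL ldap://xxx/ou=people,dc=xxx,dc=fr
</AuthnProviderAlias>
AuthName "test"
AuthType Basic
AuthBasicProvider ldap-test
Require ldap-group cn=xxx,ou=groups,dc=xxx,dc=fr
"""
# Constructed sample: same file with an LDAP URL also visible to authorization.
FIXED = ALIASED + "AuthLDAPURL ldap://xxx/ou=people,dc=xxx,dc=fr\n"

def check_ldap_authz(config_text):
    """Return one finding per LDAP Require line when no AuthLDAPURL exists
    outside <AuthnProviderAlias>. Assumption: config_text is one scope,
    such as a single .htaccess file; inheritance is not modelled."""
    in_alias, authz_url, requires = False, False, []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        low = line.lower()  # directive names are case-insensitive
        if low.startswith("<authnprovideralias"):
            in_alias = True
        elif low.startswith("</authnprovideralias"):
            in_alias = False
        elif low.startswith("authldapurl") and not in_alias:
            authz_url = True  # this URL is available to the authz phase
        else:
            m = re.match(r"require\s+(\S+)", low)
            if m and m.group(1) in LDAP_REQUIRE:
                requires.append((lineno, line))
    if authz_url:
        return []
    return [f"line {n}: '{text}' has no AuthLDAPURL outside <AuthnProviderAlias>"
            for n, text in requires]

if __name__ == "__main__":
    for name, cfg in (("aliased", ALIASED), ("fixed", FIXED)):
        print(name, check_ldap_authz(cfg) or "ok")
```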