Okta Classic Engine | Administration | Answered | posted 2019-11-17, last updated 2019-11-27

PaulC.27959 (DigitalFish, Inc.) asked a question.

Ldap Interface group authorization from apache httpd

I'm setting up an apache web server to authenticate against the Okta LDAP interface. I want to authorize access based on Okta group membership.

In apache's configuration files, when I configure mod_authnz_ldap to "Require ldap-group <group dn>", authorization fails with this logged (on the apache server):

[authnz_ldap:debug] ... AH01697: auth_ldap authenticate: accepting fred

[authnz_ldap:debug] ... AH01713: auth_ldap authorize: require group: testing for group membership in "cn=IT,ou=groups,dc=mycompany,dc=okta,dc=com"

[authnz_ldap:debug] ... AH01714: auth_ldap authorize: require group: testing for uniqueMember: uid=fred@mycompany.com,ou=users,dc=mycompany,dc=okta,dc=com (cn=IT,ou=groups,dc=mycompany,dc=okta,dc=com)

[authnz_ldap:debug] ... AH01719: auth_ldap authorize: require group "cn=IT,ou=groups,dc=mycompany,dc=okta,dc=com": didn't match with attr Comparison complete [uniqueMember][53 - Server is unwilling to perform]

I came up with a workaround by using "Require valid-user" and filtering the user on "memberOf", but I see the warning in Okta docs that "Querying the memberOf attribute may have impact on the rate limits of your org", because "the LDAP Interface iterates through all pages before returning membership response back to the client." I imagine this means it reads all the group records for each authorization, and we have around 100 groups.

Here's the apache config directive that specifies the filtering used for our "IT" group.

AuthLDAPURL "ldaps://mycompany.ldap.okta.com:636/ou=users,dc=mycompany,dc=okta,dc=com?shortName?one?(memberOf=*cn=IT*)"

Is rate-limiting going to be a problem?

Does anyone know how to get normal "Require ldap-group" to work against Okta LDAP Interface?

Thanks.


This question is closed.
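For readers comparing the two approaches in the question, here is an added httpd configuration example; it is not from the original post, from Okta, or from the Apache project, and it has not been run against an Okta tenant. It places the standard "Require ldap-group" path and the "Require valid-user" plus memberOf-filter workaround side by side so the LDAP operations each one triggers are visible. The host, base DNs, group DN, the uniqueMember attribute and the shortName lookup attribute are taken from the question's log and config; the service-account DN and password are placeholders. One change from the question's filter is deliberate: "(memberOf=*cn=IT*)" is a substring match that would also admit members of any group whose CN merely contains "IT", so the example matches the full group DN instead.

```apache
# Added example, not configuration from the original post, Okta or Apache.
# Placeholders: the svc-httpd bind DN and REPLACE-ME password.
# Module-level debug logging produces the AH017xx lines quoted in the question.
LogLevel authnz_ldap:debug ldap:debug

# Path 1: standard group authorization.
# After authenticating the user, mod_authnz_ldap asks the directory to
# compare the group attribute (uniqueMember) on the group entry against the
# user's DN. That compare is the operation that returned LDAP result 53
# ("Server is unwilling to perform") in the question's log; these directives
# make it explicit but cannot change how the directory answers it.
<Location "/it-tools">
    AuthType Basic
    AuthName "IT tools"
    AuthBasicProvider ldap

    # Authentication search only: look the user up by shortName, no memberOf.
    AuthLDAPURL "ldaps://mycompany.ldap.okta.com:636/ou=users,dc=mycompany,dc=okta,dc=com?shortName?one"
    # Placeholder service account; keep the password in a secret store,
    # not in a world-readable config file.
    AuthLDAPBindDN "uid=svc-httpd@mycompany.com,ou=users,dc=mycompany,dc=okta,dc=com"
    AuthLDAPBindPassword "REPLACE-ME"

    # Group check: compare uniqueMember as a full DN and do not recurse into
    # nested groups, which would add one extra LDAP search per nesting level.
    AuthLDAPGroupAttribute uniqueMember
    AuthLDAPGroupAttributeIsDN on
    AuthLDAPMaxSubGroupDepth 0

    Require ldap-group "cn=IT,ou=groups,dc=mycompany,dc=okta,dc=com"
</Location>

# Path 2: the workaround described in the question.
# Authorization collapses to "any authenticated user"; group membership is
# enforced by the search filter at authentication time. Every login therefore
# sends a memberOf query, which is the operation Okta's documentation flags
# for rate-limit impact. The filter matches the exact group DN rather than
# a substring so that similarly named groups cannot satisfy it.
<Location "/it-tools-workaround">
    AuthType Basic
    AuthName "IT tools"
    AuthBasicProvider ldap

    AuthLDAPURL "ldaps://mycompany.ldap.okta.com:636/ou=users,dc=mycompany,dc=okta,dc=com?shortName?one?(memberOf=cn=IT,ou=groups,dc=mycompany,dc=okta,dc=com)"
    AuthLDAPBindDN "uid=svc-httpd@mycompany.com,ou=users,dc=mycompany,dc=okta,dc=com"
    AuthLDAPBindPassword "REPLACE-ME"

    Require valid-user
</Location>
```

With the debug log level set, the difference between the two paths shows up directly in the error log: path 1 logs an AH01714 compare line per request (and the result code from the server), while path 2 logs only the authentication search, whose filter carries the memberOf clause. Counting those lines over a day of traffic, against the org's known group count, is a practical way to estimate the rate-limit exposure the question asks about before choosing a path.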