kvspb / nginx-auth-ldap

LDAP authentication module for nginx
BSD 2-Clause "Simplified" License

require group; satisfy any; allows group members in addition to any authenticated user under url. #193

Open willjp opened 6 years ago

willjp commented 6 years ago

Thank you very much for writing this module! I believe I may have encountered a bug.

Example of Issue

http {
    ldap_server employees {
        url                   "ldap://localhost/ou=people,dc=example,dc=com?cn?sub?(objectClass=person)";
        binddn                "cn=admin,dc=example,dc=com";
        binddn_password       "some_password";
        group_attribute       uniqueMember;
        group_attribute_is_dn on;
        # require takes a keyword (valid_user, user or group) before the value
        require               group "cn=employees,ou=groups,dc=example,dc=com";
        satisfy               all;
    }

    server {
        auth_ldap         "Some Documentation";
        auth_ldap_servers employees;

        # ... remainder of server config
    }
}

Using the above server configuration, any authenticated user (objectClass=person) under ou=people,dc=example,dc=com is allowed to access the content, regardless of whether or not they are added as a uniqueMember on the groupOfUniqueNames cn=employees,ou=groups,dc=example,dc=com.

I noticed that if I add require user "cn=some_user"; satisfy any; this behaviour is corrected (only the group members are allowed through).

I'm wondering if this might have something to do with the configuration defaulting to require valid_user;.
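As an added illustration, not code from willjp or from the nginx-auth-ldap project, the following Python model shows how a permissive rule combines with a group rule under satisfy all versus satisfy any. The directory contents, the rule tuples and the evaluation order are constructed assumptions; the implicit_valid_user flag models the hypothesis above (that a require valid_user rule is present by default) rather than any confirmed module behaviour.

```python
# Toy model of how "require" rules combine under "satisfy all" / "satisfy any".
# Constructed example for this thread: directory contents, rule names and
# evaluation order are assumptions, not the nginx-auth-ldap module's own logic.

# Constructed directory: DNs that can bind, and one groupOfUniqueNames.
PEOPLE = {
    "cn=alice,ou=people,dc=example,dc=com",
    "cn=bob,ou=people,dc=example,dc=com",
}
GROUPS = {
    "cn=employees,ou=groups,dc=example,dc=com": {
        "cn=alice,ou=people,dc=example,dc=com",   # alice is the only uniqueMember
    },
}

EMPLOYEES = "cn=employees,ou=groups,dc=example,dc=com"
ALICE = "cn=alice,ou=people,dc=example,dc=com"
BOB = "cn=bob,ou=people,dc=example,dc=com"


def rule_holds(rule, user_dn):
    """Evaluate one require rule: ("valid_user",), ("user", dn) or ("group", dn)."""
    kind = rule[0]
    if kind == "valid_user":
        return user_dn in PEOPLE
    if kind == "user":
        return user_dn == rule[1]
    if kind == "group":
        return user_dn in GROUPS.get(rule[1], set())
    raise ValueError(f"unknown require rule: {kind}")


def build_policy(configured_rules, satisfy, implicit_valid_user):
    """Assumed policy construction: when implicit_valid_user is set, a
    ("valid_user",) rule is prepended to whatever the config declared.
    This models the reporter's hypothesis, not a confirmed behaviour."""
    rules = list(configured_rules)
    if implicit_valid_user:
        rules.insert(0, ("valid_user",))
    return {"rules": rules, "satisfy": satisfy}


def authorize(policy, user_dn):
    """Bind must succeed first; then combine rule results per satisfy mode."""
    if user_dn not in PEOPLE:
        return False
    results = [rule_holds(r, user_dn) for r in policy["rules"]]
    if not results:
        return False   # no rules at all: fail closed
    if policy["satisfy"] == "all":
        return all(results)
    if policy["satisfy"] == "any":
        return any(results)
    raise ValueError(f"unknown satisfy mode: {policy['satisfy']}")


def scenarios():
    """Map each (rule set, satisfy mode) to (alice allowed?, bob allowed?)."""
    group_only = [("group", EMPLOYEES)]
    out = {}
    for name, implicit in (("explicit", False), ("implicit_valid_user", True)):
        for mode in ("all", "any"):
            pol = build_policy(group_only, mode, implicit)
            out[f"{name}/satisfy {mode}"] = (authorize(pol, ALICE), authorize(pol, BOB))
    return out


if __name__ == "__main__":
    for name, (alice_ok, bob_ok) in scenarios().items():
        print(f"{name:32} alice={alice_ok} bob(non-member)={bob_ok}")
```

In this model the non-member is admitted only when an extra valid_user rule is present and the mode is satisfy any; the posted config uses satisfy all, so the practical check is to confirm which satisfy mode and which require rules are actually in effect at runtime before attributing the symptom to the group-membership lookup itself.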

manas86 commented 6 years ago

Hi, can you share the complete config with me, with [ require user "cn=some_user...." ]?