I have a requirement to change some Apache 2.4 authentication so that most users can access the website from anywhere, but certain users (who can be identified in a number of ways, but an LDAP group would be the easiest) can only be permitted access from a certain IP address subnet. (Authentication is via OIDC module plus LDAP groups.)
(A simplified version of) the current Apache config is:
Require claim aud:apache123.company.com
Require ldap-attribute companyMemberOf="ALL_USERS_OF_THIS_TOOL"
I'm not sure how best to implement this negative clause for a certain group.
I had to use the workaround discussed here with a dummy "Require all granted" clause to avoid the "RequireAll directive contains only negative authorization directives" error.
I think adding this would do it, but I'd appreciate feedback, because with this kind of thing I can easily imagine somebody writing "you'd think that would work but it doesn't because...", or "yes that works, but it's really not the right way to do it because..."
RequireNone ldap-attribute companyMemberOf="RESTRICTED_GROUP"
# Just to keep Apache happy
Require all granted
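
An added example, not part of the original post and not Apache's own code: a small Python model of the granted/denied/neutral results that the mod_authz_core documentation describes for Require, Require not, RequireAll and RequireAny, used to check who a policy like the one in the question lets in. The nesting (subnet OR "not in RESTRICTED_GROUP"), the 192.0.2.0/24 subnet and all function names are assumptions made for illustration.

```python
import ipaddress

GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"
OFFICE_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed placeholder subnet

def require(pred, negate=False):
    """One Require line; 'Require not' can only deny or stay neutral."""
    def check(req):
        ok = pred(req)
        if negate:
            return DENIED if ok else NEUTRAL
        return GRANTED if ok else DENIED
    return check

def require_all(*children):
    """<RequireAll>: fails on any failure, succeeds only if something succeeds."""
    def check(req):
        results = [c(req) for c in children]
        if DENIED in results:
            return DENIED
        return GRANTED if GRANTED in results else NEUTRAL
    return check

def require_any(*children):
    """<RequireAny>: succeeds if any child succeeds."""
    def check(req):
        results = [c(req) for c in children]
        if GRANTED in results:
            return GRANTED
        return DENIED if DENIED in results else NEUTRAL
    return check

def in_group(name):
    return lambda req: name in req["groups"]

def build_policy(with_dummy=True):
    # Assumed nesting: office subnet OR "not in RESTRICTED_GROUP".
    not_restricted = [require(in_group("RESTRICTED_GROUP"), negate=True)]
    if with_dummy:
        not_restricted.append(require(lambda req: True))  # Require all granted
    return require_all(
        require(lambda req: req["aud"] == "apache123.company.com"),
        require(in_group("ALL_USERS_OF_THIS_TOOL")),
        require_any(
            require(lambda req: ipaddress.ip_address(req["ip"]) in OFFICE_NET),
            require_all(*not_restricted)))

def allowed(aud, groups, ip, with_dummy=True):
    req = {"aud": aud, "groups": set(groups), "ip": ip}
    return build_policy(with_dummy)(req) == GRANTED  # neutral is not a grant
```

In this model the negated branch on its own never rises above neutral, so without the dummy positive directive no request from outside the subnet is granted; that is the situation the quoted RequireAll error guards against.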