DevHeads.net

Need help restricting LDAP authorization to subdirectory

Hi,
We are working on a new intranet page for our office and I'm having trouble getting one specific thing working.

Our old intranet was strictly static content in file system directories, and permissions were set exclusively on directories. Unfortunately, even though this is a new development, I'm currently stuck on Apache 2.2 on CentOS 6.

This works on the old one (Apache 2.2 on Solaris 11):
<Directory /data/www-root/intranet>
AuthType cas
AuthLDAPURL ldap://ctg-ldap/o=ncic-ctg?uid?sub
AuthzLDAPAuthoritative on
require ldap-group cn=.all-users,ou=Groups,o=ctg.queensu.ca,o=ncic-ctg
</Directory>

<Directory /data/www-root/intranet/restricted>
AuthType cas
AuthLDAPURL ldap://ctg-ldap/o=ncic-ctg?uid?sub
AuthzLDAPAuthoritative on
require ldap-group cn=.restricted-group,ou=Groups,o=ctg.queensu.ca,o=ncic-ctg
</Directory>

The issue is that the new one is using a CMS and we are hoping to restrict access based on Locations, not Directory blocks.

My block is similar to the one below, but it doesn't seem to be taking effect. It seems that because the user has access to that directory, it's passing on the Location restriction. Am I doing something wrong?

This is running on Apache 2.2 on CentOS 7:
<Directory /data/www-root/intranet2>
AuthType cas
AuthLDAPURL ldap://ctg-ldap/o=ncic-ctg?uid?sub
AuthzLDAPAuthoritative on
require ldap-group cn=.all-users,ou=Groups,o=ctg.queensu.ca,o=ncic-ctg
</Directory>

<Location /restricted>
AuthType cas
AuthLDAPURL ldap://ctg-ldap/o=ncic-ctg?uid?sub
AuthzLDAPAuthoritative on
require ldap-group cn=.restricted-group,ou=Groups,o=ctg.queensu.ca,o=ncic-ctg
</Location>