How to restrict authentication to members of a specific group in Apache with mod_authnz_ldap?

I have implemented LDAP authentication in Apache 2.4 (RHEL 8.5) with an Active Directory backend. The setup works perfectly with a basic "Require valid-user" directive. Now I need to restrict authentication to a specific group of Active Directory users with the "Require ldap-group" directive, but authentication is now denied when trying to authenticate with a user who is a member of the authorized group.

Using a basic "Require valid-user" authentication works like a charm, but when using "Require ldap-group" it doesn't. I also tried "Require ldap-filter" without success.

  • Active Directory group: my_group (CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld)
  • Active Directory user: my_user, member of "my_group"

Apache Log (DEBUG)

[Xxx Xxx XX xx:xx:xx.xx 20XX] [authnz_ldap:debug] [pid 90767:tid 13975006511XXXX] mod_authnz_ldap.c(620): [client XX.XX.XX.XX:40388] AH01697: auth_ldap authenticate: accepting my_user
[Xxx Xxx XX xx:xx:xx.xx 20XX] [authz_core:debug] [pid 90767:tid 13975006511XXXX] mod_authz_core.c(820): [client XX.XX.XX.XX:40388] AH01626: authorization result of Require ldap-group CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld: denied
[Xxx Xxx XX xx:xx:xx.xx 20XX] [authz_core:debug] [pid 90767:tid 13975006511XXXX] mod_authz_core.c(820): [client XX.XX.XX.XX:40388] AH01626: authorization result of <RequireAny>: denied
[Xxx Xxx XX xx:xx:xx.xx 20XX] [authz_core:error] [pid 90767:tid 13975006511XXXX] [client XX.XX.XX.XX:40388] AH01631: user my_user: authorization failure for "/app/":

Apache configuration file "ad.conf":

<AuthnProviderAlias ldap mydc01>
        AuthLDAPBindDN [email protected]
        AuthLDAPBindPassword XXXXXXXXXXXXXX
        AuthLDAPURL ldaps://mydc01.domain.tld/DC=domain,DC=tld?sAMAccountName?sub?(objectClass=*)
</AuthnProviderAlias>

<AuthnProviderAlias ldap mydc02>
        AuthLDAPBindDN [email protected]
        AuthLDAPBindPassword XXXXXXXXXXXXXX
        AuthLDAPURL ldaps://mydc02.domain.tld/DC=domain,DC=tld?sAMAccountName?sub?(objectClass=*)
</AuthnProviderAlias>

<Directory /var/www/app>
        AuthName "AD authentication"
        AuthBasicProvider mydc01 mydc02
        AuthType Basic
        AuthLDAPGroupAttribute member
        AuthLDAPGroupAttributeIsDN off

        # OK
        # Require valid-user

        # Not working
        Require ldap-group CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld

        # Not working
        # Require ldap-filter (memberOf=CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld)

        # Not working
        # Require ldap-attribute memberOf="CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld"

</Directory>
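
The following is an added example and not the asker's configuration. It shows the same ad.conf with the group check corrected: Active Directory stores full distinguished names in a group's `member` attribute, so `AuthLDAPGroupAttributeIsDN` must be `on` (the module default) for `Require ldap-group` to match. With it `off`, mod_authnz_ldap compares the bare login name (`my_user`) against a list of DNs and the compare can never succeed, which is consistent with the `AH01626 ... denied` line in the posted debug log. Hostnames, DNs and group/user names are the question's placeholders; the bind account `svc_apache@domain.tld`, the nested-group depth of 2 and the `(objectClass=user)` filter are assumptions made for this example, since the original bind DN is redacted.

```apacheconf
# Added example, not the original question's ad.conf.
# Placeholders: domain.tld, mydc01/mydc02, my_group, my_user come from the
# question; svc_apache@domain.tld is a hypothetical service account.

<AuthnProviderAlias ldap mydc01>
        AuthLDAPBindDN svc_apache@domain.tld
        AuthLDAPBindPassword XXXXXXXXXXXXXX
        # Fetching only sAMAccountName is enough: the group check below is an
        # LDAP compare against the group entry, not a lookup on the user entry.
        # (objectClass=user) keeps computer and contact objects from matching.
        AuthLDAPURL ldaps://mydc01.domain.tld/DC=domain,DC=tld?sAMAccountName?sub?(objectClass=user)
</AuthnProviderAlias>

<AuthnProviderAlias ldap mydc02>
        AuthLDAPBindDN svc_apache@domain.tld
        AuthLDAPBindPassword XXXXXXXXXXXXXX
        AuthLDAPURL ldaps://mydc02.domain.tld/DC=domain,DC=tld?sAMAccountName?sub?(objectClass=user)
</AuthnProviderAlias>

<Directory /var/www/app>
        AuthName "AD authentication"
        AuthType Basic
        AuthBasicProvider mydc01 mydc02

        # In Active Directory a group's "member" attribute holds DNs such as
        # CN=my_user,OU=...,DC=domain,DC=tld, never sAMAccountName values.
        AuthLDAPGroupAttribute member

        # The posted config set this to "off", so the module compared the
        # login name "my_user" against "member" and always missed.
        # "on" (the default) compares the DN found during authentication.
        AuthLDAPGroupAttributeIsDN on

        # Optional: also accept users who are members of groups nested inside
        # my_group. AD groups have objectClass "group", not the groupOfNames /
        # groupOfUniqueNames defaults, so the class must be given explicitly.
        # Remove these two lines to require direct membership only.
        AuthLDAPSubGroupClass group
        AuthLDAPMaxSubGroupDepth 2

        # ldap-group already implies an authenticated user; no valid-user needed.
        Require ldap-group CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld
</Directory>
```

Two checks before reloading httpd. First, confirm what `member` actually contains with a search such as `ldapsearch -H ldaps://mydc01.domain.tld -D 'svc_apache@domain.tld' -W -b 'CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld' -s base member`; if the values are DNs, `AuthLDAPGroupAttributeIsDN on` is required. Second, with `LogLevel authnz_ldap:debug` (as in the posted log) the module logs every group compare it attempts, including the value it is testing, so a bare username appearing where a DN should be points straight at this setting. Also note that `AuthLDAPBindPassword` is stored in cleartext: keep ad.conf readable by root only (httpd reads its configuration before dropping privileges), and give the service account read-only rights to the directory.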


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
