In case anyone is still hitting their heads against the wall on this, here's a way to get "require valid-user" and "require group xxx" working:
Enable modules:
auth_basic
auth_pam
auth_sys_group:
Config:
<Directory "/local/www">
AuthType Basic
AuthName "Private Access"
AuthPAM_Enabled On
AuthGROUP_Enabled on
Require valid-user
Require group web
AuthUserFile /dev/null
AuthBasicAuthoritative Off
</Directory>
