Apache htaccess/Authentication

I’m trying to restrict access to certain folders under httpd. I created /etc/httpd/conf/passwd file and added user1 & user2. In httpd.conf, I added:

AllowOverride AuthConfig
AuthName “Apache Web Server”
AuthType Basic
AuthUserFile /etc/httpd/conf/passwd
require valid-user

This works fine, but I want only user1 to have access to /var/www/private. So I created a .htaccess file in private and put require user1. However user2 also can access this folder. Any ideas?
Thanks