Apache, authnz_ldap and Active Directory


After spending several hours debugging an Apache Active Directory LDAP authentication issue, I finally found the hint I was looking for. The error I kept getting in error.log was:

[debug] mod_authnz_ldap.c(379): [client] [29481] auth_ldap authenticate: using URL ldap://dc001.mydomain.local:389/DC=mydomain,DC=local?sAMAccountName?sub?(objectClass=*)
[info] [client] [29481] auth_ldap authenticate: user tuxevara authentication failed; URI / [ldap_search_ext_s() for user failed][Operations error]

According to some other sites, [ldap_search_ext_s() for user failed][Operations error] must be related to authnz_ldap not handling referrals. The solution was just too obvious: changing the LDAP port to 3268 (Global Catalog) solved it.

Here is the content of the htaccess file, which only grants access to members of a specific group:

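# Basic authentication backed by LDAP (Active Directory)
AuthBasicProvider ldap
AuthType Basic
AuthName "Protected"
# Port 3268 is the Global Catalog; port 389 produced the Operations error above
AuthLDAPURL "ldap://dc001.mydomain.local:3268/DC=mydomain,DC=local?sAMAccountName?sub?(objectClass=*)"
AuthzLDAPAuthoritative on

# Account used to bind to the directory when searching for the user
AuthLDAPBindDN "svc-apache@mydomain.local"
AuthLDAPBindPassword "thisissupposedtobesecret"

# Group membership is stored as full DNs; only members of this group get access
AuthLDAPGroupAttributeIsDN on
require ldap-group CN=Support,OU=Groups,DC=mydomain,DC=local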
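
The diagnosis above, as an added example that is not part of the original post: a Python script that scans error.log lines for the failure quoted above, parses the AuthLDAPURL logged just before it, and proposes the same URL on the Global Catalog port. The function names are hypothetical, and the LDAPS ports (636, and 3269 for the Global Catalog) are an addition the post does not mention.

```python
import re
from urllib.parse import urlsplit

GC_PORT = {"ldap": 3268, "ldaps": 3269}      # Global Catalog (plain / TLS; 3269 is not from the post)
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}   # used when the URL names no port
URL_RE = re.compile(r"auth_ldap authenticate: using URL (\S+)")
FAIL_RE = re.compile(r"auth_ldap authenticate: user (\S+) authentication failed; "
                     r".*\[ldap_search_ext_s\(\) for user failed\]\[Operations error\]")


def parse_auth_ldap_url(url):
    """Split scheme://host[:port]/basedn?attribute?scope?filter into fields."""
    parts = urlsplit(url)
    attribute, scope, ldap_filter = (parts.query.split("?") + ["", "", ""])[:3]
    return {"scheme": parts.scheme, "host": parts.hostname,
            "port": parts.port or DEFAULT_PORT[parts.scheme],
            "base": parts.path.lstrip("/"), "attribute": attribute,
            "scope": scope, "filter": ldap_filter}


def global_catalog_url(url):
    """Return the same AuthLDAPURL pointed at the Global Catalog port."""
    u = parse_auth_ldap_url(url)
    return "{scheme}://{host}:{gc}/{base}?{attribute}?{scope}?{filter}".format(
        gc=GC_PORT[u["scheme"]], **u)


def find_referral_failures(log_lines):
    """Pair each 'Operations error' search failure with the URL logged before it."""
    findings, last_url = [], None
    for line in log_lines:
        if (m := URL_RE.search(line)):
            last_url = m.group(1)
        elif (m := FAIL_RE.search(line)) and last_url:
            u = parse_auth_ldap_url(last_url)
            if u["port"] != GC_PORT[u["scheme"]]:   # not yet on the Global Catalog
                findings.append({"user": m.group(1), "host": u["host"],
                                 "port": u["port"],
                                 "suggested_url": global_catalog_url(last_url)})
    return findings


# The two error.log lines quoted in the post.
SAMPLE_LOG = [
    "[debug] mod_authnz_ldap.c(379): [client] [29481] auth_ldap authenticate: using URL ldap://dc001.mydomain.local:389/DC=mydomain,DC=local?sAMAccountName?sub?(objectClass=*)",
    "[info] [client] [29481] auth_ldap authenticate: user tuxevara authentication failed; URI / [ldap_search_ext_s() for user failed][Operations error]",
]

if __name__ == "__main__":
    for finding in find_referral_failures(SAMPLE_LOG):
        print(finding)
```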

7 thoughts on “Apache, authnz_ldap and Active Directory”

  1. Greg

    Thanks for this, I’ve been banging my head all morning about this. What’s interesting is it worked yesterday afternoon, but this morning it was giving me a 500 error. I just slapped in the new port and it worked wonderfully.
