While setting up an Apache server for authenticating users accessing a Subversion repository using mod_authnz_ldap, I came across a problem previously reported by phiroc on the users@httpd mailing list:
Hi,
when I use the following AuthLDAPURL
"ldap://adserver/ou=city1,dc=abc,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))" NONE
I can authenticate any user in “ou” city1.
If I replace the AuthLDAPURL by
"ldap://adserver/dc=abc,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))" NONE
I get an Apache 2.2 internal error and in the error log the following message:
[debug] mod_authnz_ldap.c(379): [client xxxx] [8655] auth_ldap authenticate: using URL ldap://adserver/dc=abc,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))
[info] [client xxxx] [8655] auth_ldap authenticate: user myusername authentication failed; URI /test/ [ldap_search_ext_s() for user failed][Operations error]
When I do ldapsearch … -b 'dc=abc,dc=com' '(&(objectClass=user)(!(objectClass=computer))(samaccountname=myusername))', the Active Directory server returns data, which seems to imply that there's something wrong with the mod_authnz_ldap module, or with the way I set it up or use it.
Has anyone encountered this problem before?
Is there a solution?
Many thanks.
Best regards,
p
It turns out that this problem can occur when the Active Directory has been partitioned across several domain controllers, that is, when the directory is a multi-domain forest. A subtree search rooted at the domain naming context on an ordinary domain controller then typically comes back with referrals to the other domain partitions, and chasing those is what produces the "Operations error" above. The solution appears to be to query the Global Catalog instead of an individual domain controller. To do this, connect to the domain controller on TCP port 3268 (3269 for LDAPS) instead of the standard LDAP port 389. Continuing the example given by phiroc, the AuthLDAPURL should be changed to:
"ldap://adserver:3268/dc=abc,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(objectClass=computer)))" NONE
Note that the Global Catalog carries only a partial, read-only copy of every domain's objects: sAMAccountName is part of that replicated attribute set, so the lookup above works, but a filter or group check that depends on an attribute not replicated to the Global Catalog will not match there.
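To make the pattern above checkable across an httpd.conf, here is a small parser for the AuthLDAPURL format that flags subtree searches rooted at a domain naming context on a non-Global-Catalog port and suggests the port 3268/3269 form. This is an added example for this post, not code from mod_authnz_ldap or from the mailing-list thread; the host name and DNs it is tested with are the thread's constructed values, and the defaults it applies (attribute uid, scope sub, filter objectclass=*) are the ones the mod_authnz_ldap documentation gives.

```python
"""Check Apache AuthLDAPURL values for the forest-wide search pitfall above.
Added example for this post, not code from mod_authnz_ldap or the thread.
AuthLDAPURL is an RFC 2255-style URL: scheme://host[:port]/basedn[?attr[?scope[?filter]]]
Hosts and DNs used with it are the thread's constructed example values."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
GC_PORTS = {"ldap": 3268, "ldaps": 3269}  # Global Catalog, plain and TLS

def parse_auth_ldap_url(url: str) -> dict:
    """Split an AuthLDAPURL into its parts, applying the module's documented
    defaults: attribute uid, scope sub, filter (objectclass=*)."""
    parts = urlsplit(url.strip().strip('"'))
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme in AuthLDAPURL: {url!r}")
    # After the base DN the fields are '?'-separated; an LDAP filter contains
    # parentheses and '&' but no '?', so splitting on at most two '?' is safe.
    fields = parts.query.split("?", 2) if parts.query else []
    attribute, scope, filt = fields + [""] * (3 - len(fields))
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "base_dn": parts.path.lstrip("/"),
        "attribute": attribute or "uid",
        # mod_authnz_ldap supports one and sub only; anything else becomes sub.
        "scope": scope if scope in ("one", "sub") else "sub",
        "filter": filt or "(objectclass=*)",
    }

def is_domain_root(base_dn: str) -> bool:
    """True when every RDN is dc=, i.e. the base is a domain or forest naming
    context rather than an OU inside it (dc= RDNs never hold escaped commas)."""
    rdns = [r.strip() for r in base_dn.split(",") if r.strip()]
    return bool(rdns) and all(r.lower().startswith("dc=") for r in rdns)

def check_auth_ldap_url(url: str) -> dict:
    """Flag a subtree search rooted at a domain naming context that is not
    already aimed at the Global Catalog, and suggest the GC form of the URL."""
    u = parse_auth_ldap_url(url)
    gc_port = GC_PORTS[u["scheme"]]
    risky = u["scope"] == "sub" and is_domain_root(u["base_dn"]) and u["port"] != gc_port
    suggestion = None
    if risky:
        suggestion = (f'{u["scheme"]}://{u["host"]}:{gc_port}/{u["base_dn"]}'
                      f'?{u["attribute"]}?{u["scope"]}?{u["filter"]}')
    return {"risky": risky, "suggested_url": suggestion, **u}
```

Run `check_auth_ldap_url()` over each AuthLDAPURL value pulled from the configuration; an OU-scoped base such as the working city1 URL is left alone, while the domain-root URL from the thread is flagged with its port 3268 replacement.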