
Apache 2.2 - authnz_ldap - Active Directory

The other day I had to authenticate web clients on Apache 2.2 (Debian etch) against our corporate Active Directory (Windows 2003 R2), and I kept getting an error like the following:

[Wed Jun 06 19:08:56 2007] [warn] [client 10.10.1.2] [3574] auth_ldap authenticate: user foo authentication failed; URI /secret [ldap_search_ext_s() for user failed][Operations error]

Only after a couple of Google searches, a couple of network sniffs (which all looked fine: the bind and the subsequent search both succeeded) and a bit of trial and error did I find out that I had to turn off referral chasing in /etc/ldap/ldap.conf:

REFERRALS off

The reason is that a subtree search from the domain root makes AD return referrals (to the DomainDnsZones/ForestDnsZones partitions and the Configuration naming context) alongside the real result. libldap chases those referrals by default on a new, unauthenticated connection, and AD answers an anonymous search with "Operations error", which mod_authnz_ldap then reports as the failed ldap_search_ext_s(). Note that this setting is global to every libldap client on the box; alternatives are to point AuthLDAPURL at a narrower base DN (an OU below the domain root returns no referrals), and later Apache 2.2 releases added an LDAPReferrals directive in mod_ldap so the behaviour can be turned off per server instead.

For the record this is the configuration snippet in apache:

<Directory /var/www/secret>
    AuthBasicProvider ldap
    AuthType Basic
    AuthName "Ldap Test Area"
    AuthLDAPURL "ldap://pdc.domain.msft:389/DC=DOMAIN,DC=MSFT?sAMAccountName?sub?(objectClass=user)" NONE
    AuthLDAPBindDN "LDAPROUser@DOMAIN"
    AuthLDAPBindPassword "foo"
    require ldap-attribute objectClass=user
</Directory>

Two caveats on this snippet. The trailing NONE selects plain LDAP on port 389, so the bind account's password and every user's Basic-auth password cross the wire in cleartext (which is exactly why the sniff could show the bind and search); for anything beyond a test area use ldaps:// (connection type SSL) or the TLS connection type, and keep the file holding AuthLDAPBindPassword readable only by root. Also, "require ldap-attribute objectClass=user" admits every account that matches the search filter and can authenticate, which is the same as "require valid-user"; use "require ldap-group" to restrict access to a particular AD group.
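As an added example (not part of the original post), the shell snippet below packages the three checks from this write-up into functions: the effective REFERRALS value of an ldap.conf, the transport implied by an AuthLDAPURL line, and a match for the "Operations error" log signature above. The ldap.conf, Apache fragment and log line it runs against are constructed inline; the function names and the assumption that the AuthLDAPURL value contains no embedded whitespace are mine.

```shell
#!/bin/sh
# Added example: audit helpers for the Apache/AD setup described above.
# Not from the original post; file contents below are constructed.

# Effective REFERRALS value from an OpenLDAP ldap.conf: the last
# uncommented REFERRALS line wins; libldap defaults to "on" when unset.
referrals_setting() {
    awk 'toupper($1) == "REFERRALS" { v = tolower($2) }
         END { print (v == "" ? "on" : v) }' "$1"
}

# Transport Apache will use for binds, read from the AuthLDAPURL line:
# ldaps:// or connection type SSL -> "ldaps"; TLS/STARTTLS -> "starttls";
# ldap:// with NONE or no connection type (the default) -> "cleartext".
# Assumes the URL carries no embedded whitespace (true for the post's URL).
ldap_transport() {
    awk '$1 == "AuthLDAPURL" {
            url = $2; gsub(/"/, "", url); ctype = toupper($3)
            if (url ~ /^ldaps:\/\// || ctype == "SSL") print "ldaps"
            else if (ctype == "TLS" || ctype == "STARTTLS") print "starttls"
            else print "cleartext"
         }' "$1"
}

# Returns 0 when an Apache error_log line carries the signature from the
# post: the search after a successful bind failing with AD's "Operations
# error", which is what AD returns to an anonymous (chased-referral) search.
is_referral_failure() {
    case "$1" in
        *"ldap_search_ext_s() for user failed"*"Operations error"*) return 0 ;;
        *) return 1 ;;
    esac
}

# --- constructed demo input, mirroring the post's configuration ---
tmp=$(mktemp -d)
printf 'BASE dc=domain,dc=msft\n# REFERRALS on\nREFERRALS off\n' > "$tmp/ldap.conf"
cat > "$tmp/secret.conf" <<'EOF'
<Directory /var/www/secret>
    AuthBasicProvider ldap
    AuthType Basic
    AuthLDAPURL "ldap://pdc.domain.msft:389/DC=DOMAIN,DC=MSFT?sAMAccountName?sub?(objectClass=user)" NONE
</Directory>
EOF
logline='[Wed Jun 06 19:08:56 2007] [warn] [client 10.10.1.2] [3574] auth_ldap authenticate: user foo authentication failed; URI /secret [ldap_search_ext_s() for user failed][Operations error]'

echo "ldap.conf REFERRALS: $(referrals_setting "$tmp/ldap.conf")"
echo "AuthLDAPURL transport: $(ldap_transport "$tmp/secret.conf")"
if is_referral_failure "$logline"; then
    echo "error_log: referral-chase signature found, check REFERRALS / base DN"
fi
rm -rf "$tmp"
```

Run it against the real /etc/ldap/ldap.conf and the site's config fragment by swapping the constructed paths; a "cleartext" transport result is the cue to move the URL to ldaps:// before the setup leaves the test area.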