After spending several hours debugging an Apache LDAP authentication issue against Active Directory, I finally found the hint I was looking for. The error I kept getting in error.log was:
[debug] mod_authnz_ldap.c(379): [client 192.168.182.23] [29481] auth_ldap authenticate: using URL ldap://dc001.mydomain.local:389/DC=mydomain,DC=local?sAMAccountName?sub?(objectClass=*)
[info] [client 192.168.182.23] [29481] auth_ldap authenticate: user tuxevara authentication failed; URI / [ldap_search_ext_s() for user failed][Operations error]
According to some other sites, the [ldap_search_ext_s() for user failed][Operations error] message is caused by mod_authnz_ldap not handling the LDAP referrals that Active Directory returns when you search from the domain root on port 389. The solution was almost too obvious: changing the LDAP port to 3268 (the Global Catalog, which answers such searches without referrals) solved it.
Here is the content of the .htaccess file, which only grants access to members of a specific group:
AuthBasicProvider ldap
AuthType Basic
AuthName "Protected"
AuthLDAPURL "ldap://dc001.mydomain.local:3268/DC=mydomain,DC=local?sAMAccountName?sub?(objectClass=*)"
AuthzLDAPAuthoritative on
AuthLDAPBindDN "svc-apache@mydomain.local"
AuthLDAPBindPassword "thisissupposedtobesecret"
AuthLDAPGroupAttributeIsDN on
require ldap-group CN=Support,OU=Groups,DC=mydomain,DC=local
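As an added example (not the original post's file), here is how the same policy looks on Apache 2.4 with the transport and credential handling tightened: LDAPS to the Global Catalog on 3269 instead of cleartext 3268, the bind password read from an external helper rather than stored in the file, and the 2.4 Require syntax (AuthzLDAPAuthoritative no longer exists in 2.4 and causes a startup error). The directory path, the CA bundle path and the helper script path are assumptions; the hostname and DNs are the ones from the post.

```apache
# Server-level directives (httpd.conf, mod_ldap), not valid in .htaccess:
# make mod_ldap verify the domain controller's certificate against the internal CA.
# /etc/ssl/certs/mydomain-ca.pem is an assumed path for that CA bundle.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/mydomain-ca.pem
LDAPVerifyServerCert On

# /var/www/protected is an assumed document path
<Directory "/var/www/protected">
    AuthType Basic
    AuthName "Protected"
    AuthBasicProvider ldap

    # Global Catalog over TLS (3269) instead of cleartext 3268: still avoids the
    # referrals that break the search on 389, but the bind credentials and the
    # users' passwords no longer cross the network in the clear.
    AuthLDAPURL "ldaps://dc001.mydomain.local:3269/DC=mydomain,DC=local?sAMAccountName?sub?(objectClass=*)"

    AuthLDAPBindDN "svc-apache@mydomain.local"
    # Apache 2.4.5 and later: read the bind password from a helper program
    # (assumed path) that prints it to stdout, so the secret is not stored
    # in a config file that other accounts on the host may be able to read.
    AuthLDAPBindPassword "exec:/usr/local/sbin/ldap-bind-password"

    AuthLDAPGroupAttributeIsDN on
    # Apache 2.4 authorization syntax; replaces AuthzLDAPAuthoritative from 2.2.
    Require ldap-group CN=Support,OU=Groups,DC=mydomain,DC=local
</Directory>
```

The helper is run once at startup by the user Apache starts as, so it should be executable only by that account and should not be readable by the unprivileged worker user. The bind account itself only needs read access to the directory, so a dedicated low-privilege service account (as in the post) is the right choice; if the password ever leaks, it cannot be used to change anything in AD.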
Thanks for the tip, it worked for me perfectly!!!
Thanks for this, I’ve been banging my head all morning about this. What’s interesting is it worked yesterday afternoon, but this morning it was giving me a 500 error. I just slapped in the new port and it worked wonderfully.
Thanks from me, too! Worked like a charm.
Nice guide. Thanks for taking the time to write it; it's helped me a lot.
Thank you! Saved the day.
Many thanks, helped me too 🙂
Cool… it worked for me… thanks 😉