httpd-users mailing list archives

From "Dave Hartburn" <>
Subject [users@httpd] LDAP authentication against AD
Date Thu, 15 Mar 2007 09:53:21 GMT

Can anyone advise on a problem I have authenticating Apache on Linux against an
Active Directory server? I cannot authenticate for all users in the domain,
only users in specific branches.

I've found a few resources on line that suggest the following config is
LoadModule ldap_module modules/
LoadModule auth_ldap_module modules/

<Directory /usr/local/www/htdoc/helpdesk>
  # Search base is the Bldg800 OU; attribute used to match the login name is sAMAccountName
  AuthLDAPURL ldap://gciad01/OU=Bldg800,DC=Galleon,DC=local?sAMAccountName
  # Account used to bind to AD for the user search
  AuthLDAPBindDN CN=Support,CN=Users,DC=Galleon,DC=local
  AuthLDAPBindPassword password_removed
  AuthType Basic
  AuthName "Helpdesk"
  require valid-user
</Directory>

The good news is this works for all users in the organisational unit Bldg800,
which is one of the branches under the top level domain Galleon.local. Users are
buried down a subtree, so it can search through a number of levels of

My Active Directory has a number of branches under the top level domain,
one being a container 'Users'. As I would expect, you cannot log in as a user in
'Users', as it is not part of the Bldg800 OU.

If I change the URL to:
  AuthLDAPURL ldap://gciad01/CN=Users,DC=Galleon,DC=local?sAMAccountName
then people in 'Users' can log in, but users in Bldg800 cannot. Again, as I
would expect.

I thought the next logical step was to set the URL a level higher:
  AuthLDAPURL ldap://gciad01/DC=Galleon,DC=local?sAMAccountName
However, with this set, nobody can log in. The Apache error log reports:
[Wed Mar 14 17:12:47 2007] [warn] [client] [5559] auth_ldap
authenticate: user support authentication failed; URI
/helpdesk/phpinfo.php [ldap_search_ext_s() for user failed][Invalid DN

Does anyone know what this error means? It suggests it cannot search down the
whole subtree; is this the case?

Or, is there a general trick to tell LDAP to check all sub-branches under the
top level directory, something like Galleon.local.*? If not, is it possible to
specify more than one URL?

Any help appreciated.
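To see exactly what search mod_auth_ldap issues for each of the three AuthLDAPURL values above, and to reproduce it by hand with the OpenLDAP ldapsearch client outside Apache, here is an added example (not part of the original message or of the Apache project). It parses the URL in the RFC 2255 form the module documents (ldap://host[:port]/basedn?attribute?scope?filter) and applies the module's documented defaults: attribute uid, scope sub, filter (objectClass=*); the username "support" and bind DN used below are taken from the post.

```python
# Added example: reproduce the search mod_auth_ldap performs for an AuthLDAPURL.
# Assumes the documented defaults (attribute uid, scope sub, filter objectClass=*)
# and that the module combines them as (&(<filter>)(<attribute>=<user>)).
import shlex
from urllib.parse import urlsplit, unquote


def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL into the pieces the module uses for ldap_search_ext_s()."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %s" % parts.scheme)
    # urlsplit only cuts at the first '?', so the query still holds attr?scope?filter
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, filt = fields[:3]
    if scope not in ("one", "sub"):
        scope = "sub"  # missing or 'base' scope falls back to 'sub'
    filt = filt or "(objectClass=*)"
    if filt.startswith("(") and filt.endswith(")"):
        filt = filt[1:-1]  # parens are re-added when the combined filter is built
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "basedn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",
        "scope": scope,
        "filter": filt,
    }


def search_filter(cfg, username):
    """The combined filter sent to the server; username is used verbatim here."""
    return "(&(%s)(%s=%s))" % (cfg["filter"], cfg["attribute"], username)


def ldapsearch_cmd(url, bind_dn, username):
    """Equivalent ldapsearch invocation (prompts for the bind password with -W)."""
    cfg = parse_auth_ldap_url(url)
    return " ".join([
        "ldapsearch", "-x",
        "-H", "%s://%s:%d" % (cfg["scheme"], cfg["host"], cfg["port"]),
        "-D", shlex.quote(bind_dn), "-W",
        "-b", shlex.quote(cfg["basedn"]), "-s", cfg["scope"],
        shlex.quote(search_filter(cfg, username)), "dn",
    ])


if __name__ == "__main__":
    for base in ("OU=Bldg800,", "CN=Users,", ""):  # the three bases tried in the post
        url = "ldap://gciad01/%sDC=Galleon,DC=local?sAMAccountName" % base
        print(ldapsearch_cmd(url, "CN=Support,CN=Users,DC=Galleon,DC=local", "support"))
```

Running the printed command for the domain-root base shows whether the directory answers the subtree search with the user's DN, with an error, or with something other than an entry, which is the distinction the error log line above does not make.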



The official User-To-User support forum of the Apache HTTP Server Project.