From: "Eric Covener" <covener@gmail.com>
To: users@httpd.apache.org
Date: Tue, 21 Oct 2008 16:09:58 -0400
Subject: Re: [users@httpd] mod_authnz_ldap module and Microsoft AD LDAP Server
Message-ID: <1404e5910810211309j14250a88w4ec9d62024fa3e01@mail.gmail.com>
In-Reply-To: <48FE14B6.2000608@ice-sa.com>
References: <1404e5910810211027l1f01cd5hd5f86804b989ff47@mail.gmail.com> <48FE14B6.2000608@ice-sa.com>

On Tue, Oct 21, 2008 at 1:43 PM, André Warnier wrote:
> Eric Covener wrote:
>>
>> On port 389, MSAD might send you on a lengthy wild goose-chase of LDAP
>> referrals.
>>
> Eric, can you elaborate a bit on that, or direct me/us to some additional
> information ?
> This is not directly related to the OP's issue, but I'm doing a lot of AAA
> related stuff these days, and like to learn these things.

LDAP has a notion of referrals, like HTTP redirects. When you have a
complicated AD domain, you might talk to what you think of as the master
AD server, but it may send you to go ask other servers (dept. x, dept y,
AD servers from some remote site, recent acquisitions, etc).

I don't know if it is misconfiguration, but I've seen some where
conceptually none of the referrals seem to be needed based on the user
you're looking up (and may take you across some slow links).

When you use that high port, you're talking to the "global catalog" where
all info across the "forest" is aggregated on one LDAP server and you just
get a regular/direct result if you query or try to login.

If you use unusual data for authz, I believe you have to tell it what

MS also has a tool called ADAM (AD Application Mode) that frontends AD for
traditional LDAP applications:
http://www.microsoft.com/windowsserver2003/adam/default.mspx

-- 
Eric Covener
covener@gmail.com
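An added configuration example (not from the thread or from the httpd project) contrasting the two approaches Eric describes: mod_authnz_ldap pointed at a domain controller on port 389 with referral chasing left at its default, beside the same auth pointed at the global catalog (the "high port" in the thread is 3268, or 3269 over TLS) with referrals disabled. It assumes Apache 2.4-era mod_ldap/mod_authnz_ldap directive syntax; hostnames, base DN, group DN, CA path and service account are placeholders.

```apache
# Added example, not from the thread. Assumes Apache 2.4-era mod_ldap and
# mod_authnz_ldap directives; hostnames, DNs, CA path and the service
# account are placeholders.

# Weak: plain LDAP to one domain controller on 389, referral chasing left
# at its default (On). Every referral the DC hands back is followed,
# possibly across slow WAN links, and the bind credentials cross the wire
# in clear text.
<Location "/intranet-old">
    AuthType Basic
    AuthName "Intranet (AD)"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://dc1.example.com:389/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=svc-httpd,OU=ServiceAccounts,DC=example,DC=com"
    AuthLDAPBindPassword "placeholder-secret"
    Require valid-user
</Location>

# Hardened: query the global catalog over TLS (3269; 3268 is the cleartext
# GC port) so the forest-wide view comes from one server and no referrals
# are needed, and turn referral chasing off explicitly. Caveat: the GC only
# returns attributes in its partial attribute set, so anything used for
# authz (group membership below) must be replicated to the GC.
LDAPReferrals Off
LDAPVerifyServerCert On
LDAPTrustedGlobalCert CA_BASE64 "/etc/ssl/certs/corp-ca.pem"
<Location "/intranet">
    AuthType Basic
    AuthName "Intranet (AD)"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://gc.example.com:3269/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=svc-httpd,OU=ServiceAccounts,DC=example,DC=com"
    AuthLDAPBindPassword "placeholder-secret"
    Require ldap-group CN=IntranetUsers,OU=Groups,DC=example,DC=com
</Location>
```

If a lookup against the GC unexpectedly fails authz that succeeds on 389, check whether the attribute or group membership involved is in the partial attribute set before suspecting the httpd configuration.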