We're having trouble getting Apache LDAP authentication on Fedora to
work against Active Directory.

<Location /repos2>
    AuthType Basic
    AuthName "SVN Repository"
    AuthBasicProvider ldap
    AuthLDAPBindDN "cn=zzzzzz,ou=zzzzz,dc=zzz,dc=troux,dc=com"
    AuthLDAPBindPassword ********
    AuthLDAPURL "ldap://ldap.troux.com/dc=zzz,dc=troux,dc=com?samAccountName?sub?(&(objectCategory=Person)(objectClass=User)(memberOf=CN=Development, OU=Distribution Groups,DC=zzz,DC=troux,DC=com))"
    AuthzLDAPAuthoritative off
    Require valid-user
</Location>

With the above (somewhat redacted) data as arguments to ldapsearch we
get the expected results, a list of all user objects that are members of
the Development distribution group. These user objects may come from
several different subtrees in A/D.
When we try to use this configuration with Apache, however, we get an
"Operations Failure" response.
I captured the port 389 traffic and examined it, and we see that the
Base DN actually transmitted is

    CN=Configuration,dc=zzz,dc=troux,dc=com

If we change the base DN to

    CN=Users,dc=zzz,dc=troux,dc=com

the query works, but we want to search starting one level higher in the
directory.
Why is Apache adding CN=Configuration to the BaseDN? Is there a way to
force it to use the BaseDN we specify?