Apache LDAP authentication and Active Directory

I needed to authenticate users in Apache against Active Directory using mod_authnz_ldap.  Normally I would have set the URL and base DN like this:

ldaps://example.com
ou=CompanyPeople,dc=example,dc=com

In this case, however, the users spanned two different top-level containers or “domains”:

ou=CompanyPeople,dc=example,dc=com
ou=OtherPeople,dc=example,dc=com

So, I tried setting the base DN to the top level:

dc=example,dc=com

but authentication failed with this ugly error in the log:

[ldap_search_ext_s() for user failed][Operations error]

It took some hunting, but I finally found that if you want to query the Active Directory “Global Catalog” (GC) via LDAP, you have to use port 3268 (LDAP) or 3269 (LDAPS) instead of the usual default port 389 or 636. The GC answers forest-wide searches directly, which is why a base DN at the domain root only works there. So, the working URL and base DN are:

ldaps://example.com:3269
dc=example,dc=com
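The same fix expressed as an Apache configuration, as an added example rather than the post's own config: the hostname, the bind account, the location path and the `(objectClass=user)` filter are assumptions that you would replace with your own. Active Directory does not permit anonymous searches, so the example binds with a low-privilege service account; the commented-out URL is the failing port-636 variant described above, the active one points at the Global Catalog on 3269.

```apache
# Added example (not the post's original configuration). Host, bind DN,
# password, location and filter are placeholders chosen to match the
# layout in the post (users in ou=CompanyPeople and ou=OtherPeople).

<Location "/secure">
    AuthType Basic
    AuthName "Example Corp"
    AuthBasicProvider ldap

    # Active Directory rejects anonymous searches, so bind with a
    # read-only service account before looking the user up. Keep this
    # password out of world-readable config (e.g. Include a 0600 file).
    AuthLDAPBindDN "cn=apache-svc,ou=ServiceAccounts,dc=example,dc=com"
    AuthLDAPBindPassword "CHANGE-ME"

    # Broken: a subtree search from dc=example,dc=com on the standard
    # LDAPS port (636) covers both OUs, but the domain controller answers
    # it with referrals and mod_authnz_ldap logs
    # "[ldap_search_ext_s() for user failed][Operations error]".
    #AuthLDAPURL "ldaps://example.com:636/dc=example,dc=com?sAMAccountName?sub?(objectClass=user)"

    # Working: the Global Catalog on 3269 (3268 for plain LDAP) answers
    # forest-wide searches itself, so one base DN finds users in both
    # ou=CompanyPeople and ou=OtherPeople.
    AuthLDAPURL "ldaps://example.com:3269/dc=example,dc=com?sAMAccountName?sub?(objectClass=user)"

    Require valid-user
</Location>
```

Two caveats when moving to the Global Catalog: it holds only the partial attribute set, so any attribute you later reference in `Require ldap-attribute` must be replicated to the GC (`sAMAccountName` and `userPrincipalName` are), and group membership in the GC is complete only for universal groups, so `Require ldap-group` against a global or domain-local group from another domain may not match. Apache 2.4's mod_ldap also offers `LDAPReferrals Off` to stop chasing the referrals that cause the error on port 636; the post did not test that route, so treat it as an alternative rather than a replacement for the GC port.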


  1. #2 by websites on December 21, 2012 - 2:53 pm

    As a Newbie, I am constantly browsing online for articles that can help me.
    Thank you