Apache LDAP authentication and Active Directory

I needed to authenticate users in Apache against Active Directory using mod_authnz_ldap. Normally I would have set the URL and base DN like this:


In this case, however, the users spanned two different top-level containers or “domains”:


So, I tried setting the base DN to the top level:


but authentication failed with this ugly error in the log:

[ldap_search_ext_s() for user failed][Operations error]

It took some hunting, but I finally found that if you want to query the Active Directory “Global Catalog” (GC) via LDAP, you have to use port 3268 (LDAP) or 3269 (LDAPS) instead of the usual default port 389 (LDAP) or 636 (LDAPS). So, the working URL and base DN are:
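For reference, a mod_authnz_ldap block that queries the Global Catalog over LDAPS, as an added example that is not the configuration from the original post. The host names, DNs, CA file path, service account and protected path are constructed placeholders.

```apache
# Added example. All names below (gc.example.com, DC=example,DC=com,
# svc-apache, the CA path, /protected) are assumed placeholders.

# Trust the CA that issued the domain controllers' certificates and
# refuse connections whose certificate does not verify (mod_ldap,
# server-level directives).
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/example-ad-ca.pem
LDAPVerifyServerCert On

<Location "/protected">
    # Basic auth resends the password with every request, so this
    # location should only be reachable over HTTPS.
    AuthType Basic
    AuthName "Active Directory login"
    AuthBasicProvider ldap

    # The case from the post: a top-level base DN on the default port
    # failed with "Operations error".
    # AuthLDAPURL "ldap://dc1.example.com:389/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"

    # Same base DN against the Global Catalog. 3269 is the GC over TLS;
    # 3268 is the cleartext GC port and would expose the bind password
    # and user credentials on the wire.
    AuthLDAPURL "ldaps://gc.example.com:3269/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"

    # Dedicated low-privilege account used only for the user search.
    # Keep this file readable by root and the Apache user only.
    AuthLDAPBindDN "CN=svc-apache,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"

    Require valid-user
</Location>
```

The Global Catalog holds only a partial, read-only copy of each object, so the attribute named in the URL (here `sAMAccountName`) and any attribute used in `Require` rules must be one that is replicated to the GC.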



  1. #2 by websites on December 21, 2012 - 2:53 pm

    As a Newbie, I am constantly browsing online for articles that can help me.
    Thank you