Dear Wiki user, You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.
The following page has been changed by MattWarren: http://wiki.apache.org/httpd/ScratchPad/ModAuthAndActiveDirectory2003

New page:

mod_auth_ldap has a problem with LDAP referrals as returned by Windows 2003 Active Directory. The AD behavior changed from 2000 to 2003, so a previously working mod_auth_ldap configuration can stop working when the queried AD server is upgraded to 2003. This issue is listed in [http://issues.apache.org/bugzilla/show_bug.cgi?id=26538 Bug 26538]. A patch has been posted there to allow control of how mod_auth_ldap handles referrals by adding an {{{AuthLDAPFollowReferrals}}} config option.

This wiki page is a start at collecting the information threaded from the above bug. It is unclear when or if the referenced patch will be merged into a release.

''Disclaimer: non-expert explanation''

The core problem is that if one queries LDAP on AD at the top, or root, level, the normal process is for the LDAP server to return referrals for the possible sub-tree OU nodes to be searched. The client should then re-query each of those OU nodes. mod_auth_ldap does not follow these referrals, so the search returns no user entry and authentication fails.

== Workaround ==

Beyond building httpd using the patch, there are a few configuration workarounds.

 1. Query the Global Catalog on port 3268. The Global Catalog AD server (a specific role of one Active Directory server in a typical Windows 2003 managed network) will not issue referrals when queried on port 3268.
 1. Don't do queries that will require referrals. To quote from the thread:

{{{
Most of the time this can be worked around by changing the AuthLDAPURL to start
searching deeper down in the tree, thereby avoiding the referrals. eg:

  cn=Users,dc=<DOMAIN>,dc=com
  OR
  ou=something,dc=<DOMAIN>,dc=com

Unfortunately however, when you need to search two OUs, eg:

  ou=A,dc=<DOMAIN>,dc=com
  AND
  ou=B,dc=<DOMAIN>,dc=com

you have no choice but to start search at the top of the tree.
}}}
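The following httpd configuration fragment is an added illustration of the two workarounds above; it is not from the wiki page or the bug thread. The hostname {{{dc1.example.com}}}, the base DN {{{dc=example,dc=com}}}, the bind account and the attribute {{{sAMAccountName}}} are placeholders chosen for the example. The first block is the failing root-level search that triggers referrals; the second and third show the Global Catalog and the narrower-base-DN alternatives.

```apache
# Assumed host, base DN and bind account; replace with your own values.

# (1) FAILS against AD 2003: a search rooted at the domain top returns
#     referrals for child OUs, which mod_auth_ldap does not follow, so the
#     user entry is never found and the request is rejected.
<Location /before>
    AuthType Basic
    AuthName "AD login"
    AuthLDAPURL "ldap://dc1.example.com:389/dc=example,dc=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "cn=httpd-bind,cn=Users,dc=example,dc=com"
    AuthLDAPBindPassword "CHANGE-ME"
    require valid-user
</Location>

# (2) Workaround 1: query the Global Catalog on port 3268. The GC holds a
#     partial replica of the whole forest and answers without referrals, so
#     the same top-level base DN now works. sAMAccountName is replicated to
#     the GC; attributes that are not will not be searchable here.
<Location /gc>
    AuthType Basic
    AuthName "AD login"
    AuthLDAPURL "ldap://dc1.example.com:3268/dc=example,dc=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "cn=httpd-bind,cn=Users,dc=example,dc=com"
    AuthLDAPBindPassword "CHANGE-ME"
    require valid-user
</Location>

# (3) Workaround 2: start the search below the point where referrals are
#     generated. Only users under this OU can authenticate; a second OU would
#     need its own <Location> or the patched AuthLDAPFollowReferrals option.
<Location /ou>
    AuthType Basic
    AuthName "AD login"
    AuthLDAPURL "ldap://dc1.example.com:389/ou=Staff,dc=example,dc=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "cn=httpd-bind,cn=Users,dc=example,dc=com"
    AuthLDAPBindPassword "CHANGE-ME"
    require valid-user
</Location>
```

The bind account only needs read access to the user objects it searches; keep the password out of world-readable config files and restrict the vhost to a separate, least-privileged AD account rather than an administrator.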
