AuthLDAPURL "ldap://mydc.foo.com:389/DC=foo,DC=com?sAMAccountName?sub?(objectClass=user)"
...it won't work. You'll get a weird error:
[warn] [client 10.10.10.1] [14343] auth_ldap authenticate: user my-ldap-acct authentication failed; URI /repo-path [ldap_search_ext_s() for user failed][Operations error]
...and yet, binding or searching from the root works from OpenLDAP, Apache Directory Studio, and myriad other tools.
This appears to be a bug in mod_authnz_ldap.
The workaround? Make sure your DCs all hold the Global Catalog role, and then search on port 3268 instead of port 389 (or 3269 for SSL/TLS).
Works (tested on mod_authnz_ldap v2.2....).
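To catch this before Apache does, here is a small config lint, added here and not part of the original post or of mod_authnz_ldap: it parses an AuthLDAPURL into its RFC 2255 fields (the same host/port/basedn/attribute/scope/filter layout the directive uses), flags a subtree search from a domain root that is not on the Global Catalog port, and rewrites the URL to the GC port for its scheme. The BROKEN URL is the one from the post; FIXED is a constructed expected result.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample input: the directive from the post and its GC-port rewrite.
BROKEN = "ldap://mydc.foo.com:389/DC=foo,DC=com?sAMAccountName?sub?(objectClass=user)"
FIXED = "ldap://mydc.foo.com:3268/DC=foo,DC=com?sAMAccountName?sub?(objectClass=user)"

# Global Catalog ports: 3268 for plain LDAP, 3269 for LDAP over SSL/TLS.
GC_PORTS = {"ldap": 3268, "ldaps": 3269}


def parse_authldapurl(url):
    """Split an AuthLDAPURL (scheme://host:port/basedn?attribute?scope?filter) into fields.
    Defaults follow the mod_authnz_ldap documentation: attribute uid, scope sub, filter (objectClass=*)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in GC_PORTS:
        raise ValueError("unsupported scheme: %s" % scheme)
    # urlsplit keeps everything after the first '?' in .query; LDAP URLs use '?' as a field separator.
    fields = (parts.query.split("?") + ["", "", ""])[:3]
    return {
        "scheme": scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if scheme == "ldaps" else 389),
        "basedn": unquote(parts.path.lstrip("/")),
        "attribute": fields[0] or "uid",
        "scope": (fields[1] or "sub").lower(),
        "filter": fields[2] or "(objectClass=*)",
    }


def is_domain_root(basedn):
    """True when the base DN consists only of DC= components, i.e. it is the domain root."""
    rdns = [r.strip().split("=", 1)[0].upper() for r in basedn.split(",") if r.strip()]
    return bool(rdns) and all(a == "DC" for a in rdns)


def check_ad_search(url):
    """Return findings for the problem in the post; an empty list means the URL is fine."""
    u = parse_authldapurl(url)
    gc_port = GC_PORTS[u["scheme"]]
    if u["scope"] == "sub" and is_domain_root(u["basedn"]) and u["port"] != gc_port:
        return ["subtree search from domain root %s on port %d; use Global Catalog port %d"
                % (u["basedn"], u["port"], gc_port)]
    return []


def fix_authldapurl(url):
    """Rewrite the URL to the Global Catalog port for its scheme, keeping every other field."""
    u = parse_authldapurl(url)
    return "%s://%s:%d/%s?%s?%s?%s" % (u["scheme"], u["host"], GC_PORTS[u["scheme"]],
                                       u["basedn"], u["attribute"], u["scope"], u["filter"])
```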