apache, mod_authnz_ldap, AD and that other port

I was trying to adjust an AuthLDAPURL to include a user from another part of a tree that lived in AD. As part of that I adjusted the basedn by removing to levels of OU pieces from something like:




I tested this with ldapsearch and everything was working well using a single conditional to return the user name.

When I made the change to my apache config and tried the newly included user

I got a server error and the logs contained:

auth_ldap authenticate: user XXXXXX authentication failed; URI /xxxxx.cgi [ldap_search_ext_s() for user failed][Operations error]

I finally stumpled across this post and learned that AD listens on more than one port and depending which port you query you end up with different results.

So I changed the port from the classic 389 to 3268 and everything started to work.

I did a little more digging and compared the output of the ldapsearch runs against each of the ports and found that what seems to be causing the issue is that apache dislikes referrals. They show up when the search is run against 389 but not 3268. It looks like that:

# search reference
ref: ldap://ForestDnsZones.domain.com/DC=ForestDnsZones,DC=domain,DC=com
# search reference
ref: ldap://DomainDnsZones.domain.com/DC=DomainDnsZones,DC=domain,DC=com
# search reference
ref: ldap://domain.com/CN=Configuration,DC=domain,DC=com

Bottom line seems to be that Apache has a hard time with the references ....