Ldap – Apache LDAP (Active Directory) not working

Tags: active-directory, apache-2.4, ldap

I've had some mixed success with Apache and LDAP. First, it is working.. but not entirely.

So, a basic LDAP config, it looks like this:

AuthLDAPBindDN "omitting this"
AuthLDAPBindPassword "passwordyeah!"
AuthLDAPURL "ldap://DOMAIN.COM/ou=stuff,dc=domain,dc=com?userPrincipalName?sub?(objectClass=user)"
LDAPReferrals Off
AuthType Basic
AuthName "Use your email address to connect."
AuthBasicProvider ldap
AuthUserFile /dev/null

This is actually fine. Here's where things get strange. If I put this:

Require user my@email.com

I can authenticate. I can use multiple users, and it's fine.
If I put

Require valid-user 

Authentication doesn't work.
If I try Domain Users (which all users are part of), I get failures.

Require ldap-group CN=Domain Users,CN=Users,DC=DOMAIN,DC=COM

However, if I point to a smaller group, it works.

So, when I authenticate with just require user my@email.com I see this:

AH01697: auth_ldap authenticate: accepting my@email.com

When I put "Require valid-user" I get the exact same message. However, the authentication dialog box comes up repeatedly. Each time, the authentication is successful (according to the logs).

For log purposes: when I require the LDAP group "Domain Users", I get this in the logs:

didn't match with attr member [Comparison false (adding to cache)][5 - Compare False]

(Understand that this group is huge, as well.)
When I use a smaller group, the logs show me success like this:

authorization successful (attribute member) [Comparison true (adding to cache)][6 - Compare True]

I'm just not really sure what is going on here. But I would really like "valid-user" to just work.

Best Answer

I think that the search base ou=stuff,dc=domain,dc=com prevents objects in other containers from being found. Try setting the base to just dc=domain,dc=com.

You can drop the objectclass=user filter too. According to https://msdn.microsoft.com/en-us/library/windows/desktop/ms680857%28v=vs.85%29.aspx userprincipalname is only used in the user class, so it's implicit. In that same page you can read that it's available through the global catalog port, so you can use that instead of the normal LDAP binding (it should be faster).

So your AuthLDAPURL would then be:

AuthLDAPURL ldap://DOMAIN.COM:3268/dc=domain,dc=com?userPrincipalName?sub

Which looks a lot like the example in the 'Using Active Directory' section of the mod_authnz_ldap module: https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html

A last word of caution: you use the domain.com SRV host notation (kudos!), but Apache has no knowledge of AD sites. So if you have several sites and the network latencies are high, you could be querying an LDAP server far away and take a long time to authenticate.
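The answer's point, that the search base in the AuthLDAPURL decides which user objects mod_authnz_ldap can find at all, is easy to check offline. The following script is an added example, not code from the question, the answer or the Apache project: it splits an AuthLDAPURL into the parts mod_authnz_ldap reads (host, port, base DN, attribute, scope, filter, using the module's documented defaults of uid, sub and (objectClass=*)) and then tests whether a given user DN sits inside that base for the configured scope. The function names and the user DNs (Jane Doe in CN=Users, Bob in OU=stuff) are constructed for illustration; the two URLs are the ones from the question and the answer.

```python
"""Check whether user DNs fall under the search base of an Apache AuthLDAPURL.

Added example for the discussion above; helper names and sample DNs are
constructed, not taken from the original post or from mod_authnz_ldap.
"""
import re
from urllib.parse import unquote, urlsplit

# URLs as they appear in the question and in the answer.
QUESTION_URL = "ldap://DOMAIN.COM/ou=stuff,dc=domain,dc=com?userPrincipalName?sub?(objectClass=user)"
ANSWER_URL = "ldap://DOMAIN.COM:3268/dc=domain,dc=com?userPrincipalName?sub"


def parse_auth_ldap_url(url):
    """Split ldap[s]://host[:port]/basedn?attribute?scope?filter into its parts.

    Defaults follow the mod_authnz_ldap documentation: attribute 'uid',
    scope 'sub', filter '(objectClass=*)', port 389 (636 for ldaps).
    """
    parts = urlsplit(url)
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))          # pad missing attr/scope/filter
    attr, scope, filt = fields[:3]
    port = parts.port
    if port is None:
        port = 636 if parts.scheme == "ldaps" else 389
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,                # urlsplit lowercases the host
        "port": port,
        "base": unquote(parts.path.lstrip("/")),
        "attribute": attr or "uid",
        "scope": (scope or "sub").lower(),
        "filter": filt or "(objectClass=*)",
    }


def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]


def normalize_rdn(rdn):
    """Lower-case attribute type and value so DN comparison is case-insensitive."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip().lower()


def user_findable(user_dn, url):
    """True if a search from the URL's base DN with its scope can reach user_dn.

    'sub' reaches the base and everything beneath it; 'one' reaches only
    direct children of the base. (mod_authnz_ldap treats 'base' as 'sub'.)
    """
    cfg = parse_auth_ldap_url(url)
    entry = [normalize_rdn(r) for r in split_dn(user_dn)]
    base = [normalize_rdn(r) for r in split_dn(cfg["base"])]
    under_base = len(entry) >= len(base) and entry[-len(base):] == base
    if cfg["scope"] == "one":
        return under_base and len(entry) == len(base) + 1
    return under_base


if __name__ == "__main__":
    # Constructed sample users: one in the default Users container, one in OU=stuff.
    samples = [
        "CN=Jane Doe,CN=Users,DC=domain,DC=com",
        "CN=Bob,OU=stuff,DC=domain,DC=com",
    ]
    for name, url in (("question", QUESTION_URL), ("answer", ANSWER_URL)):
        cfg = parse_auth_ldap_url(url)
        print(f"{name}: base={cfg['base']} port={cfg['port']} filter={cfg['filter']}")
        for dn in samples:
            print(f"  {dn}: {'found' if user_findable(dn, url) else 'NOT found'}")
```

Run as-is, it reports that Jane Doe (in CN=Users) is unreachable from the question's ou=stuff base but reachable from the answer's dc=domain,dc=com base, while Bob in OU=stuff is reachable from both; that is the difference between "Require user" working for some accounts and a broader rule failing for others.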
