Ldap – Apache LDAP Authentication: Can I bind the user without searching for the DN first

Tags: active-directory, apache-2.2, authentication, ldap, mod-auth-ldap

When doing AuthType Basic authentication against an LDAP server, Apache first binds to search for the DN of the user, then binds with that DN to test the user's password. The challenge is that with AD, you typically can not perform an anonymous bind. So, you have to set AuthLDAPBindDN.

But, I say, I already know the DN! I don't have to bind-search-bind, I can just bind as cn=_username_,OU=Employees,DC=megacorp,DC=com!

This does not appear to be possible, but I thought I would ask: can I convince Apache to skip the bind-and-search-for-DN-to-use-for-bind by simply constructing a DN on the fly, or do I have to talk to the local bureaucracy for a special account with which I may bind to search for the user I wish to authenticate?

Thanks!

-danny

Best Answer

Unfortunately, it seems that mod_auth_ldap insists on building and executing a search instead of just attempting the bind with a DN that you give it. It's in the majority, in my experience; most applications that hit active directory via ldap (as opposed to, say, using the native NT user APIs) would rather search-then-bind instead of just trying to bind.

On the plus side (if you can call it that), a user account with no rights of any kind should satisfy your needs as long as there's nothing hectic going on permissions-wise in your ldap tree; membership in Authenticated Users should be enough to do all your search user needs to do. It can even be stripped out of Domain Users and assigned a different primary group; that should soften up the local bureaucracy a bit.
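The configuration the answer is describing, as an added example that is not part of the original question or answer: an Apache 2.2 mod_authnz_ldap (the 2.2 successor of mod_auth_ldap) virtual directory that does the bind-search-bind against AD using a dedicated low-privilege search account. The host name, OU layout, service account name and password are assumptions; substitute your own.

```apache
# Added example, not from the original post. Apache 2.2 / mod_authnz_ldap.
# Hostnames, DNs, the service account and its password are assumed values.
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

<Location /intranet>
    AuthType Basic
    AuthName "MegaCorp Intranet"
    AuthBasicProvider ldap

    # AD refuses anonymous searches, so Apache needs an account to bind with
    # for the DN lookup. A plain user with no extra rights is enough: as a
    # member of Authenticated Users it can read sAMAccountName under the
    # Employees OU. Never use an admin account here; its password sits in
    # this file in clear text, so keep the file readable by root only.
    AuthLDAPBindDN       "CN=svc-apache-ldap,OU=Service Accounts,DC=megacorp,DC=com"
    AuthLDAPBindPassword "assumed-service-account-password"

    # Format: ldap://host:port/basedn?attribute?scope?filter
    # Step 1: bind as the search account and find the entry whose
    #         sAMAccountName equals the username from the Basic header.
    # Step 2: bind as the DN of that entry with the supplied password.
    # The user's password crosses the wire in that second bind, so in
    # production use ldaps:// (or STARTTLS via LDAPTrustedGlobalCert) and
    # not plain ldap:// as shown here.
    AuthLDAPURL "ldap://dc1.megacorp.com:389/OU=Employees,DC=megacorp,DC=com?sAMAccountName?sub?(objectClass=user)"

    AuthzLDAPAuthoritative on
    Require valid-user
</Location>
```

Before wiring this into Apache, check that the search account can actually find the user from the web server with the same base DN and filter, for example `ldapsearch -x -H ldap://dc1.megacorp.com -D "CN=svc-apache-ldap,OU=Service Accounts,DC=megacorp,DC=com" -W -b "OU=Employees,DC=megacorp,DC=com" "(sAMAccountName=danny)" dn`; if that returns the expected DN, the second bind is just the user's own credentials. AD itself does accept a simple bind with a UPN (user@megacorp.com) or DOMAIN\user instead of a full DN, but mod_authnz_ldap performs the search regardless, so the search account is needed either way.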
