svn / ldap / apache / active directory

We serve Subversion over WebDAV through Apache around these parts, authenticating against Active Directory over LDAP. The Apache config had this line:

AuthLDAPURL ldap://dc.example.com/CN=Users,DC=example,DC=com?sAMAccountName?one?(objectClass=user)

This works with a flat tree, but I recently moved things around and needed the tree to be searched so we moved to:

AuthLDAPURL ldap://dc.example.com/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)

Note that the base DN is now the domain root rather than the Users container, and the scope is ‘sub’ instead of ‘one’.

Unfortunately, everything broke when the change was made. After some experimenting on another box I found that the LDAP client was being tripped up by referrals returned by the LDAP server (Active Directory).

Notes in bug #26538 point to querying the global catalog on port 3268 instead. There was work on an option to ignore referrals, but it doesn’t appear to have been completed.

Instead, I put “REFERRALS off” in /etc/openldap/ldap.conf. Note that I tried /etc/ldap.conf and it didn’t work, and I didn’t bother researching the difference.

It may be worth noting that when I used Wireshark to watch the LDAP requests I saw some references to the DNS zone application partitions, and that is what led me down this road.
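As an added illustration (not code from this post or from Apache), here is a small Python checker that splits an AuthLDAPURL into its RFC 4516 parts using mod_authnz_ldap's documented defaults and flags the two configurations above: a one-level scope that misses nested OUs, and a subtree search from the domain root on the standard port, which is the combination that drew referrals from Active Directory. The function names and the referral heuristic are my own assumptions.

```python
from urllib.parse import unquote, urlsplit

# Hypothetical checker, not part of Apache or mod_authnz_ldap. AuthLDAPURL
# follows the RFC 4516 layout: scheme://host[:port]/basedn?attr?scope?filter
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
GLOBAL_CATALOG_PORTS = {3268, 3269}

# The two URLs from the post, for the stand-alone run below.
URL_ONE = "ldap://dc.example.com/CN=Users,DC=example,DC=com?sAMAccountName?one?(objectClass=user)"
URL_SUB = "ldap://dc.example.com/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"


def parse_auth_ldap_url(url: str) -> dict:
    """Split an AuthLDAPURL into its parts, applying mod_authnz_ldap's defaults."""
    u = urlsplit(url)
    if u.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {u.scheme!r}")
    fields = u.query.split("?") if u.query else []
    fields += [""] * (3 - len(fields))  # pad missing attr / scope / filter
    attr, scope, filt = (unquote(f) for f in fields[:3])
    scope = scope.lower()
    if scope not in ("one", "sub"):  # blank and 'base' both fall back to sub
        scope = "sub"
    return {
        "host": u.hostname,
        "port": u.port or DEFAULT_PORTS[u.scheme],
        "base_dn": unquote(u.path.lstrip("/")),
        "attribute": attr or "uid",
        "scope": scope,
        "filter": filt or "(objectClass=*)",
    }


def referral_risk(url: str) -> list:
    """Return warnings for settings that make AD hand back referrals (or miss users)."""
    p = parse_auth_ldap_url(url)
    rdns = [r.strip().upper() for r in p["base_dn"].split(",") if r.strip()]
    domain_root = bool(rdns) and all(r.startswith("DC=") for r in rdns)
    warnings = []
    if p["scope"] == "sub" and domain_root and p["port"] not in GLOBAL_CATALOG_PORTS:
        warnings.append("subtree search from the domain root on port %d: AD answers with "
                        "referrals to its application partitions (e.g. the DNS zones); "
                        "query the global catalog on 3268/3269 or set 'REFERRALS off' "
                        "in the client ldap.conf" % p["port"])
    if p["scope"] == "one":
        warnings.append("one-level scope: accounts in OUs nested below the base DN are never matched")
    return warnings


if __name__ == "__main__":
    for url in (URL_ONE, URL_SUB):
        print(url, referral_risk(url), sep="\n  ")
```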
