We do the WebDAV SVN/Apache bit around these parts. In the Apache config there’s this line:
AuthLDAPURL ldap://dc.example.com/CN=Users,DC=example,DC=com?sAMAccountName?one?(objectClass=user)
This works with a flat tree, but I recently moved things around and needed the tree to be searched so we moved to:
AuthLDAPURL ldap://dc.example.com/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)
Note that we’re not looking in the Users container anymore, and ‘one’ is now ‘sub’.
Unfortunately, everything broke when the change was made, so I played around with it for a bit on another box and found that the LDAP client was getting confused by the referrals the LDAP server (Active Directory) was returning.
Notes in bug #26538 point to using the global catalog instead, on port 3268. There was work on building an option to ignore referrals, but it looks like it never got made.
Instead, I put “REFERRALS off” in /etc/openldap/ldap.conf. Note that I tried /etc/ldap.conf and it didn’t work, and I didn’t bother researching the difference.
It may be worth noting that when I used Wireshark to monitor the LDAP requests I saw some references to the DNS zone application partitions, and that led me down this road.
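As an added example (not from the original post), a small Python check for this exact misconfiguration: it parses an Apache AuthLDAPURL and flags a ‘sub’ scope rooted at a bare DC= base when the URL is not pointed at the global catalog port 3268 named above. The helper names are my own, and the defaults for omitted attribute/scope/filter follow the mod_authnz_ldap documentation.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

GLOBAL_CATALOG_PORT = 3268  # AD global catalog; the post's bug #26538 points here


@dataclass
class AuthLDAPURL:
    host: str
    port: int
    base_dn: str
    attribute: str
    scope: str
    filter: str


def parse_auth_ldap_url(url: str) -> AuthLDAPURL:
    """Parse ldap[s]://host[:port]/basedn?attribute?scope?filter (AuthLDAPURL syntax)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    base_dn = unquote(parts.path.lstrip("/"))
    # Apache separates the trailing fields with '?', so split the query on '?' ourselves.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, ldap_filter = fields[:3]
    # mod_authnz_ldap defaults: attribute uid, scope sub, filter (objectClass=*)
    return AuthLDAPURL(parts.hostname, port, base_dn, attribute or "uid",
                       scope or "sub", unquote(ldap_filter) or "(objectClass=*)")


def is_domain_root(base_dn: str) -> bool:
    """True when every RDN is DC=..., i.e. the base is the domain naming context itself."""
    rdns = [r.strip() for r in base_dn.split(",") if r.strip()]
    return bool(rdns) and all(r.upper().startswith("DC=") for r in rdns)


def referral_risk(url: AuthLDAPURL) -> list[str]:
    """Flag the combination the post describes: a subtree search from the domain root on a
    non-GC port, where AD hands back referrals (e.g. to the DNS application partitions)."""
    warnings = []
    if url.scope == "sub" and is_domain_root(url.base_dn) and url.port != GLOBAL_CATALOG_PORT:
        warnings.append(
            f"scope=sub from domain root {url.base_dn} on port {url.port}: AD will return "
            f"referrals; query the global catalog on port {GLOBAL_CATALOG_PORT} or set "
            f"'REFERRALS off' in the client-side ldap.conf (this affects every LDAP client on the box)")
    return warnings


def check(url: str) -> list[str]:
    """Convenience wrapper: parse a raw AuthLDAPURL and return its warnings."""
    return referral_risk(parse_auth_ldap_url(url))
```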