Posted to wiki-changes@httpd.apache.org by Apache Wiki <wi...@apache.org> on 2007/05/23 22:56:36 UTC

[Httpd Wiki] Trivial Update of "ScratchPad/ModAuthAndActiveDirectory2003" by ChrisPepper

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The following page has been changed by ChrisPepper:
http://wiki.apache.org/httpd/ScratchPad/ModAuthAndActiveDirectory2003

The comment on the change is:
Typo

------------------------------------------------------------------------------
  
  This issue is listed in [http://issues.apache.org/bugzilla/show_bug.cgi?id=26538 Bug 26538]. A patch has been posted there to allow control of how mod_auth_ldap handles referrals by adding a {{{AuthLDAPFollowReferrals}}} config option. This wiki page is a start at collecting the information threaded from the above bug. It is unclear when or if the referenced patch will be merged into a release.
  
- ''Disclaimer: non-expert explination''
+ ''Disclaimer: non-expert's explanation''
- The core problem is that if one queries LDAP on AD at a top, or root, level the normal process is for the LDAP server to return referrals for the possible sub-tree OU nodes to be searched. The client should then re-query each of OU nodes. Mod_auth_ldap does not follow these referals.
+ The core problem is that if one queries LDAP on AD starting at at top ("root") of the directory tree, the normal process is for the LDAP server to return referrals for the possible sub-tree OU nodes to be searched. The client should then re-query each OU nodes as necessary. Mod_auth_ldap does not follow these referals.
  
  == Workaround ==
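Review bot: the added line for the core-problem paragraph introduces new errors while fixing others. "starting at at top" repeats "at" and should read "starting at the top", "each OU nodes" should be "each OU node", and the final word is still spelled "referals" even though the same sentence spells it "referrals" earlier. The change comment is "Typo", so these belong in the same edit.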
- Beyond building httpd using the patch, there are a few configuration workaround. 
+ Aside from building httpd using this patch, there are a few configuration workarounds. 
  
    1. Query the Global Catalog on port 3268. The Global Catalog AD server (a specific role of one Active Directory server in a typical Windows 2003 managed network) will not issue referrals when queried on port 3268. 
  
    1. Don't do queries that will require referals. 
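Review bot: the second workaround item is left unchanged and still reads "referals", while the Global Catalog item above it uses "referrals". Correct the spelling here so the list is consistent, and drop the trailing space kept at the end of the rewritten "Aside from building httpd using this patch" line.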
  
- To quote from the thread:
+ To quote from the bug report commentary:
    {{{
  Most of the time this can be worked around by changing the AuthLDAPURL to start
  searching deeper down in the tree, thereby avoiding the referrals.