LDAP authentication vs. AD: problems with referrals
I was having difficulties setting up Lighttpd to authenticate users against a Windows 2008 domain controler (LDAP). Anonymous browsing is not permitted, but I'm not sure if that changes anything.
By default, the ldap_search_ext_s function, which is used in mod_authn_ldap_search, will follow LDAP refferals. The referral queries seem to be done anonymously, regardless if the first bind was authenticated (ref. ldap_set_option(3)).
In my case, the first, authenticated ldap search will succeed in finding the one user object that is expected, but the subsequent binds initiated to follow referrals fail. Even if not because of the failed binding, there wouldn't be a matching object in the referral scopes, and I expect that would be the case for most configurations in this context.
Because of the way LDAP authentication is currently (as of 1.4.48) implemented in mod_authn_ldap, the last referral query, resulting in either an error or empty result, seems to take over the first successful reply.
I fail to see a good reason to enable the following of LDAP referrals here, so disabling referral tracking by setting the following in mod_authn_ldap_host_init seems to solve the issue:
ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
Also available in: Atom