How to log in with Apache against an LDAP domain server using a multivalued attribute?


I am making the Apache server authenticate users in my company using the LDAP domain server we have.

In principle, I was planning to use the attribute of the email account (mail) as login, which in the Apache configuration file would look like this:

AuthType Basic
AuthName "Authentication system: please insert e-mail and password"
AuthBasicProvider ldap
LDAPReferrals default
AuthLDAPURL ldap://host:port/basedn?mail?sub?(objectClass=user)
AuthLDAPBindDN "CN=usrbind,CN=Users,DC=company,DC=es"
AuthLDAPBindPassword usrbindpassword
Require valid-user

In this way, Apache is able to correctly authenticate users.

The issue is that in this company each worker has several email accounts (some more, others fewer, almost all differentiated by domain), and now the user wants to be able to log in with any of those emails, not only with the main one that is in the mail attribute.

On the LDAP server, we have an attribute called proxyAddresses that contains all the emails associated with each user. It is a multivalued attribute (each mail is a value). If I change the LDAP URL in the configuration file to this:

AuthLDAPURL ldap://host:port/basedn?proxyAddresses?sub?(objectClass=user)

I can no longer log in. It cannot find the user.

Why is this? Is it not possible to authenticate a user against LDAP using a multivalued attribute, even if it is unique (no one else has any of my various emails)? And if it is possible, how is it done? What am I doing wrong?


I think it is not exactly what you are looking for, but maybe it can help you: Authentication in Apache with Windows Active Directory
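
An added illustration, not part of the original question or answer and not Apache's own code: mod_authnz_ldap combines the AuthLDAPURL filter and attribute with the typed login into (&(filter)(attribute=username)), and an equality match succeeds when any single value of a multivalued attribute equals the login. The entry below is constructed and assumes Active Directory's convention of storing proxyAddresses values with an SMTP:/smtp: prefix, which is why the bare address finds nobody; the function names are hypothetical.

```python
# Simplified model of the user search; sample data is constructed, not from the page.

def escape_filter_value(value):
    """Escape the RFC 4515 special characters in a user-supplied login."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)

def build_filter(base_filter, attribute, username):
    """Combine the AuthLDAPURL filter and attribute with the typed login."""
    return "(&%s(%s=%s))" % (base_filter, attribute,
                             escape_filter_value(username))

def entry_matches(entry, attribute, username):
    """Equality match: true if ANY value of the attribute equals the login.
    Modelled as case-insensitive, as for an AD Unicode string attribute."""
    return any(v.lower() == username.lower()
               for v in entry.get(attribute, []))

# Constructed entry. Assumption: the directory is Active Directory, where
# proxyAddresses carries an address-type prefix ("SMTP:" marks the primary
# address, "smtp:" the secondary ones).
ENTRY = {
    "objectClass": ["top", "person", "user"],
    "mail": ["ana@company.es"],
    "proxyAddresses": ["SMTP:ana@company.es",
                       "smtp:ana@company.com",
                       "smtp:a.garcia@company.org"],
}

def can_find_user(attribute, login):
    """Would the search for this login return the constructed entry?"""
    return entry_matches(ENTRY, attribute, login)

if __name__ == "__main__":
    attempts = [("mail", "ana@company.es"),
                ("proxyAddresses", "ana@company.com"),
                ("proxyAddresses", "smtp:ana@company.com")]
    for attr, login in attempts:
        verdict = "found" if can_find_user(attr, login) else "not found"
        print(build_filter("(objectClass=user)", attr, login), "->", verdict)
```

Dumping one user's proxyAddresses values from the directory confirms whether the stored strings carry such a prefix before changing the Apache configuration.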
