After spending several hours of debugging into an Apache Active Directory LDAP authentication issue, I finally found the hint I was looking for. The error I was constantly getting in the error.log was:
[debug] mod_authnz_ldap.c(379): [client 192.168.182.23] [29481] auth_ldap authenticate: using URL ldap://dc001.mydomain.local:389/DC=mydomain,DC=local?sAMAccountName?sub?(objectClass=*)
[info] [client 192.168.182.23] [29481] auth_ldap authenticate: user tuxevara authentication failed; URI / [ldap_search_ext_s() for user failed][Operations error]
and regarding to some other sites [ldap_search_ext_s() for user failed][Operations error] must be related to authnz_ldap not handling referrals. The solution to this was just too obvious: Changing the LDAP port to 3268 (Global Catalog) solved it.
Here is the content of the htaccess file only grants access to members of a specific group:
AuthBasicProvider ldap
AuthType Basic
AuthName "Protected"
AuthLDAPURL "ldap://dc001.mydomain.local:3268/DC=mydomain,DC=local?sAMAccountName?sub?(objectClass=*)"
AuthzLDAPAuthoritative on
AuthLDAPBindDN "svc-apache@mydomain.local"
AuthLDAPBindPassword "thisissupposedtobesecret"
AuthLDAPGroupAttributeIsDN on
require ldap-group CN=Support,OU=Groups,DC=mydomain,DC=local
