
Authenticate Apache 2 using Mac OS X Open Directory OS X Server
I have successfully made Apache 2.2 use the accounts in our Mac OS X Open Directory, instead of a flat text file. I found that the DN (distinguished name) needed an extra element on the front, uid=. But all the examples I had been finding on the web used a DN of this form:
cn=user1,dn=example,dn=com
Once I added uid=USERNAME on the front, and omitted the cn= part, it worked fine:
uid=user1,dn=example,dn=com
I found this out by using the command-line tool ldapsearch:
ldapsearch -h server1.geo.vuw.ac.nz -x -b \
'dc=geo,dc=vuw,dc=ac,dc=nz' '(uid=testaccount1)'
The output line starting with dn: told me all I needed to know:
dn: uid=testaccount1,cn=users,dc=geo,dc=vuw,dc=ac,dc=nz
Here are the directives from my httpd.conf:
AuthType Basic
AuthName "Testing of LDAP auth"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on 
AuthLDAPBindDN uid=testaccount1,cn=users,dc=geo,dc=vuw,dc=ac,dc=nz 
AuthLDAPBindPassword [plaintext password for user 'testaccount1']
AuthLDAPURL ldap://server1.geo.vuw.ac.nz/dc=geo,dc=vuw,dc=ac,dc=nz
require valid-user
And here are some of the other relevant details:
  • Server platform: Mac Mini, Mac OS X 10.4.0 (not Server version)
  • Webserver: Apache 2.2.6, built from source.
  • Browser client used for testing: Safari 2.0.4, Mac OS X 10.4.10, Intel iMac
  • Apache build configured like so:

    ./configure --enable-dav \
    --enable-authnz-ldap \
    --enable-ldap \
    --enable-so \
    --enable-vhost-alias \
    --with-ldap \
    --enable-ssl \
    --enable-rewrite \
    --enable-expires
Now I just want to find out how to avoid having to use a plaintext password in httpd.conf. Hope this helps!
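
The lookup described above, reading the dn: line out of ldapsearch output, as an added shell example that is not part of the original hint. The function names are hypothetical and the sample LDIF is constructed from the values shown in the hint; the parser also handles two cases a quick read of the output can miss, folded lines and base64-encoded dn:: values (assumes a base64 command that accepts -d).

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# LDIF wraps long lines: a continuation starts with one space and is
# appended to the previous line with that space dropped.
unfold_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (NR > 1) print buf; buf = $0 }
         END { if (NR > 0) print buf }'
}

# Print one DN per entry read from stdin. "dn: " carries plain text,
# "dn:: " carries base64 (non-ASCII DNs). Assumes base64 accepts -d.
extract_dn() {
    unfold_ldif | while IFS= read -r line; do
        case $line in
            "dn:: "*) printf '%s' "${line#dn:: }" | base64 -d; printf '\n' ;;
            "dn: "*)  printf '%s\n' "${line#dn: }" ;;
        esac
    done
}

# Emit the httpd.conf directive for the first DN found, quoted so a DN
# containing spaces stays a single argument.
bind_dn_directive() {
    dn=$(extract_dn | head -n 1)
    [ -n "$dn" ] || { echo "no dn: line in input" >&2; return 1; }
    printf 'AuthLDAPBindDN "%s"\n' "$dn"
}

# Constructed ldapsearch output: the DN from the hint, folded the way
# LDIF folds long lines.
sample_ldif() {
    cat <<'EOF'
# extended LDIF
# testaccount1, users, geo.vuw.ac.nz
dn: uid=testaccount1,cn=users,dc=geo,
 dc=vuw,dc=ac,dc=nz
uid: testaccount1

EOF
}

sample_ldif | bind_dn_directive
```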