Today I worked on our new SVN server. I wanted it to do authentication to our AD and to an AD group. I created the AD group, stuck my users in it, and swapped out the "Require valid-user" with Require ldap-group DN=foo,OU=Bar,DC=Myco,DC=Local.
It didn't work.
So I fired up Wireshark and the ldap DN compareRequest was failing. wtf?!
So I fired up my handy-dandy LdapAdmin tool and pointed it at the ldap server and...
At this point I should mention that my Apache ldap configuration is pointed at the Global Catalog port, not the regular LDAP port.
... the ldap browser showed there were NO members in the group. I verified they were in there via the AD users and computers tool, but not in the Global Catalog server.
Why you ask? Because Global and Domain Local group memberships are NOT replicated to the Global catalogs. The fix is to either a.) connect to the true ldap port in AD or b.) convert the group to a universal group.
I chose b.