mod-vhost-ldap is an Apache 2.x module for storing and configuring virtual hosts from LDAP. It supports DocumentRoot, ScriptAlias, ServerName, ServerAlias, ServerAdmin, and SuexecUserGroup directives. It's built on top of mod_ldap, so it uses its caching capabilities and can be used with a threaded Apache httpd.

mod_ldap warning

There are several moderately critical bugs in mod_ldap in 2.0.54. If you want to use this module in production you should be aware of:


You can download latest release.

Source Code

Source code is stored in Git. Read-only git repository can be found at:



VhostLDAPBindDN Directive

An optional DN used to bind to the server when searching for entries. If not provided, mod_vhost_ldap will use an anonymous bind.

VhostLDAPBindPassword Directive

A bind password to use in conjunction with the bind DN. Note that the bind password is probably sensitive data, and should be properly protected. You should only use the VhostLDAPBindDN and VhostLDAPBindPassword if you absolutely need them to search the directory.

VhostLDAPDereferenceAliases Directive

This directive specifies when mod_vhost_ldap will de-reference aliases during LDAP operations. The default is always.

VhostLDAPFallback Directive

Set to default virtual host which will be used when requested virtual host is not found by mod_vhost_ldap in LDAP database.

VhostLDAPUrl Directive

An RFC 2255 URL which specifies the LDAP search parameters to use. The syntax of the URL is


For regular ldap, use the string ldap. For secure LDAP, use ldaps instead. Secure LDAP is only available if Apache was linked to an LDAP library with SSL support.


The name/port of the ldap server (defaults to localhost:389 for ldap, and localhost:636 for ldaps). To specify multiple, redundant LDAP servers, just list all servers, separated by spaces. mod_vhost_ldap will try connecting to each server in turn, until it makes a successful connection.

Once a connection has been made to a server, that connection remains active for the life of the httpd process, or until the LDAP server goes down.

If the LDAP server goes down and breaks an existing connection, mod_vhost_ldap will attempt to re-connect, starting with the primary server, and trying each redundant server in turn. Note that this is different than a true round-robin search.


The DN of the branch of the directory where all searches should start from. At the very least, this must be the top of your directory tree, but could also specify a subtree in the directory.


The attribute to search for. Don't change search attributes in mod_vhost_ldap or you will break module.


The scope of the search. Can be either one or sub. Note that a scope of base is also supported by RFC 2255, but is not supported by this module. If the scope is not provided, or if base scope is specified, the default is to use a scope of sub.


A valid LDAP search filter. If not provided, defaults to (|(apacheServername=vhost)(apacheServerAlias=vhost)). Filters are limited to approximately 8000 characters (the definition of MAX_STRING_LEN in the Apache source code). This should be than sufficient for any application. Don't change filter unless you know what you are doing.

EnableVhostLDAP Directive

Set to off to disable mod_vhost_ldap in certain virtual hosts. This is useful if you have mod_vhost_ldap enabled at or near the top of your tree, but want to disable it completely in certain virtual hosts.

NOTE: Due method which apache uses to choose virtual host (ServerName and ServerAlias) only first virtual host for particular IP address will be used by Apache.


Year 2005, Version 0.2.x

Version 0.2.x development was funded by ACTIVE 24 as a part of global european webhosting project.

Year 2010, Version 2.0.0

Version 2.0.0 development was kindly sponsored by Advantage Interactive for their webhosting brand LCN.

Autor Ondřej Surý