--- auth.php.orig   2015-05-18 00:16:05.298179556 +0100
+++ auth.php    2015-05-18 00:33:34.622177357 +0100
@@ -52,7 +52,7 @@
                throw new RackTablesError ('', RackTablesError::NOT_AUTHENTICATED);
            $remote_username = $_SERVER['PHP_AUTH_USER'];
            break;
-       case 'httpd' == $user_auth_src:
+       case ('httpd' == $user_auth_src) or ('httpdldap' == $user_auth_src):
            if
            (
                ! isset ($_SERVER['REMOTE_USER']) or
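Review bot: The widened `case` makes `httpdldap` take the user's identity from `$_SERVER['REMOTE_USER']` exactly as `httpd` does, and nothing near the label documents that trust. I would add a comment above it such as `// httpdldap: identity is asserted by the web server via REMOTE_USER; LDAP is consulted only for attributes and groups, never to check a password`. A deployment whose web server does not enforce authentication on this path gets no password check at all in this mode. The `if` condition continues outside the hunk, so the remaining REMOTE_USER checks cannot be reviewed here.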
@@ -97,9 +97,9 @@
            if (authenticated_via_database ($userinfo, $_SERVER['PHP_AUTH_PW']))
                return; // success
            break; // failure
-       case 'ldap' == $user_auth_src:
+       case ('ldap' == $user_auth_src) or ('httpdldap' == $user_auth_src):
            $ldap_dispname = '';
-           if (! authenticated_via_ldap ($remote_username, $_SERVER['PHP_AUTH_PW'], $ldap_dispname))
+           if (! authenticated_via_ldap ($remote_username, (isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : ''), $ldap_dispname))
                break; // failure
            $remote_displayname = strlen ($userinfo['user_realname']) ? // local value is most preferred
                $userinfo['user_realname'] :
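Review bot: The `''` fallback in the `authenticated_via_ldap` call applies to the plain `ldap` source as well as `httpdldap`, so a missing `PHP_AUTH_PW` can now reach the LDAP bind as an empty password. Many directory servers treat a bind with a DN and an empty password as an unauthenticated bind and report success. An earlier check may already reject a missing password for `ldap`, but that is not visible in this hunk, so I would make the failure explicit before the call: `if ('ldap' == $user_auth_src and (! isset ($_SERVER['PHP_AUTH_PW']) or ! strlen ($_SERVER['PHP_AUTH_PW']))) break; // failure`. The case body continues outside the hunk.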
@@ -465,7 +465,7 @@
 //
 function queryLDAPServer ($username, $password)
 {
-   global $LDAP_options;
+   global $LDAP_options, $user_auth_src;

    if(extension_loaded('ldap') === FALSE)
        throw new RackTablesError ('LDAP misconfiguration. LDAP PHP Module is not installed.', RackTablesError::MISCONFIGURED);
@@ -531,7 +531,23 @@
    }
    else
        throw new RackTablesError ('LDAP misconfiguration. Cannon build username for authentication.', RackTablesError::MISCONFIGURED);
-   $bind = @ldap_bind ($connect, $auth_user_name, $password);
+
+    // With httpdldap, we took the username from the webserver, but we have no password
+    // so reconnect with the search_bind_* details to find the user's group membership
+    if ('httpdldap' == $user_auth_src) {
+        if (
+            !isset ($LDAP_options['search_bind_rdn']) or
+            !strlen ($LDAP_options['search_bind_rdn']) or
+            !isset ($LDAP_options['search_bind_password']) or
+            !strlen ($LDAP_options['search_bind_password'])
+        ) {
+            throw new RackTablesError ('To use httpdldap auth, you must specify search_bind_rdn and search_bind_password.', RackTablesError::MISCONFIGURED);
+        }
+        $bind = @ldap_bind ($connect, $LDAP_options['search_bind_rdn'], $LDAP_options['search_bind_password']);
+    } else {
+        $bind = @ldap_bind ($connect, $auth_user_name, $password);
+    }
+
    if ($bind === FALSE)
        switch (ldap_errno ($connect))
        {
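Review bot: In the `httpdldap` branch a failed service-account bind falls into the same `if ($bind === FALSE)` switch as a failed user bind. That switch continues outside the hunk; if it maps an invalid-credentials error to an ordinary login failure, a wrong `search_bind_password` would look like users failing to authenticate rather than a configuration fault. I would handle it inside the branch, right after the bind: `if ($bind === FALSE) throw new RackTablesError ('LDAP misconfiguration. httpdldap search bind failed.', RackTablesError::MISCONFIGURED);`. The added comment should also state that `$password` is ignored in this mode, so a successful return from `queryLDAPServer` no longer means the user's password was verified.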

