require valid-user != require ldap-user

Posted Mon 19 Dec 2011 10:32:03 PM CET

Apache authnz_ldap is so braindead. It offers a "require ldap-user" directive which expects a list of users after it. Nothing forces you to actually enter one, and leaving the list out renders the whole authentication void, because there is no user who could possibly satisfy the authentication request. If you want to accept ANY user in the LDAP, use "require valid-user". A bare "require ldap-user" fails with an obscure LDAP protocol error because the authnz module has no list of usernames to pass to the LDAP server. Hard to debug, hard to find. Broken software. Usability broken by design.
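A small config check for the mistake described above, added here as an example and not part of the original post: it scans Apache configuration text for a "require ldap-user" that has no user list and reports the line and the enclosing section. The sample configuration, including the LDAP URL and paths, is constructed for illustration, and the function names are hypothetical.

```python
# Constructed sample config; host names, paths and users are placeholders.
SAMPLE_CONF = """\
<Directory "/srv/www/private">
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.org/ou=people,dc=example,dc=org?uid"
    # no user list follows: nobody can satisfy this
    Require ldap-user
</Directory>
<Location "/wiki">
    require ldap-user \\
        alice bob
</Location>
<Location "/any">
    Require valid-user
</Location>
"""

def logical_lines(text):
    """Yield (first_line_no, joined_line), joining trailing-backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None
    if start is not None:  # file ended in the middle of a continuation
        yield start, buf.strip()

def find_empty_ldap_user(text):
    """Return [(line_no, enclosing_section)] for each Require ldap-user without names."""
    findings, stack = [], []
    for no, line in logical_lines(text):
        if not line or line.startswith("#"):  # comments must start the line
            continue
        if line.startswith("</"):
            if stack:
                stack.pop()
        elif line.startswith("<"):
            stack.append(line.strip("<>"))
        else:
            words = line.split()
            if [w.lower() for w in words] == ["require", "ldap-user"]:
                findings.append((no, stack[-1] if stack else "(server config)"))
    return findings

if __name__ == "__main__":
    for no, section in find_empty_ldap_user(SAMPLE_CONF):
        print(f"line {no}: 'Require ldap-user' without users in <{section}>")
```
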