Authenticating Apache HTTPd against multiple LDAP servers with expired accounts
Solution 1:
The AuthzLDAPAuthoritative off
directive will let authentication fall through to the next module only if the user cannot be matched to a DN in the query. Currently even though the user is expired, it seems that their account will still be returned as a result when the LDAP query is performed.
I don't know enough about the ActiveDirectory LDAP schema to give a definite answer here, but if you could add a filter to your AuthLDAPURL
directive that filters out expired accounts it should result in the username not matching any DN in the query. This should result in the authentication falling through to the next module.