I'm not an expert on LDAP so I don't know if the differences between the Apache config and your command-line version are relevant? (In particular, -D "DOMAIN\user_id" -W vs. AuthLDAPBindDN "CN=user_id,DC=DOMAIN,DC=com".) mod_authnz_ldap also has a whole bunch more configuration options. Anyway, since you don't appear to be using an encrypted LDAP connection (?), could you try just sniffing it using Wireshark or tcpdump and compare what Apache is doing with what ldapsearch is doing.