python-ldap vs. Active directory

Jens Vagelpohl jens at dataflake.org
Sun May 22 14:16:21 CEST 2005


On May 21, 2005, at 23:26, Michael Ströder wrote:
>> I was getting the exact same error. I fixed the problem by explicitly
>> disabling referral chasing in the OpenLDAP client libraries (for my
>> purposes, I didn't care about referrals).
>>
>> Before you call ldap.initialize, try:
>>
>> ldap.set_option(ldap.OPT_REFERRALS, 0)
>>
>
> This is good advice since IIRC the OpenLDAP libs chase referrals doing
> an anonymous bind. Therefore it's definitely better to get the search
> references (check the result type). Sort them out or chase the  
> referrals
> in your Python application.

For what it's worth, a long time ago I had the same problems with the  
LDAPUserFolder Zope product against AD. Among the resultset returned  
by a query there would always be one record that made everything  
barf. The (not very clean) workaround has been to special-case that  
record and discard it. It is a AD-specific referral.

Another solution has been to connect to the "Global Catalog" port or  
somesuch thing. This port apparently gives you a view on the data  
contained in a forest of AD server instances as one single entity, as  
opposed to single AD instances handing back references to other AD  
instances where a record may be found.

jens






More information about the python-ldap mailing list