[python-ldap] Querying Active Directory excessively slower than querying eDirectory

Thorsten Kampe thorsten at thorstenkampe.de
Tue May 17 17:10:11 CEST 2011

* Michael Ströder (2011-05-17 16:54 +0200)
> Thorsten Kampe wrote:
> > * Cornelius Kölbel (2011-05-17 14:55 +0200)
> >> Am 17.05.2011 14:34, schrieb Thorsten Kampe:
> >>> In the Active Directory case it is the root of the domain partition
> >>> (/dc=conto
> >>> so,dc=com) in the eDirectory case it is the root of the tree. But that
> >>> shouldn't matter since the response with the query data comes within
> >>> sixty milliseconds. The filter is the default ((objectClass=*)).
> > 
> >> I do not know eDirectory that good.
> >> But in Active Directory you will also find the configuration partition
> >> underneath dc=contoso,dc=com, where you might habe no read access!
> >> Maybe this slows some things down?
> >> Do you also get slow results when using another search base like
> >>    ou=myOrga,dc=contoso,dc=com ?
> > 
> > As I wrote, this is not a connectivity issue. AD and eDir return the
> > result over the network within less than a tenth of a second.
> Cornelius gives a valuable hint (as I did before) because of the
> referrals
> returned by MS AD (e.g. for the configuration partition). Please re-read
> my
> message and try turning off automatic referral chasing.
> connection.set_option(ldap.OPT_REFERRALS,0)

That solves the issue, thanks.

Please note that "hints" are only useful if the "hinted one" is on the
same level knowledgewise as the one who gives the hint. I did not know
that python-ldap actively tries to follow the referrals and I did not
know how to turn it off. I wasn't even aware of the connection attempts
since I filtered on port 50385 and not on 389.


More information about the python-ldap mailing list