
I'll try to include as much detail as possible but consider this situation:

For privacy concerns, let's say I have an Active Directory infrastructure like the following:

microsoft.com
and some child domains:
csharp.microsoft.com
vb.microsoft.com

All user accounts are stored at microsoft.com.

I start out my code with the following:

import ldap
ldap.set_option(ldap.OPT_REFERRALS,0)
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,ldap.OPT_X_TLS_NEVER)

(I know I should probably have a certificate for the domain, but what can you do)

I then make a connection like the following:

conn = ldap.initialize("ldaps://microsoft.com:636")
conn.simple_bind_s("user","pass")

In my script I am searching for a user account, and I use the following search:

result_id = conn.search("DC=microsoft,DC=com",
                        ldap.SCOPE_SUBTREE,
                        "(&(CN=gates)(!(objectClass=contact)))",
                        None)
result_type,result_data = conn.result(result_id,0)

OK, great, so this works... most of the time.
When it does work I get something to the effect of:

[("CN=gates,OU=Users,DC=microsoft,DC=com", {'sAMAccountName': ['gates']})]

However, it seems at random, that I will get results like the following:

[(None, ['ldaps://csharp.microsoft.com/DC=csharp,DC=microsoft,DC=com'])]

While the result makes sense - gates does not exist at csharp.microsoft.com, he exists at the microsoft.com DC - it is still very puzzling because I am under the impression that setting OPT_REFERRALS to 0 will tell the Python LDAP module to NOT use referrals. To make things more interesting, I also sometimes get results like the following:

[(None, ['ldaps://ForestDnsZones.microsoft.com/DC=ForestDnsZones,DC=microsoft,DC=com'])]

So my question - is there anything I'm doing wrong?

Also, it has been suggested that if I use a search path like "OU=Users,DC=microsoft,DC=com" instead of just searching from the root ( "DC=microsoft,DC=com" ) that the LDAP client module will not attempt to use referrals - is this accurate?

Edit

The issue turned out to not be LDAP related but rather a WSGI misconfiguration. Using WSGIDaemonProcess solved the cross-contamination issue we were experiencing.

Natalie Adams



Setting ldap.OPT_REFERRALS to 0 tells the server not to "chase" referrals, i.e. not to resolve them.

Results with None as the first element are the server's way of telling you "this is a referral, but you told me not to chase it down." At least that's my understanding.

If you don't want referrals, just ignore results with a first element of None.

John Gordon
  • That's what I have read in different articles; however, there only seems to be one reply - the referral. If I ignored that result, then naturally there would be no results. Perhaps I'm using the wrong methods? – Natalie Adams Mar 02 '12 at 01:54
  • Is there a load-balancer on the server you're connecting to? Perhaps that could be the issue. – John Gordon Mar 02 '12 at 03:13
  • There is a load balancer involved, but it shouldn't be affecting LDAP systems as it is designed to load balance between two LAMP servers. The LDAP query could be coming from one of those two LAMP servers to one of two AD servers (the two AD servers each have an A record for Microsoft.com). – Natalie Adams Mar 02 '12 at 20:05
  • Can you connect directly to the two LAMP servers instead of going through the load balancer? If so, try your code on both servers and see what results you get. (My suspicion is that one of the servers is returning the "good" results and the other server is returning the referrals.) – John Gordon Mar 02 '12 at 21:36
  • After about a week's worth of debugging, we found an issue which could be the problem. These LDAP calls were coming from a Django application using WSGI. After some hair-pulling debugging, it looks like we are experiencing cross-contamination of environment variables. The LDAP connect credentials and search paths are stored in environment variables. I'll update my original question when I get more information. – Natalie Adams Mar 03 '12 at 05:14
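The filtering the answer suggests, written out as an added example (not code from the question, the answer, or python-ldap itself). The result messages are constructed to mimic the question's output, and the python-ldap result-type codes are defined locally so the example runs without the library installed; it also shows why a single conn.result(msgid, 0) call can return nothing but the referral.

```python
# python-ldap result-type codes (values from the ldap module), defined
# locally so the example runs without the library installed.
RES_SEARCH_ENTRY = 100
RES_SEARCH_RESULT = 101
RES_SEARCH_REFERENCE = 115

def split_results(result_data):
    """Split one result_data list into (entries, referral_urls).

    With OPT_REFERRALS=0 the client does not follow referrals, so the
    server's search references surface as (None, [url, ...]) tuples
    next to real (dn, attrs) entries. Leaving them unchased also means
    the client never opens a connection to whatever host the URL names.
    """
    entries, referrals = [], []
    for dn, payload in result_data:
        if dn is None:
            referrals.extend(payload)
        else:
            entries.append((dn, payload))
    return entries, referrals

def drain_search(messages):
    """Consume (result_type, result_data) messages the way repeated calls
    to conn.result(msgid, 0) hand them out, one message per call, until
    the terminating RES_SEARCH_RESULT.

    A single conn.result(msgid, 0) call returns only the first message,
    which on a multi-domain AD forest is often a referral; looping until
    the final message recovers the entries sent after it.
    """
    entries, referrals = [], []
    for result_type, result_data in messages:
        if result_type == RES_SEARCH_RESULT:
            break
        found, refs = split_results(result_data)
        entries.extend(found)
        referrals.extend(refs)
    return entries, referrals

# Constructed sample: the message sequence a subtree search from the
# forest root might produce, with the child-domain referral arriving first.
SAMPLE_MESSAGES = [
    (RES_SEARCH_REFERENCE,
     [(None, ['ldaps://csharp.microsoft.com/DC=csharp,DC=microsoft,DC=com'])]),
    (RES_SEARCH_ENTRY,
     [('CN=gates,OU=Users,DC=microsoft,DC=com', {'sAMAccountName': ['gates']})]),
    (RES_SEARCH_RESULT, []),
]
```

In real use, replace the sample with a generator that calls conn.result(result_id, 0) until it returns RES_SEARCH_RESULT; the same filtering applies to the flat list conn.result(result_id, 1) returns, where referrals appear as (None, [...]) tuples mixed in with the entries.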