Why does python-ldap code raise the Exception ldap.REFERRAL?

Question:

I’m trying to use the python-ldap library to connect to an Active Directory Server.
I’m using the code found in this link.

The following code works correctly:

    import ldap

    con = ldap.initialize(uri, bytes_mode=False)
    con.protocol_version = ldap.VERSION3
    con.set_option(ldap.OPT_REFERRALS, 0)  # required for AD authentication
    con.simple_bind_s(bindDN, bindPW)
    print("Authentication success!")

With correct credentials (in the variables bindDN and bindPW) the execution of the code establishes the connection to my AD server, so it prints the success message Authentication success!, which is the last instruction of the previous snippet of code.

When I try to execute the code below, the last instruction, con.result3, raises the ldap.REFERRAL exception.

    import ldap
    from ldap.controls import SimplePagedResultsControl

    # optional, but reduces the number of supported controls, since only this one will be parsed
    known_ldap_resp_ctrls = {
        SimplePagedResultsControl.controlType: SimplePagedResultsControl,
    }

    # instantiate the control that will make the paged results
    # it carries the page cookie (initially empty, to request the first page)
    req_ctrl = SimplePagedResultsControl(
        criticality=True,
        size=pagesize,
        cookie=''
    )

    # query next page, asynchronous
    msgid = con.search_ext(
        baseDN,
        ldap.SCOPE_SUBTREE,
        filterstr,
        attrlist=attrlist,
        serverctrls=[req_ctrl]
    )

    try:
        con.result3(msgid, timeout=timeout, resp_ctrl_classes=known_ldap_resp_ctrls)
    except ldap.REFERRAL as ex:
        print("REFERRAL Exception --> " + str(ex))

When the exception is raised, the except block for ldap.REFERRAL prints the following message:

REFERRAL Exception --> {'msgtype': 101, 'msgid': 2, 'result': 10, 'desc': 'Referral', 'ctrls': [('1.2.840.113556.1.4.319', 0, b'0\x84\x00\x00\x00\x05\x02\x01\x00\x04\x00')], 'info': 'Referral:\nldap://domain.local/DC=domain,DC=local'}

I’m completely stuck on this exception.

Could someone help me find where the problem is?

Thanks


If I execute the same query with the ldapsearch utility, it works correctly and the AD server sends the requested data.

Asked By: frankfalse


Answers:

In the previous code I made a mistake in setting the variable baseDN, which had the wrong example value DC=domain,DC=local.

The baseDN variable is used by the function search_ext(). Here is the portion of the code already shown in my question that uses baseDN:

    # query next page, asynchronous
    msgid = con.search_ext(
        baseDN,
        ldap.SCOPE_SUBTREE,
        filterstr,
        attrlist=attrlist,
        serverctrls=[req_ctrl]
    )

In fact, the content of the info field of the exception message reported in the question is:

    'info': 'Referral:\nldap://domain.local/DC=domain,DC=local'

In this part of the error message I noticed the values DC=domain,DC=local.

After setting the correct value of the variable baseDN, the LDAP server responds to the query with the requested data.

A bit of confusion around the LDAP referral concept

Finding the solution to this problem (which appears to be an oversight) was not easy, because when looking for information about the LDAP referral concept I found, for example, this Oracle document, which links LDAP referrals to aliases.

Instead, this is a useful link: https://confluence.atlassian.com/crowdkb/ldap-integration-fails-with-ldap-error-code-10-658735957.html which suggested to me where to look for the problem.

Answered By: frankfalse
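As an added example (not code from the question or the answer above): helpers that turn the info field of an ldap.REFERRAL into the base DN the server actually holds, read defaultNamingContext from the rootDSE, and run the paged search with the cookie loop, surfacing a referral as an error that names the right base instead of chasing the URL. The bound connection, filter and attribute list are assumed to be those of the question; the referral string used in the test is the one quoted there.

```python
import re
from urllib.parse import unquote, urlsplit

LDAP_URL_RE = re.compile(r"ldaps?://\S+")

def referral_base_dn(url):
    """Base DN of an RFC 4516 LDAP URL: the path without its leading '/' or %-escapes."""
    return unquote(urlsplit(url).path.lstrip("/"))

def diagnose_referral(info, configured_base_dn):
    """AD answers with a referral when the base DN is not a naming context it holds.
    Returns (base DN the server points at, one-line explanation)."""
    urls = LDAP_URL_RE.findall(info or "")   # 'info' looks like "Referral:\nldap://host/DN"
    if not urls:
        return None, "referral carries no LDAP URL: %r" % (info,)
    target = referral_base_dn(urls[0])
    if target.lower() == configured_base_dn.strip().lower():
        why = "same base on %s; check host, port and OPT_REFERRALS" % urlsplit(urls[0]).hostname
    else:
        why = "baseDN %r is not held by this DC; it points at %r" % (configured_base_dn, target)
    return target, why

def default_naming_context(con):
    """Base DN this DC actually holds, read from the rootDSE over a bound python-ldap
    connection. ldap is imported here so the pure helpers above need no python-ldap."""
    import ldap
    res = con.search_s("", ldap.SCOPE_BASE, "(objectClass=*)", ["defaultNamingContext"])
    return res[0][1]["defaultNamingContext"][0].decode()

def paged_search(con, base_dn, filterstr, attrlist, pagesize=500):
    """Yield every entry, following the paged-results cookie; on REFERRAL raise a message
    that names the right base instead of chasing the URL (OPT_REFERRALS is 0 for AD)."""
    import ldap
    from ldap.controls import SimplePagedResultsControl
    req_ctrl = SimplePagedResultsControl(criticality=True, size=pagesize, cookie=b"")
    known = {SimplePagedResultsControl.controlType: SimplePagedResultsControl}
    while True:
        msgid = con.search_ext(base_dn, ldap.SCOPE_SUBTREE, filterstr, attrlist, serverctrls=[req_ctrl])
        try:
            _, rdata, _, rctrls = con.result3(msgid, resp_ctrl_classes=known)
        except ldap.REFERRAL as ex:
            raise ValueError(diagnose_referral(ex.args[0].get("info", ""), base_dn)[1]) from ex
        yield from rdata
        cookies = [c.cookie for c in rctrls if c.controlType == req_ctrl.controlType]
        if not cookies or not cookies[0]:
            return
        req_ctrl.cookie = cookies[0]
```

Calling default_naming_context(con) right after simple_bind_s and passing its result as base_dn avoids the wrong-example-value mistake entirely.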