User051209

Reputation: 2513

Why does python-ldap code raise the exception ldap.REFERRAL?

I'm trying to use the python-ldap library to connect to an Active Directory Server. I'm using the code found in this link.

Authentication by simple bind

The following code works correctly:

import ldap

# uri, bindDN and bindPW are set earlier (not shown in the question)
con = ldap.initialize(uri, bytes_mode=False)
con.protocol_version = ldap.VERSION3
con.set_option(ldap.OPT_REFERRALS, 0)  # required for AD authentication
con.simple_bind_s(bindDN, bindPW)
print("Bind success!")

With correct credentials (in the variables bindDN and bindPW), executing the code performs a simple bind to the AD server present in my company and prints the success message Bind success!, which is the last instruction of the previous snippet of code.

REFERRAL Exception in the query execution

When I try to execute the code below, the last instruction, con.result3, raises the ldap.REFERRAL exception.

import ldap
from ldap.controls import SimplePagedResultsControl

# con is the bound connection from the previous snippet; baseDN, filterstr,
# attrlist, pagesize and timeout are set earlier (not shown in the question)

# optional, but reduces the number of supported controls, since only this one will be parsed
known_ldap_resp_ctrls = {
    SimplePagedResultsControl.controlType: SimplePagedResultsControl,
}

# instantiate the control that will make the paged results
# it carries the page cookie (initially empty, to request the first page)
req_ctrl = SimplePagedResultsControl(
    criticality=True,
    size=pagesize,
    cookie=''
)

# query next page, asynchronous
msgid = con.search_ext(
    baseDN,
    ldap.SCOPE_SUBTREE,
    filterstr,
    attrlist=attrlist,
    serverctrls=[req_ctrl]
)

try:
    con.result3(msgid, timeout=timeout, resp_ctrl_classes=known_ldap_resp_ctrls)
except ldap.REFERRAL as ex:
    print("REFERRAL Exception --> " + str(ex))

When the exception is raised, the except block for ldap.REFERRAL prints the following message:

REFERRAL Exception --> {'msgtype': 101, 'msgid': 2, 'result': 10, 'desc': 'Referral', 'ctrls': [('1.2.840.113556.1.4.319', 0, b'0\x84\x00\x00\x00\x05\x02\x01\x00\x04\x00')], 'info': 'Referral:\nldap://domain.local/DC=domain,DC=local'}

I'm completely stuck on this exception.

Could someone help me find where the problem is?

Upvotes: 1

Views: 1101

Answers (1)

User051209

Reputation: 2513

The exception ldap.REFERRAL is due to an incorrect baseDN

In the code shown in the question there is the following mistake:

the variable baseDN is set equal to DC=domain,DC=local, which is an example value not usable with the real LDAP server present in my company.

The baseDN variable is used by the function search_ext(). Here is the portion of the code already shown in my question that uses baseDN:

# query next page, asynchronous
msgid = con.search_ext(
    baseDN,
    ldap.SCOPE_SUBTREE,
    filterstr,
    attrlist=attrlist,
    serverctrls=[req_ctrl]
)

In fact, the content of the info field of the exception message reported in the question is:

'info': 'Referral:\nldap://domain.local/DC=domain,DC=local'

In this part of the error message I noticed the value DC=domain,DC=local.

Because I'm doing my tests against the AD of my company, the correct baseDN value is something like DC=laboratory,DC=mycompany; after setting the correct value of the baseDN variable, the LDAP server of my company responds to the query with the requested data.

A bit of confusion around the LDAP referral concept

Finding the solution to this problem (which looks like a simple oversight) was not easy, because while looking for information about the LDAP referral concept I found, for example, this Oracle document, which links LDAP referrals to aliases.

Instead, this is a useful link: https://confluence.atlassian.com/crowdkb/ldap-integration-fails-with-ldap-error-code-10-658735957.html, which suggested to me where to look for the problem; it states that the REFERRAL error is caused by an invalid base DN, and thanks to this information I found the solution to my problem.

Upvotes: 0
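The diagnosis in this answer (a base DN that the server does not hold, answered with a referral to the host that does) can be checked mechanically before blaming the paging code. The following is an added example, not code from the question or from python-ldap: it takes the args dict that ldap.REFERRAL carries (constructed here in the shape printed in the question), the namingContexts list a practitioner would read from the server's rootDSE (constructed sample values), and the requested base DN, and reports whether the base DN lies under any naming context of the server it was sent to.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample: the args dict python-ldap attaches to ldap.REFERRAL,
# shaped like the exception printed in the question.
SAMPLE_REFERRAL_ARGS = {
    'msgtype': 101, 'msgid': 2, 'result': 10, 'desc': 'Referral',
    'ctrls': [('1.2.840.113556.1.4.319', 0,
               b'0\x84\x00\x00\x00\x05\x02\x01\x00\x04\x00')],
    'info': 'Referral:\nldap://domain.local/DC=domain,DC=local',
}

# Constructed sample: the namingContexts an AD server reports in its rootDSE
# (in python-ldap: con.read_rootdse_s()['namingContexts']).
SAMPLE_NAMING_CONTEXTS = [
    'DC=laboratory,DC=mycompany',
    'CN=Configuration,DC=laboratory,DC=mycompany',
]

def dn_rdns(dn):
    """Split a DN into normalized RDNs: DN matching ignores case and
    whitespace around the commas."""
    return [rdn.strip().lower() for rdn in dn.split(',') if rdn.strip()]

def is_hosted(base_dn, naming_contexts):
    """True if base_dn equals, or lies below, a naming context this server holds."""
    base = dn_rdns(base_dn)
    for ctx in naming_contexts:
        suffix = dn_rdns(ctx)
        if len(base) >= len(suffix) and base[-len(suffix):] == suffix:
            return True
    return False

def referral_targets(referral_args):
    """Return (host, base_dn) for every LDAP URL in the exception's info field."""
    urls = re.findall(r'ldaps?://\S+', referral_args.get('info', ''))
    parsed = [urlparse(u) for u in urls]
    return [(p.hostname, unquote(p.path.lstrip('/'))) for p in parsed]

def diagnose(referral_args, requested_base_dn, naming_contexts):
    """Explain a REFERRAL: if the requested base DN is outside every naming
    context of this server, the server answers with a referral to the host
    that does hold it, exactly as seen in the question."""
    if is_hosted(requested_base_dn, naming_contexts):
        return "base DN is hosted here; the referral has another cause"
    where = ', '.join(f"{h} ({dn})" for h, dn in referral_targets(referral_args))
    return (f"base DN {requested_base_dn!r} is outside {naming_contexts}; "
            f"server referred to: {where or 'no URL given'}")
```

Running diagnose(SAMPLE_REFERRAL_ARGS, 'DC=domain,DC=local', SAMPLE_NAMING_CONTEXTS) reports the example base DN as outside the server's naming contexts and names domain.local as the referral target, which is the situation the answer describes.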
