Python LDAP and Active Directory issue

Question

I'll try to include as much detail as possible but consider this situation:

For privacy concerns lets say I have an Active Directory infrastructure like the following:

microsoft.com
and some child domains:
csharp.microsoft.com
vb.microsoft.com

All user accounts are stored at microsoft.com.

I start out my code with the following:

import ldap
ldap.set_option(ldap.OPT_REFERRALS,0)
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,ldap.OPT_X_TLS_NEVER)

(I know I should probably have a certificate for the domain, but what can you do)

I then make a connection like the following:

conn = ldap.initialize("ldaps://microsoft.com:636")
conn.simple_bind_s("user","pass")

In my script I am searching for a user account, and I use the following search:

result_id = conn.search("DC=microsoft,DC=com",
                                ldap.SCOPE_SUBTREE,
                                "(&(CN=gates)(!(objectClass=contact)))",
                                None)
result_type,result_data = conn.result(result_id,0)

Ok great, so this works....most of the time.
When it does work I get something to the effect of:

[("CN=gates,OU=Users,DC=microsoft,DC=com", {'sAMAccountName':['gates']}])

However, it seems at random, that I will get results like the following:

[(None, ['ldaps://csharp.microsoft.com/DC=csharp,DC=microsoft,DC=com'])]

While the result makes sense - gates does not exist at csharp.microsoft.com he exists at microsoft.com DC - it is still very puzzling because I am under the impression that using OPT_REFERRALS setting to 0 will tell the Python LDAP module to NOT use referrals. To make things more interesting I also sometimes get results like the following:

[(None, ['ldaps://ForestDnsZones.microsoft.com/DC=ForestDnsZones,DC=microsoft,DC=com'])]

So my question - is there anything I'm doing wrong?

Also, it has been suggested that if I use a search path like "OU=Users,DC=microsoft,DC=com" instead of just searching from the root ( "DC=microsoft,DC=com" ) that the LDAP client module will not attempt to use referrals - is this accurate?

Edit

The issue turned out to not be LDAP related but rather a WSGI mis-configuration. Using the WSGIDaemonProcess solved the cross contamination issue we were experiencing.

Answer 1

Setting ldap.OPT_REFERRALS to 0 tells the server not to "chase" referrals, i.e. not to resolve them.

Results with None as the first element are the server's way of telling you "this is a referral, but you told me not to chase it down." At least that's my understanding.

If you don't want referrals, just ignore results with a first element of None.