Python LDAP and Active Directory issue


I'll try to include as much detail as possible but consider this situation:

For privacy concerns let's say I have an Active Directory infrastructure like the following:
and some child domains:

All user accounts are stored at

I start out my code with the following:

import ldap

(I know I should probably have a certificate for the domain, but what can you do)

I then make a connection like the following:

conn = ldap.initialize("ldaps://")

In my script I am searching for a user account, and I use the following search:

result_id ="DC=microsoft,DC=com",
result_type,result_data = conn.result(result_id,0)

Ok great, so this works….most of the time.
When it does work I get something to the effect of:

[("CN=gates,OU=Users,DC=microsoft,DC=com", {'sAMAccountName':['gates']})]

However, it seems at random, that I will get results like the following:

[(None, ['ldaps://,DC=microsoft,DC=com'])]

While the result makes sense – gates does not exist at he exists at DC – it is still very puzzling because I am under the impression that setting OPT_REFERRALS to 0 will tell the Python LDAP module to NOT use referrals.
To make things more interesting I also sometimes get results like the following:

[(None, ['ldaps://,DC=microsoft,DC=com'])]

So my question – is there anything I'm doing wrong?

Also, it has been suggested that if I use a search path like "OU=Users,DC=microsoft,DC=com" instead of just searching from the root ( "DC=microsoft,DC=com" ) that the LDAP client module will not attempt to use referrals – is this accurate?


The issue turned out to not be LDAP related but rather a WSGI misconfiguration.
Using the WSGIDaemonProcess solved the cross-contamination issue we were experiencing.

Best Answer

Setting ldap.OPT_REFERRALS to 0 tells the server not to "chase" referrals, i.e. not to resolve them.

Results with None as the first element are the server's way of telling you "this is a referral, but you told me not to chase it down." At least that's my understanding.

If you don't want referrals, just ignore results with a first element of None.
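
An added example (not code from the question or the answer) of the filtering the answer describes: it separates real entries from results whose first element is None, and records where each skipped referral pointed so it can be logged. The hostnames and DNs under example.test are constructed placeholders, and the handling of bytes values is an assumption about what the LDAP module returns.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample shaped like the result_data lists in the question.
# Hostnames and DNs under example.test are placeholders, not from the page.
SAMPLE = [
    ("CN=gates,OU=Users,DC=example,DC=test", {"sAMAccountName": [b"gates"]}),
    (None, ["ldaps://child.example.test/DC=child,DC=example,DC=test"]),
    (None, [b"ldaps://DomainDnsZones.example.test/DC=DomainDnsZones,DC=example,DC=test"]),
]


def _text(value):
    """Decode bytes to str; binary attributes would need separate handling."""
    return value.decode("utf-8", "replace") if isinstance(value, bytes) else value


def describe_referral(url):
    """Break a referral URL into the parts worth logging."""
    parts = urlsplit(_text(url))
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "base_dn": unquote(parts.path.lstrip("/")),
    }


def split_results(result_data):
    """Separate real entries from unchased referrals (DN is None)."""
    entries, referrals = [], []
    for dn, payload in result_data:
        if dn is None:
            # payload is a list of referral URLs, not an attribute dict
            referrals.extend(describe_referral(u) for u in payload)
        else:
            attrs = {k: [_text(v) for v in vals] for k, vals in payload.items()}
            entries.append((dn, attrs))
    return entries, referrals


if __name__ == "__main__":
    entries, referrals = split_results(SAMPLE)
    for dn, attrs in entries:
        print("entry:", dn, attrs)
    for ref in referrals:
        print("skipped referral:", ref["scheme"], ref["host"], ref["base_dn"])
```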