Problems with python and ldap through TLS


First of all, I'm sorry for my English.

I'm trying to query some data from LDAPS servers, but I'm getting some problems.

I have two Samba4 DC controllers working as the same domain. I had the two DCs on different subdomains, for example:

  • dc.domain.com
  • dc2.domain.com

and I have this Python script to query some data from those LDAP servers:

    #!/usr/bin/env python2
    # -*- coding: utf-8 -*-

    import ldap, ldapurl, sys

    GrupoLDAP = "Domain Users" # Group to retrieve
    CACert = '/etc/ssl/ca.cert.pem' # CA certificate

    # Verify the server certificate against the CA and fail hard on mismatch
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACert)
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_HARD)

    proto = 'ldaps' # Protocol
    server = 'domain.com' # Server address (same name as on the certificate)
    port = 636 # Secure port for ldaps

    try:
        url = ldapurl.LDAPUrl(urlscheme=proto, hostport="%s:%s" % (server, str(port))).initializeUrl()
        ldap_obj = ldap.initialize(url)
        ldap_obj.simple_bind_s('user@domain.com', '_PassWd_')

        base = 'DC=domain,DC=com' # Path and OU of the group

        scope = ldap.SCOPE_SUBTREE

        # Person objects whose account is not disabled (userAccountControl bit 2 unset)
        query = '(&(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

        res_attrs = ['sAMAccountName', 'cn']
        #res_attrs = ['*']
        res = ldap_obj.search_s(base, scope, query, res_attrs)
    except ldap.LDAPError as Error:
        print "Ha ocurrido un error al conectar o realizar la query al servidor LDAP:\n\n%s" % Error
        sys.exit(1)

    print res

This script was working perfectly until I joined both servers under the same DNS entry to allow redundancy. Now both servers work on domain.com.

The problem seems to be the base DN with ldaps, because if I change the base to:

    base = 'OU=Users,DC=domain,DC=com'

or I use ldap instead of ldaps, then it works perfectly. The problem is that I need to query the root of the server without any OU.

I can use the standard ldap channel, but I want to use a secure channel to get the data.

The error that I get is:

{'info': '00002020: Operation unavailable without authentication', 'desc': 'Operations error'}

And of course I'm using authentication, and I've updated the certs on both servers to change the CN to "domain.com", and it seems to be working perfectly with Owncloud and Prosody (using Saslauth), but with Python it is failing.

Does someone know what can be happening?

Thanks!!


There is 1 answer

Daniel Carrasco Marín (best answer)

Finally I've found the way to fix the problem. I've added this line to the Python script:

    ldap.set_option(ldap.OPT_REFERRALS, 0)

And now it is working perfectly.

Greetings!!
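As an added example (not the asker's or answerer's code), a Python 3 version that combines the question's TLS settings with the accepted fix, and shows how to tell real entries from the referral tuples python-ldap returns once chasing is off. The `connect_ldaps`, `split_results` and `search_enabled_users` names and the `SAMPLE_RESULTS` list are constructed for illustration; only the offline helper is exercised without a server.

```python
def connect_ldaps(server, bind_dn, password, ca_cert):
    """LDAPS connection that verifies the server cert and does not chase referrals.

    python-ldap chases referrals by default and libldap follows them anonymously.
    A root-base search on Samba AD yields referrals to the DomainDnsZones,
    ForestDnsZones and Configuration partitions; that anonymous follow-up search
    is what the server rejects with 00002020.
    """
    import ldap  # python-ldap; imported here so split_results() runs without it
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_cert)
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_HARD)
    ldap.set_option(ldap.OPT_REFERRALS, 0)  # the fix from the accepted answer
    conn = ldap.initialize("ldaps://%s:636" % server)
    conn.simple_bind_s(bind_dn, password)
    return conn


def split_results(results):
    """Separate entries from search references in a search_s() result.
    With OPT_REFERRALS=0 a referral is (None, [url, ...]) rather than (dn, attrs).
    """
    entries, referrals = [], []
    for dn, value in results:
        if dn is None:
            referrals.extend(value)
        else:
            entries.append((dn, value))
    return entries, referrals


def search_enabled_users(conn, base="DC=domain,DC=com"):
    """The question's query against the root base, with referrals dropped."""
    import ldap
    raw = conn.search_s(
        base, ldap.SCOPE_SUBTREE,
        "(&(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
        ["sAMAccountName", "cn"])
    return split_results(raw)[0]


# Constructed sample (not a captured reply) of a root-base search result
# from Samba AD once referral chasing is disabled.
SAMPLE_RESULTS = [
    ("CN=Alice,CN=Users,DC=domain,DC=com", {"sAMAccountName": [b"alice"]}),
    (None, ["ldap://ForestDnsZones.domain.com/DC=ForestDnsZones,DC=domain,DC=com"]),
    ("CN=Bob,CN=Users,DC=domain,DC=com", {"sAMAccountName": [b"bob"]}),
    (None, ["ldap://DomainDnsZones.domain.com/DC=DomainDnsZones,DC=domain,DC=com"]),
    (None, ["ldap://domain.com/CN=Configuration,DC=domain,DC=com"]),
]
```

Disabling chasing means those partition referrals are simply not followed; if the script ever needs data from them it must bind to the referred server explicitly rather than letting libldap do so anonymously.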