[Zope] LDAPUserFolder and Micro$oft AD (ugh!)

Jens Vagelpohl jens@zope.com
Fri, 14 Mar 2003 17:04:14 -0500


as always, a full traceback might shed more light on the issue...

jens


On Thursday, Mar 13, 2003, at 17:18 US/Eastern,
larry_prikockis@natureserve.org wrote:

> Greetings fellow Zope-addicts :-)
>
> First-- no need to remind me that LDAPUserFolder isn't in any way
> designed specifically to interoperate properly with Active
> Directory... I'm stuck with AD for the moment.
>
> I'm running Zope 2.6.1 on Linux (RH 7.1). I have the latest version
> of LDAPUserFolder, python-ldap, open-ldap, etc. installed. For the
> most part, everything works as advertised. However- there's a weird
> glitch that crops up, apparently in the process of searching through
> certain portions of my Active Directory structure (over which I have
> no direct control- despite my fervent desire to reorganize it more
> sensibly)
>
> Basically, the structure looks like this:
>
> Dc=mydir,dc=org
>         ou=division1
>         ou=division2
>         ou=division3
>         cn=Configuration  (lots of other junk under here ?!!)
>
> User entries can be located under any of the various division ou's, so
> I need to use a base DN: dc=mydir,dc=org and "subtree" for the scope
> setting.
>
> What I get, when searching for a user entry is the following:
>
> Error:
> {'desc': "Can't contact LDAP server", 'info':
> 'Referral:\nldap://mydir.org/CN=Configuration,DC=mydir,DC=org'}
>
> If I specify a user base DN of, e.g., ou=division1,dc=mydir,dc=org,
> then all is well (though of course, I'm not really searching the full
> scope of records I want to search).
>
> Any ideas on how to tell where this error might be occurring (it
> strikes me that it's probably related to something in python-ldap or
> open-ldap, rather than the LDAPUser folder, but I don't know.)
>
> Or is there some way I can modify the code to ignore the
> CN=configuration portion of the directory tree? (since that seems to
> be the root of the problem for whatever reason and it's not something
> I need to look at for user authentication anyway).
>
> Sorry for the long-winded message, but this has been driving me batty
> and I'm hoping it'll ring a bell with someone out there.
>
> Thanks much...
> Larry Prikockis
>