Referral question

[cro]

Greetings,

We have an application that performs LDAP lookups against Active Directory. For one customer we are seeing the following in the logs (names sanitized):

ERROR:invalid server address for <ldaps://host .subdomain.com:636 - 
   ssl - user: CN=svc domain-join,OU=XXX,DC=HOST,DC=SUBDOMAIN,DC=COM -
   not lazy - unbound - closed - <no socket> - tls not started - not listening -
   SyncStrategy - internal decoder>

Note the space between host and the .subdomain.

Further log reading reveals this message appears when we are getting an LDAP referral, because the host above is not the host we are sending the query against. This has been verified via DNS lookup, the IP addresses are different between the two hosts.

My question is if there is a switch or configuration option anywhere in ldap3 that would strip spaces from the referral server addresses. They are not valid, and while I understand the "right" solution would be to fix the Active Directory so it reports valid referral hostnames, the customer is saying "it works for all our other LDAP applications", so I am wondering if other interface libraries do this already.

Thanks.

[cannatag]

Hi C. R. Oldham, ldap3 by default follows referrals in the response message. You can disable this behavior with auto_referrals=False in the Connection object. Then you will find the referrals in the response and can fix the name if you want to follow them.Bye,GiovanniIl giorno 18 ott 2022, alle ore 18:47, C. R. Oldham ***@***.***> ha scritto: Greetings, We have an application that performs LDAP lookups against Active Directory. For one customer we are seeing the following in the logs (names sanitized): ERROR:invalid server address for <ldaps://host .subdomain.com:636 - ssl - user: CN=svc domain-join,OU=XXX,DC=HOST,DC=SUBDOMAIN,DC=COM - not lazy - unbound - closed - <no socket> - tls not started - not listening - SyncStrategy - internal decoder> Note the space between `host` and the `.subdomain`. Further log reading reveals this message appears when we are getting an LDAP referral, because the host above is not the host we are sending the query against. This has been verified via DNS lookup, the IP addresses are different between the two hosts. My question is if there is a switch or configuration option anywhere that would strip spaces from the referral server addresses. They are not valid, and while I understand the "right" solution would be to fix the Active Directory so it reports valid referral hostnames, the customer is saying "it works for all our other LDAP applications", so I am wondering if other interface libraries do this already. Thanks. —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>