Comment #2 on issue 1641 by bryan.weingarten: Required LDAP OPT_REFERRALS option

FAQ #13 from

Basically we require turning off "chasing referrels" for our ldap client to work. The line to turn off referrals just goes immediately after each ldapo.initialize(). I'm sure many people would not require or want this, so it's best to add this as an option to "Disable referrals" in the LDAP settings. I don't know anything about LDAP either. LDAP in Review Board was not working for me and I had to experiment with python-ldap and a lot of googling to figure this out. Then when I looked at Review Board code, it was obvious that it was missing this one line of code. When I added
it, Review Board was able to successfully authenticate for us.

Q: My script bound to MS Active Directory but a a search operation results in an exception ldap.OPERATIONS_ERROR with the diagnostic messages text "In order to perform this operation a successful bind must be completed on the connection.".
What's happening here?

A: When searching from the domain level MS AD returns referrals (search
continuations) for some objects to indicate to the client where to look for these objects. Client-chasing of referrals is a broken concept since LDAPv3 does not specify which credentials to use when chasing the referral. Windows clients are supposed to simply use their Windows credentials but this does not work in general
when chasing referrals received from and pointing to arbitrary LDAP servers.
Therefore per default libldap automatically chases the referrals internally with an
anonymous access which fails with MS AD.
So best thing is to switch this behaviour off:

l = ldap.initialize('ldap://foobar')

You received this message because you are subscribed to the Google Groups 
"reviewboard-issues" group.
To post to this group, send email to
To unsubscribe from this group, send email to
For more options, visit this group at

Reply via email to