Jeff and I were working tonight on some code that needed to search an Active Directory domain at its root, using the python-ldap library. We had a problem wherein our search would work successfully if performed at a base DN below the root of the domain, but not at the top of the domain. The error returned in the python-ldap exception was:
LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
Normally, this error indicates that you're attempting to bind anonymously, which Active Directory (sensibly) doesn't allow by default. We were supplying credentials to bind, though, and changing the base DN on the search to a sub-OU was all that was necessary to get the search to work. It turns out that python-ldap was binding anonymously, so the error was only sort of a red herring.
Using a sniffer, we determined that the python-ldap library was chasing referrals being returned by Active Directory to our Configuration, ForestDNSZones, and DomainDNSZones NCs. I think that setting an LDAP_SERVER_DOMAIN_SCOPE_OID server control would have probably stopped Active Directory from returning the referrals in the first place, but it appears that python-ldap doesn't support server controls "yet". As such, we opted for adding the following to our code (right after importing 'ldap') to stop python-ldap from chasing the referrals:
We still get the referrals in our results, but we can wade through those ourselves.
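An added example, not code from the original post: one way to turn off referral chasing with python-ldap's `OPT_REFERRALS` option and then separate real entries from the unchased referrals in the result list. The function names, the `example.com` domain and the sample results are assumptions constructed for illustration.

```python
from urllib.parse import unquote, urlsplit

# Constructed sample shaped like python-ldap search_s() output for a search at
# a domain root with referral chasing off; example.com is a placeholder domain.
SAMPLE_RESULTS = [
    ("CN=Jane Doe,OU=Staff,DC=example,DC=com", {"sAMAccountName": [b"jdoe"]}),
    (None, ["ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com"]),
    (None, ["ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com"]),
    (None, [b"ldap://example.com/CN=Configuration,DC=example,DC=com"]),
]


def split_results(results):
    """Separate real entries from referrals, which have None in the DN slot."""
    entries, referrals = [], []
    for dn, payload in results:
        if dn is None:
            # Referral URLs may arrive as str or bytes depending on version.
            referrals.extend(u.decode() if isinstance(u, bytes) else u for u in payload)
        elif isinstance(payload, dict):
            entries.append((dn, payload))
    return entries, referrals


def referral_base_dn(url):
    """Return the naming context (base DN) that a referral URL points at."""
    return unquote(urlsplit(url).path.lstrip("/"))


def search_domain_root(uri, bind_dn, password, base_dn, ldap_filter):
    """Bind with credentials, search without chasing referrals, split results."""
    import ldap  # python-ldap, imported lazily so the helpers work without it

    ldap.set_option(ldap.OPT_REFERRALS, 0)  # global: do not follow referrals
    conn = ldap.initialize(uri)
    conn.simple_bind_s(bind_dn, password)
    try:
        raw = conn.search_s(base_dn, ldap.SCOPE_SUBTREE, ldap_filter)
    finally:
        conn.unbind_s()
    return split_results(raw)


if __name__ == "__main__":
    entries, referrals = split_results(SAMPLE_RESULTS)
    print("entries:", [dn for dn, _ in entries])
    print("unchased referrals:", [referral_base_dn(u) for u in referrals])
```

Logging the referral list instead of discarding it keeps a record of which naming contexts the search did not cover.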