
Query against port 389 of Microsoft Active Directory gets flummoxed by referrals #4

Open
basezen opened this issue May 28, 2021 · 0 comments


basezen commented May 28, 2021

INVALIDATED This repository is out of date and has been subsumed into the main project.

Queries on port 389 using the AD domain as the base (not an inner OU) result in referrals returned by AD along with the valid answer. Referrals are chased down by default, but this causes a failure even though all the necessary attributes have been returned: the useless referral queries, unbound to the original DN, fail and cause a cascading failure.

Queries on port 3268 are not necessarily viable because the Global Catalog view does not include the necessary Unix attributes.

The logged result is vague:

LDAP search use DN 'DC=ad,DC=example,DC=com', filter '(&(objectClass=user)([email protected]))' failed: Operations error

On the command line:

ldapsearch -x -H ldap://example.com:389 -D '...' -w '...' -b 'dc=ad,dc=example,dc=com' -s sub '(userPrincipalName=...)'

# User info
dn: CN=...,DC=ad,DC=example,DC=com
userPrincipalName: ...@...
_all necessary info_

# search reference
ref: ldap://ForestDnsZones.ad.example.com/DC=ForestDnsZones,DC=ad,DC=example,DC=com

# search reference
ref: ldap://DomainDnsZones.ad.example.com/DC=DomainDnsZones,DC=ad,DC=basezen,DC=com

# search reference
ref: ldap://ad.example.com/CN=Configuration,DC=ad,DC=example,DC=com

Referencing https://linux.die.net/man/3/ldap_set_option, I believe we need LDAP_OPT_REFERRALS off.
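The failure described above comes from the client treating the three search references as something it must resolve before the search counts as successful, even though the user entry it needs has already arrived. In libldap the fix the issue points at is `ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF)`, and the OpenLDAP client library also honours `REFERRALS off` in ldap.conf(5). The following added example (not code from this repository or its parent project) shows the same policy in a self-contained form: it parses ldapsearch-style output of the shape quoted above into entries and referrals, accepts the first entry that carries the required RFC 2307 attributes, and merely logs the naming contexts the referrals point at instead of chasing them. The sample output, the user values and the attribute list are constructed placeholders.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Constructed sample in the shape of the ldapsearch output quoted in the issue:
# one user entry plus the three search references AD returns for a search based
# at the domain DN. Names and values are placeholders, not real directory data.
SAMPLE_OUTPUT = """\
# User info
dn: CN=Jane Doe,OU=People,DC=ad,DC=example,DC=com
userPrincipalName: jane@ad.example.com
uidNumber: 10001
gidNumber: 10001
unixHomeDirectory: /home/jane
loginShell: /bin/bash
description:: VW5peCB1c2Vy

# search reference
ref: ldap://ForestDnsZones.ad.example.com/DC=ForestDnsZones,DC=ad,DC=example,DC=com

# search reference
ref: ldap://DomainDnsZones.ad.example.com/DC=DomainDnsZones,DC=ad,DC=example,DC=com

# search reference
ref: ldap://ad.example.com/CN=Configuration,DC=ad,DC=example,DC=com
"""


@dataclass
class SearchResult:
    # Each entry maps a lower-cased attribute name to its list of values; "dn" is kept as an attribute.
    entries: List[Dict[str, List[str]]] = field(default_factory=list)
    referrals: List[str] = field(default_factory=list)  # raw LDAP URLs from the search references


def _unfold(lines: List[str]) -> List[str]:
    # LDIF folds long values: a line beginning with one space continues the previous line.
    out: List[str] = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def _parse_attr(line: str):
    # "name: value" is plain text; "name:: value" carries a base64-encoded value.
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        value = base64.b64decode(rest[1:].strip()).decode("utf-8")
    else:
        value = rest.strip()
    return name.strip().lower(), value


def parse_ldif_search(text: str) -> SearchResult:
    # Blocks are separated by blank lines; "#" lines are ldapsearch commentary, not data.
    result = SearchResult()
    for block in re.split(r"\n\s*\n", text):
        lines = _unfold([l for l in block.splitlines() if l and not l.startswith("#")])
        if not lines:
            continue
        name, value = _parse_attr(lines[0])
        if name == "ref":
            # A SearchResultReference may carry several URLs; keep them all but never follow them.
            result.referrals.extend(_parse_attr(l)[1] for l in lines)
            continue
        if name != "dn":
            raise ValueError(f"result block must start with dn: or ref:, got {name!r}")
        entry: Dict[str, List[str]] = {"dn": [value]}
        for line in lines[1:]:
            n, v = _parse_attr(line)
            entry.setdefault(n, []).append(v)
        result.entries.append(entry)
    return result


def referral_targets(result: SearchResult) -> List[str]:
    # The DN part of each referral URL: the naming context the server points elsewhere for.
    # Worth logging so an operator can see what a non-chasing client deliberately ignores.
    return [unquote(urlsplit(url).path.lstrip("/")) for url in result.referrals]


def find_complete_entry(result: SearchResult, required: List[str]) -> Optional[Dict[str, List[str]]]:
    # Client-side policy from the issue: referrals are advisory. Accept the first entry that
    # carries every required attribute; the presence of referrals never decides the outcome.
    wanted = [a.lower() for a in required]
    for entry in result.entries:
        if all(a in entry for a in wanted):
            return entry
    return None


if __name__ == "__main__":
    res = parse_ldif_search(SAMPLE_OUTPUT)
    entry = find_complete_entry(res, ["uidNumber", "gidNumber", "unixHomeDirectory", "loginShell"])
    print("entry:", entry["dn"][0] if entry else None)
    print("ignored referrals:", referral_targets(res))
```

The referral targets the parser reports (ForestDnsZones, DomainDnsZones and the Configuration container) are separate naming contexts that a user lookup never needs, which is why ignoring them loses nothing for this query; a client that still wants the referral information for diagnostics can log `referral_targets()` without letting a failed follow-up bind turn a complete answer into "Operations error".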
