I can connect to an Active Directory server using the ldap port and SASL (using gssapi to do kerberos) as follows:
    import ldap, ldap.sasl, sys
    server = 'ldap://server.domain.tld'
    sasl_auth = ldap.sasl.sasl({}, 'GSSAPI')
    conn = ldap.initialize(server, trace_level=0)
    conn.set_option(ldap.OPT_REFERRALS, 0)  # for AD servers, don't chase referrals via anonymous bind
    conn.protocol_version = ldap.VERSION3   # Set protocol version to LDAPv3 to enable SASL bind!
    conn.sasl_interactive_bind_s("", sasl_auth)
All of that works as desired. (Error checking left out for brevity.) But if I want to instead connect to the SSL port by changing the server string to:
    server = 'ldaps://server.domain.tld'
the bind succeeds, but my connection is reported as closed when I try to do the next thing, such as:
    print('Result of Who Am I? ext. op:', repr(conn.whoami_s()))
I get:
    ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server", 'errno': 5, 'info': 'Input/output error'}
even though the bind didn't raise any exceptions. "ldap://" works. "ldaps://" doesn't.
Does this only work via regular port + TLS, or am I missing some part of the incantation that is necessary for the ldaps port when doing kerberos?
Thanks.
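An added example, not the poster's code, illustrating the usual cause of the symptom above. Assumption (based on how OpenLDAP's SASL layer and Active Directory behave, not stated in the post): over ldaps:// the connection is already encrypted by TLS, and AD does not accept an additional GSSAPI security layer (sign/seal) on top of it, so the bind returns success and the DC then drops the connection at the next operation. The fix is to cap the SASL security strength factor at 0 for ldaps:// (python-ldap's OPT_X_SASL_SSF_MAX, equivalent to ldapsearch -O maxssf=0), while still requiring a security layer over plain ldap:// so that session stays protected. The option planner returns option names as strings so it can be tested without python-ldap installed; connect_gssapi resolves them against the real module. The host name is the placeholder from the post.

```python
# Added example (not the original poster's code).  Picks python-ldap options for
# a SASL/GSSAPI (Kerberos) bind depending on whether the URL is ldap:// or
# ldaps://, then performs the bind.
from urllib.parse import urlsplit


def plan_bind_options(server_url):
    """Return [(python-ldap option name, value), ...] to apply before the
    SASL bind.  Names are strings so this can be unit-tested offline."""
    scheme = urlsplit(server_url).scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported URL scheme: %r" % scheme)

    opts = [
        ("OPT_PROTOCOL_VERSION", 3),   # SASL binds require LDAPv3
        ("OPT_REFERRALS", 0),          # AD: don't chase referrals anonymously
    ]
    if scheme == "ldaps":
        # Assumption: TLS already protects the transport, and AD rejects a
        # GSSAPI sign/seal layer stacked on top of TLS (bind "succeeds", then
        # the DC closes the connection).  SSF 0 = no SASL security layer.
        opts.append(("OPT_X_SASL_SSF_MAX", 0))
    else:
        # Plain ldap://: insist on at least integrity protection from GSSAPI
        # (SSF >= 1); Cyrus SASL will normally negotiate sealing as well, so
        # the session is not sent in cleartext.
        opts.append(("OPT_X_SASL_SSF_MIN", 1))
    return opts


def connect_gssapi(server_url):
    """Open the connection and bind with SASL/GSSAPI using the planned
    options.  Needs python-ldap and a valid Kerberos ticket cache (kinit)."""
    import ldap
    import ldap.sasl

    conn = ldap.initialize(server_url)
    for name, value in plan_bind_options(server_url):
        conn.set_option(getattr(ldap, name), value)
    # ldap.sasl.gssapi() is python-ldap's ready-made GSSAPI callback object.
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    return conn


if __name__ == "__main__":
    import sys
    # Placeholder host from the post; pass a real URL on the command line.
    url = sys.argv[1] if len(sys.argv) > 1 else "ldaps://server.domain.tld"
    conn = connect_gssapi(url)
    print("Bound as:", conn.whoami_s())
```

Server certificate verification for ldaps:// is not touched here; it follows the system ldap.conf (TLS_CACERT / TLS_REQCERT) that libldap reads, and should be left at "demand" so that a forged DC cannot intercept the Kerberos-authenticated session.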