If the user you're binding with has the right in AD to search the whole
subtree you can start searching at the domain-level.
^^^^^^^^^^^^
Just for the records: A simple bind with userPrincipalName only works on
AD. It's not a LDAPv3 compliant bind request then (which requires a full
DN).
It should work. I'm doing this quite often.
What does "it breaks" mean? Any exception raised by python-ldap?
Nope.

Ciao, Michael.

BTW: This blog entry claims that LDAP_SERVER_DOMAIN_SCOPE_OID control
cannot be used with python-ldap. But support for such simple LDAPv3
extended controls was added to python-ldap way back in 2005.

Actually it's easy (relevant code excerpt):

----------------------------------------------------------------
import ldap
from ldap.controls import BooleanControl
LDAP_SERVER_DOMAIN_SCOPE_OID='1.2.840.113556.1.4.1339'
[..]
l = ldap.initialize(ldap_uri,trace_level=trace_level)
# Switch off chasing referrals within OpenLDAP's libldap
l.set_option(ldap.OPT_REFERRALS, 0)
# Simple bind with user's DN and password
l.simple_bind_s(dn,password)
res = l.search_ext_s(
'DC=dom,DC=example,DC=com',
ldap.SCOPE_ONELEVEL,
'(objectClass=subentry)',
['*'],
serverctrls = [
BooleanControl(
LDAP_SERVER_DOMAIN_SCOPE_OID,
criticality=0,controlValue=1
)
]
)
----------------------------------------------------------------

Strange enough it has no effect. And setting criticality=1 raises an
error indicating that this control is not supported although this
control is explicitly mentioned in attribute 'supportedControl' of the
server's rootDSE:

ldap.UNAVAILABLE_CRITICAL_EXTENSION: {'info': '00000057: LdapErr:
DSID-0C09068F, comment: Error processing control, data 0, vece', 'desc':
'Critical extension is unavailable'}

Might depend on the domain functional level AD is running with...

Ciao, Michael.

Uumh, yes. I'm always switching off OpenLDAP client lib's internal
referral chasing.

But be prepared to also handle (at least ignore) the search
continuations (LDAP URL) in the search results you will probably
receive. These are not regular search entries.

Ciao, Michael.

I am attempting to pull info from an LDAP server (Active Directory),
but cannot specify an OU. In other words, I need to search users in
all OU's, not a specific one.

Here is what works:

con = ldap.initialize("ldap://server.local")
con.simple_bind_s('user at domain', pass)
result = con.search_ext_s(
'OU=some office, DC=server, DC=local',
ldap.SCOPE_SUBTREE,
"sAMAccountName=username", ['mail']
)[0][1]

for i in result:
print "%s = %s" (i, result[i])

But i really need it to not require an OU. When I remove that part, it
breaks. Or it just won't find the user. Is there a proper syntax for
this that I'm missing? Maybe a different search function?