Checking for disabled users with python ldap3

I’ve read Q&A: How can I identify a deactivated user. This works with univention-ldapsearch, but I’m not able to get it running with pythons ldap3:

search(search_base=LDAP_BASE_DN,
                       search_scope=ldap3.SUBTREE,
                       search_filter="(&(objectCategory=user)(memberOf={}))".format(groupDN),
                       attributes= ["displayName","shadowExpire","sambaAcctFlags","krb5KDCFlags"])

returns error “ldap3.core.exceptions.LDAPAttributeError: invalid attribute type sambaAcctFlags”, same for krb5KDCFlags. Only shadowExpire is accepted, but always returns an empty list.

If I exclude sambaAcctFlags and krb5KDCFlags from ldap3 attribute check, the query is accepted, but both
attributes return empty lists too.

Does anyone know how to get this running?

Thanks,
Mathias

I figured it out: connection was to port 636 (samba), switching to 7636 (slapd) solved this issue.

Mastodon