
Unable to connect to ldaps on windows server 2016 from python-ldap

I have successfully used python-ldap to connect to a windows 2012 R2 server over ldaps in the past. The procedure I used for this was as follows:

python code:

import ldap

# Accept any server certificate: the session is encrypted, but the server is not authenticated
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
# Full libldap trace output on stderr
ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)
ip = '<redacted>'
url = "%s://%s:%d" % ('ldaps', ip, 636)
ld = ldap.initialize(url)
ld.protocol_version = 3
ld.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
user = '<redacted>'
passwd = '<redacted>'
# Simple bind as DOMAIN\user (the backslash is escaped so it is sent literally)
ld.simple_bind_s('<redacted>\\%s' % user, passwd)

And on the windows server, I used the 'server manager' to add an 'AD CS' role, and created a root certificate. I do not care about verifying the certificate, just using some encryption. After creating the root certificate, LDAPS was enabled on the server, and this code runs without error.

Now, I have followed the exact same procedure on windows server 2016, and the results are not so nice. I have managed to get a few errors from the same script. Usually either 'A TLS packet with unexpected length was received.' or 'Error in the push function.'. I have searched for a few hours but I have not been able to find a solution. Does anyone know if extra steps are needed for configuration on the windows server, or if something about my script is incorrect?

The client I am testing with is using python 2.7 and ubuntu 14.04. pip2.7 has updated the python-ldap library to the latest version. Here is an example of the failed script run:

ldap_create
ldap_url_parse_ext(ldaps://<redacted>:636)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <redacted>:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying <redacted>:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: can't connect: Error in the push function..
ldap_err2string
Traceback (most recent call last):
  File "test_ldap.py", line 13, in <module>
    ld.simple_bind_s('<redacted>\%s' % user, passwd)
  File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 228, in simple_bind_s
    msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
  File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 222, in simple_bind
    return self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
  File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 108, in _ldap_call
    result = func(*args,**kwargs)
ldap.SERVER_DOWN: {'info': 'Error in the push function.', 'errno': 104, 'desc': "Can't contact LDAP server"}

So it seems that this is one of those windows things which I just do not understand. After coming into work on the next day, the same code above just started working. It seems that windows server may require many hours in order to allow LDAPS to become available to connect to.
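Added example (editor's code, not part of the original question or answer). The two messages in the question come from GnuTLS, which libldap uses on Ubuntu: 'A TLS packet with unexpected length was received' is raised when the peer closes the connection in the middle of the handshake, and 'Error in the push function' with errno 104 (ECONNRESET) means the write of the ClientHello was rejected. Both say the TCP port accepted the connection but nothing on the other side completed a TLS handshake; neither is a certificate-validation failure, so turning verification off with OPT_X_TLS_NEVER cannot help. The script below separates the two questions a practitioner wants answered: `probe_ldaps` does a bare TLS handshake with the standard library to check whether port 636 is actually serving TLS yet, and `bind_ldaps` shows the python-ldap bind with the server certificate verified against the AD CS root CA instead of disabled. The function names, the `cafile` path and the `start_closing_listener` stand-in (a local socket that accepts and immediately closes, constructed here to reproduce the "port open, no TLS" case offline) are all assumptions of this example.

```python
import socket
import ssl
import threading

try:
    import ldap  # python-ldap; optional so the probe below runs without it
except ImportError:
    ldap = None


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Attempt a TLS handshake against host:port and report what the peer did.

    Returns a dict with 'tcp' (the port accepted the connection), 'tls'
    (the handshake completed) and either 'version'/'cipher' or a 'detail'
    string describing the failure.  With cafile=None the peer certificate
    is NOT verified: that mode is only for finding out whether the port
    speaks TLS at all, never for the real connection.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"tcp": False, "tls": False, "detail": "connect failed: %s" % exc}
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"tcp": True, "tls": True,
                    "version": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLError as exc:
        # 'wrong version number' when a plaintext service answers, or an EOF
        # mid-handshake when the peer closes the socket (the case GnuTLS
        # reports as 'A TLS packet with unexpected length was received')
        return {"tcp": True, "tls": False,
                "detail": "handshake failed: %s" % (exc.reason or exc)}
    except OSError as exc:
        # ECONNRESET / timeout during the handshake (GnuTLS: 'Error in the
        # push function', errno 104)
        return {"tcp": True, "tls": False,
                "detail": "handshake aborted: %s" % exc}
    finally:
        raw.close()


def bind_ldaps(host, cafile, who, cred, port=636):
    """python-ldap simple bind over LDAPS with the DC certificate verified.

    `cafile` is the AD CS root CA certificate exported as PEM (assumed path
    supplied by the caller).  `host` must be the DC's DNS name as it appears
    in the certificate; binding by IP address fails name verification.
    """
    if ldap is None:
        raise RuntimeError("python-ldap is not installed")
    ld = ldap.initialize("ldaps://%s:%d" % (host, port))
    ld.protocol_version = 3
    ld.set_option(ldap.OPT_REFERRALS, 0)
    ld.set_option(ldap.OPT_X_TLS_CACERTFILE, cafile)
    ld.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    ld.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # apply the TLS options above to this handle
    ld.simple_bind_s(who, cred)
    return ld


def start_closing_listener():
    """Constructed stand-in for a DC whose port 636 is open but not yet
    serving TLS: accepts one TCP connection and closes it immediately.
    Returns the ephemeral port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Reproduces the failure mode from the question without a Windows host.
    port = start_closing_listener()
    print("not-yet-TLS listener:", probe_ldaps("127.0.0.1", port))
    print("closed port:", probe_ldaps("127.0.0.1", 1, timeout=2.0))
```

Run `probe_ldaps("dc.example.local", cafile="/path/to/adcs-root.pem")` against the new server: a result with `tls` True means the DC has picked up a certificate and the python-ldap side can switch to `bind_ldaps`; `tcp` True with `tls` False is the state the question describes, and the fix is on the server, not in the client's TLS options.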
