Description
LDAP attributes can be multi-valued. In almost all common cases ldap_first_attribute / ldap_next_attribute return an attribute once. In very rare cases, such as FreeIPA's ipaAllowedToPerform;write_keys, the same attribute can appear more than once in the result. python-ldap accumulates the values of such a repeated attribute in a single list.
However, the implementation has a reference counting bug: it uses PyDict_GetItem and treats the returned object as an owned reference, whereas PyDict_GetItem only returns a borrowed reference. Application code must either Py_INCREF the reference to own it or never Py_DECREF the result.
The bug was never noticed before, because our tests don't trigger this particular behavior with an OpenLDAP server. Although I tried, I wasn't able to reproduce the issue with OpenLDAP. But 389-DS can return an attribute multiple times, which causes python-ldap to segfault. Under Python 2, it doesn't segfault, but the list is garbage.
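To make the refcount arithmetic concrete, here is an added example (not python-ldap's or CPython's code) that models CPython's borrowed/owned reference convention with a tiny refcounted list and a one-slot dict, so it compiles without Python.h. The attribute name comes from the report; the values "cn=a" / "cn=b" and all function and type names are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>
/* Toy model of CPython refcounting: a list object and a one-slot dict.
   Hypothetical names; not python-ldap's or CPython's code. */
typedef struct { int refcnt; int len; const char *vals[8]; } ValueList;
typedef struct { const char *key; ValueList *value; } AttrDict;

static void incref(ValueList *l) { l->refcnt++; }
static void decref(ValueList *l) { l->refcnt--; }  /* CPython frees at 0 */
static ValueList *list_new(void) {               /* NEW (owned) reference */
    ValueList *l = calloc(1, sizeof *l);
    l->refcnt = 1;
    return l;
}
/* Like PyDict_GetItem: returns a BORROWED reference, refcount untouched. */
static ValueList *dict_getitem(AttrDict *d, const char *key) {
    return (d->key && strcmp(d->key, key) == 0) ? d->value : NULL;
}
/* Like PyDict_SetItem: the dict takes its own reference. */
static void dict_setitem(AttrDict *d, const char *key, ValueList *v) {
    incref(v);
    d->key = key;
    d->value = v;
}

/* Accumulate one value of a possibly repeated attribute into the entry dict.
   fixed == 0 reproduces the bug: the borrowed reference is decref'd as if owned.
   fixed != 0 takes ownership first (Py_INCREF), so the final decref is balanced. */
static void add_value(AttrDict *d, const char *attr, const char *v, int fixed) {
    ValueList *l = dict_getitem(d, attr);
    if (l == NULL) {
        l = list_new();            /* owned: refcnt 1 */
        dict_setitem(d, attr, l);  /* dict holds another: refcnt 2 */
    } else if (fixed) {
        incref(l);                 /* borrowed -> owned */
    }
    l->vals[l->len++] = v;
    decref(l);                     /* buggy path drops the dict's reference */
}

/* Refcount of the dict's list after the same attribute arrives twice
   (as 389-DS returns it). 0 means CPython would already have freed it. */
int refcnt_after_two_values(int fixed) {
    AttrDict d = { NULL, NULL };
    add_value(&d, "ipaAllowedToPerform;write_keys", "cn=a", fixed);  /* constructed */
    add_value(&d, "ipaAllowedToPerform;write_keys", "cn=b", fixed);  /* constructed */
    int rc = d.value->refcnt;
    free(d.value);
    return rc;
}
```

With the buggy path the second occurrence drives the list's refcount to zero while the dict still points at it, which is the use-after-free behind the segfault; the fixed path leaves exactly the dict's one reference.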