[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Is ldap_bind() mandatory before each ldap_search() call?



Thanks for the reply. Queries inline.

On Tue, Nov 9, 2010 at 1:46 PM, Hallvard B Furuseth <h.b.furuseth@usit.uio.no> wrote:
Shankar Anand R writes:
> I see that most LDAP utilities (openldap included) do a ldap_bind() before
> every ldap_search(). Is this mandatory?

No, not in LDAPv3.  It was mandatory in LDAPv2: You started a session
with bind and ended it with unbind - which is why the latter is
misnamed, it should have been called "close" or something.
BTW, note that ldap_unbind() is also the destructor for the C LDAP*
structure.

If the client does a ldap_search() without doing a ldap_bind() how / where does it present its credentials to the server? When I tried a ldap_search() without doing a ldap_bind() I got an error that said "A successful bind should have been done before this operation". This was with an OpenLDAP client and Active directory 2008 server.
 

> If LDAP descriptor (ld) is valid and can be used for multiple
> ldap_search() calls, when does it become invalid? Is it time based,
> say ld becomes invalid after 10 minutes?

That's up to the server.  Ours has set idletimeout so the server closes
the connection if the client has been passive for some minutes.


Can you kindly tell me the minimum, default and maximum timeout values? Or point me to documentation that talks about them?
 
>  I have an application which needs to search the LDAP server for some
> specific attributes of users. The user name is taken as input from the
> command line. Is it necessary to do a ldap_bind() before each ldap_search()
> call? Doesn't this make it costly?

Depends on the access controls set in the server.  If the attributes are
publicly available, don't bother to Bind.

>  Can I do ldap_bind() once and call ldap_search() many times? When does my
> "bind" become invalid?

(a) Yes, and (b) if you use Simple Bind, not until you Bind again or the
connection is closed.  Some authentication methods (Kerberos I think)
will time out a Bind after a while, but the descriptior might still
remain useful - presumably you'll have to Bind again, even if just
anonymously.  I haven't tried.

> Can my application do this:
> #1 - bind to a LDAP server during initialization
> #2- then do an ldap_search() whenever required

Yes...

> #3- then invalidate the ld after 10 minutes

Another Bind invalidates the previous Bind, if that's what you mean.

> #4- do a ldap_bind() again and repeat from #2?

Yup.

You should be prepared for losing the connection (LDAP_SERVER_DOWN),
e.g. due to an idletimeout set in the server.  If so, to ldap_unbind,
connect and Bind again, and proceed.


Is there any way (for example, a part of bind reply) for the LDAP client to get to know about the session timeout so that the client can try to unbind and bind again before session expiry? Or does the client know about session expiry only after one of its LDAP operations fail with LDAP_SERVER_DOWN?

 
--
Hallvard