
Re: Is ldap_bind() mandatory before each ldap_search() call?



Shankar Anand R writes:
> I see that most LDAP utilities (openldap included) do a ldap_bind() before
> every ldap_search(). Is this mandatory?

No, not in LDAPv3.  It was mandatory in LDAPv2: You started a session
with bind and ended it with unbind - which is why the latter is
misnamed, it should have been called "close" or something.
BTW, note that ldap_unbind() is also the destructor for the C LDAP*
structure.

> If LDAP descriptor (ld) is valid and can be used for multiple
> ldap_search() calls, when does it become invalid? Is it time based,
> say ld becomes invalid after 10 minutes?

That's up to the server.  Ours has set idletimeout so the server closes
the connection if the client has been passive for some minutes.

>  I have an application which needs to search the LDAP server for some
> specific attributes of users. The user name is taken as input from the
> command line. Is it necessary to do a ldap_bind() before each ldap_search()
> call? Doesn't this make it costly?

Depends on the access controls set in the server.  If the attributes are
publicly available, don't bother to Bind.

>  Can I do ldap_bind() once and call ldap_search() many times? When does my
> "bind" become invalid?

(a) Yes, and (b) if you use Simple Bind, not until you Bind again or the
connection is closed.  Some authentication methods (Kerberos I think)
will time out a Bind after a while, but the descriptor might still
remain useful - presumably you'll have to Bind again, even if just
anonymously.  I haven't tried.

> Can my application do this:
> #1 - bind to a LDAP server during initialization
> #2- then do an ldap_search() whenever required

Yes...

> #3- then invalidate the ld after 10 minutes

Another Bind invalidates the previous Bind, if that's what you mean.

> #4- do a ldap_bind() again and repeat from #2?

Yup.

You should be prepared for losing the connection (LDAP_SERVER_DOWN),
e.g. due to an idletimeout set in the server.  If so, do ldap_unbind,
connect and Bind again, and proceed.

-- 
Hallvard
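
The bind-once, search-many pattern with recovery from a dropped connection, as an added example that is not part of the original message and not OpenLDAP code. The fake_server, session, session_open, session_close, raw_search and search_with_rebind names and the RC_* codes are constructed stand-ins for the server, the LDAP* handle and the ldap_bind()/ldap_search()/ldap_unbind() calls, so the control flow runs without a directory server.

```c
#include <stdio.h>

/* Constructed codes for this sketch; libldap has its own in <ldap.h>. */
enum { RC_OK = 0, RC_SERVER_DOWN = -1 };
/* Constructed server with an idle timeout: it drops a client that stays
   silent for more than idle_limit ticks. binds counts Bind requests. */
struct fake_server { int now, idle_limit, binds; };
/* Stand-in for the LDAP* handle. */
struct session { struct fake_server *srv; int open, last_used; };

/* Stands in for connect + Bind (step #1 in the thread). */
static int session_open(struct session *s, struct fake_server *srv) {
    s->srv = srv; s->open = 1; s->last_used = srv->now; srv->binds++;
    return RC_OK;
}
/* Stands in for ldap_unbind(): closes the connection, ends the handle. */
static void session_close(struct session *s) { s->open = 0; }
/* Stands in for ldap_search(): fails once the server has dropped us. */
static int raw_search(struct session *s) {
    if (!s->open || s->srv->now - s->last_used > s->srv->idle_limit)
        return RC_SERVER_DOWN;
    s->last_used = s->srv->now;
    return RC_OK;
}

/* Search on the long-lived session. On RC_SERVER_DOWN: unbind, reconnect,
   Bind again, retry once. Any other result is returned unchanged. */
static int search_with_rebind(struct session *s) {
    int rc = raw_search(s);
    if (rc != RC_SERVER_DOWN) return rc;
    session_close(s);
    rc = session_open(s, s->srv);
    return rc == RC_OK ? raw_search(s) : rc;
}

/* Three quick searches, a pause of gap ticks, one more search.
   Returns how many Binds the server saw, or -1 if a search failed. */
static int demo_binds(int gap) {
    struct fake_server srv = { 0, 5, 0 };   /* idle_limit of 5 ticks */
    struct session s;
    session_open(&s, &srv);
    for (int i = 0; i < 4; i++) {
        srv.now += (i < 3) ? 1 : gap;
        if (search_with_rebind(&s) != RC_OK) return -1;
    }
    session_close(&s);
    return srv.binds;
}

int main(void) { printf("%d %d\n", demo_binds(1), demo_binds(60)); return 0; }
```

Retrying only once, and only on the connection-lost code, keeps access-control or filter errors from being hidden behind repeated rebinds.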