On Tue, Nov 9, 2010 at 1:46 PM, Hallvard B Furuseth <firstname.lastname@example.org> wrote:
> Shankar Anand R writes:
> > I see that most LDAP utilities (openldap included) do a ldap_bind() before
> > every ldap_search(). Is this mandatory?
>
> No, not in LDAPv3. It was mandatory in LDAPv2: You started a session
> with bind and ended it with unbind - which is why the latter is
> misnamed, it should have been called "close" or something.
>
> BTW, note that ldap_unbind() is also the destructor for the C LDAP*

If the client does a ldap_search() without doing a ldap_bind(), how / where does it present its credentials to the server? When I tried a ldap_search() without doing a ldap_bind() I got an error that said "A successful bind should have been done before this operation". This was with an OpenLDAP client and Active Directory 2008 server.

> > If LDAP descriptor (ld) is valid and can be used for multiple
> > ldap_search() calls, when does it become invalid? Is it time based,
> > say ld becomes invalid after 10 minutes?
>
> That's up to the server. Ours has set idletimeout so the server closes
> the connection if the client has been passive for some minutes.

Can you kindly tell me the minimum, default and maximum timeout values? Or point me to documentation that talks about them?

> > I have an application which needs to search the LDAP server for some
> > specific attributes of users. The user name is taken as input from the
> > command line. Is it necessary to do a ldap_bind() before each ldap_search()
> > call? Doesn't this make it costly?
>
> Depends on the access controls set in the server. If the attributes are
> publicly available, don't bother to Bind.
>
> > Can I do ldap_bind() once and call ldap_search() many times? When does my
> > "bind" become invalid?
>
> (a) Yes, and (b) if you use Simple Bind, not until you Bind again or the
> connection is closed. Some authentication methods (Kerberos I think)
> will time out a Bind after a while, but the descriptor might still
> remain useful - presumably you'll have to Bind again, even if just
> anonymously. I haven't tried.
>
> > Can my application do this:
> > #1 - bind to a LDAP server during initialization
> > #2- then do an ldap_search() whenever required
> > #3- then invalidate the ld after 10 minutes
> > #4- do a ldap_bind() again and repeat from #2?
>
> Another Bind invalidates the previous Bind, if that's what you mean.
>
> You should be prepared for losing the connection (LDAP_SERVER_DOWN),
> e.g. due to an idletimeout set in the server. If so, to ldap_unbind,
> connect and Bind again, and proceed.

Is there any way (for example, a part of bind reply) for the LDAP
client to get to know about the session timeout so that the client can
try to unbind and bind again before session expiry? Or does the client know about
session expiry only after one of its LDAP operations fail with LDAP_SERVER_DOWN?