xref: /illumos-gate/usr/src/man/man3ldap/ldap_bind.3ldap (revision dd72704bd9e794056c558153663c739e2012d721)
te
Copyright (C) 1990, Regents of the University of Michigan. All Rights Reserved.
Portions Copyright 2004, Sun Microsystems, Inc. All Rights Reserved.
The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
LDAP_BIND 3LDAP "Jan 14, 2004"
NAME
ldap_bind, ldap_bind_s, ldap_sasl_bind, ldap_sasl_bind_s, ldap_simple_bind, ldap_simple_bind_s, ldap_unbind, ldap_unbind_s, ldap_unbind_ext, ldap_set_rebind_proc, ldap_sasl_interactive_bind_s - LDAP bind functions
SYNOPSIS

cc [ flag... ] file... -lldap [ library... ]
#include <lber.h>
#include <ldap.h>

int ldap_bind(LDAP *ld, char *who, char *cred, int method);

int ldap_bind_s(LDAP *ld, char *who, char *cred, int method);

int ldap_simple_bind(LDAP *ld, char *who, char *passwd);

int ldap_simple_bind_s(LDAP *ld, char *who, char *passwd);

int ldap_unbind(LDAP *ld);

int ldap_unbind_s(LDAP *ld);

int ldap_unbind_ext(LDAP *ld, LDAPControl **serverctrls,
 LDAPControl **clientctrls);

void ldap_set_rebind_proc(LDAP *ld, int (*rebindproc);

int ldap_sasl_bind(LDAP *ld, char *dn, char *mechanism,
 struct berval **serverctrls, LDAPControl **clientctrls,
 int *msgidp);

int ldap_sasl_bind_s(LDAP *ld, char *dn, char *mechanism,
 struct berval *cred, LDAPControl **serverctrls,
 LDAPControl **clientctrls);

int ldap_sasl_interactive_bind_s(LDAP *ld, char *dn,
 char *saslMechanism, LDAPControl **sctrl, LDAPControl **cctrl,
 LDAPControl **unsigned flags, LDAP_SASL_INTERACT_PROC *callback,
 void *defaults);
DESCRIPTION

These functions provide various interfaces to the LDAP bind operation. After a connection is made to an LDAP server, the ldap_bind() function returns the message ID of the request initiated. The ldap_bind_s() function returns an LDAP error code.

"Simple Authentication"

The simplest form of the bind call is ldap_simple_bind_s(). The function takes the DN (Distinguished Name) of the dn parameter and the userPassword associated with the entry in passwd to return an LDAP error code. See ldap_error(3LDAP).

The ldap_simple_bind() call is asynchronous. The function takes the same parameters as ldap_simple_bind_s() but initiates the bind operation and returns the message ID of the request sent. The result of the operation can be obtained by a subsequent call to ldap_result(3LDAP).

"General Authentication"

The ldap_bind() and ldap_bind_s() functions are used to select the authentication method at runtime. Both functions take an extra method parameter to set the authentication method. For simple authentication, the method parameter is set to LDAP_AUTH_SIMPLE. The ldap_bind() function returns the message id of the request initiated. The ldap_bind_s() function returns an LDAP error code.

"SASL Authentication"

The ldap_sasl_bind() and ldap_sasl_bind_s() functions are used for general and extensible authentication over LDAP through the use of the Simple Authentication Security Layer. The routines both take the DN to bind as the authentication method. A dotted-string representation of an OID identifies the method, and the berval structure holds the credentials. The special constant value LDAP_SASL_SIMPLE ("") can be passed to request simple authentication. Otherwise, the ldap_simple_bind() function or the ldap_simple_bind_s() function can be used.

The ldap_sasl_interactive_bind_s() helper function takes its data and performs the necessary ldap_sasl_bind() and associated SASL library authentication sequencing with the LDAP server that uses the provided connection (ld).

Upon a successful bind, the ldap_sasl_bind() function will, if negotiated by the SASL interface, install the necessary internal libldap plumbing to enable SASL integrity and privacy (over the wire encryption) with the LDAP server.

The LDAP_SASL_INTERACTIVE option flag is passed to the libldap API through the flags argument of the API. The flag tells the API to use the SASL interactive mode and to have the API request SASL authentication data through the LDAP_SASL_INTERACTIVE_PROC callback as needed. The callback provided is in the form:

typedef int (LDAP_SASL_INTERACT_PROC)
 (LDAP *ld, unsigned flags, void* defaults, void *interact);

The user-provided SASL callback is passed to the current LDAP connection pointer, the current flags field, an optional pointer to user-defined data, and the list of sasl_interact_t authentication values requested by libsasl(3LIB) to complete authentication.

The user-defined callback collects and returns the authentication information in the sasl_interact_t array according to libsasl rules. The authentication information can include user IDs, passwords, realms, or other information defined by SASL. The SASL library uses this date during sequencing to complete authentication.

"Unbinding"

The ldap_unbind() call is used to unbind from a directory, to terminate the current association, and to free the resources contained in the ld structure. Once the function is called, the connection to the LDAP server is closed and the ld structure is invalid. The ldap_unbind_s() and ldap_unbind() calls are identical and synchronous in nature.

The ldap_unbind_ext() function is used to unbind from a directory, to terminate the current association, and to free the resources contained in the LDAP structure. Unlike ldap_unbind() and ldap_unbind_s(), both server and client controls can be explicitly included with ldap_unbind_ext() requests. No server response is made to an unbind request and responses should not be expected from server controls included with unbind requests.

"Rebinding While Following Referral"

The ldap_set_rebind_proc() call is used to set a function called back to obtain bind credentials. The credentials are used when a new server is contacted after an LDAP referral. If ldap_set_rebind_proc() is never called, or if it is called with a NULL rebindproc parameter, an unauthenticated simple LDAP bind is always done when chasing referrals.

The rebindproc() function is declared as shown below:

int rebindproc(LDAP *ld, char **whop, char **credp,
 int *methodp, int freeit);

The LDAP library first calls the rebindproc() to obtain the referral bind credentials. The freeit parameter is zero. The whop, credp, and methodp parameters should be set as appropriate. If rebindproc() returns LDAP_SUCCESS, referral processing continues. The rebindproc() is called a second time with a non-zero freeit value to give the application a chance to free any memory allocated in the previous call.

If anything but LDAP_SUCCESS is returned by the first call to rebindproc(), referral processing is stopped and the error code is returned for the original LDAP operation.

RETURN VALUES

Make a call to ldap_result(3LDAP) to obtain the result of a bind operation.

ERRORS

Asynchronous functions will return -1 in case of error. See ldap_error(3LDAP) for more information on error codes returned. If no credentials are returned, the result parameter is set to NULL.

ATTRIBUTES

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE ATTRIBUTE VALUE
Interface Stability Evolving
MT-Level Safe
SEE ALSO

ldap (3LDAP), ldap_error (3LDAP), ldap_open (3LDAP), ldap_result (3LDAP), libsasl (3LIB), attributes (7)