Hello,
I've read something about slapd Unix socket connections. I noticed the notes about x-mod and permissions, about URL-encoding, etc.
However, how do I use ldapi with LDAP C SDK?
To be exact, how do I use a Unix socket with ldap_init? What about the bind operation? Does ldap_init support it? I've read some posts saying that ldapi was to be used for fast and insecure connections which do not require a bind operation. Anyway, should I care? I mean, is it really somehow faster than a TCP socket? My program does about 1-5 searches per operation, and there may be approximately 500 "operations" per second (actually an "operation" is an HTTP request). There are about 1-10 entries returned per search. Would it give some real performance boost?
But the posts I've read were quite old, and I couldn't find any usage examples, with or without bind. So, what's the current status and primary usage of ldapi in OpenLDAP?
Regards, Piotr
Piotr Wadas writes:
> To be exact, how do I use a Unix socket with ldap_init?
You don't. Use

    LDAP *ld;
    int rc = ldap_initialize(&ld, "ldapi://URL-escaped socket filename/");

By default, the socket file is something like "<prefix>/var/run/ldapi". If you want something else, you need URL-escaping for characters like "/" and ":", i.e. "/" becomes "%2F".
> What about the bind operation? Does ldap_init support it? I've read some posts saying that ldapi was to be used for fast and insecure connections which do not require a bind operation.
ldap_init() and ldap_initialize() do not Bind. The ldap_...bind...() functions Bind.
As for ldapi, you can use Bind as normal, like with DN and password. And on some hosts it also lets you use SASL bind method EXTERNAL and get a bind DN derived from your group ID and user ID, without giving a password. That could be insecure before 2.3.35. From 2.3.35 on, it does not work when it would have been insecure.
I haven't tried this in C, but it should be something like

    rc = ldap_sasl_bind_s(ld, NULL, "EXTERNAL", NULL, NULL, NULL, NULL);

The Bind DN becomes

    gidNumber=<your gid>,uidNumber=<your uid>,cn=peercred,cn=external,cn=auth

which you can rewrite to a prettier DN with the "authz-regexp" directive in slapd.conf (see man slapd.conf).
> Anyway, should I care? I mean, is it really somehow faster than a TCP socket?
Can be. But for me the main point is that cron jobs can authenticate without a password (or certificate+key) which must be stored somewhere.
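The steps from this reply put together as one program. This is an added example, not code from the thread or from OpenLDAP itself. The function names ldapi_url_from_path and ldapi_connect_external are made up for the example, HAVE_LIBLDAP is a build switch of the example only (so the URL-encoding part compiles and runs without libldap), and the default socket path /var/run/ldapi assumes an empty <prefix>. The escaping follows the reply's rule ("/" becomes "%2F", likewise ":"), extended to every byte outside the RFC 3986 unreserved set; the bind is the SASL EXTERNAL call exactly as given above, followed by a Who Am I request so you can see the gidNumber=...,uidNumber=...,cn=peercred,cn=external,cn=auth identity slapd derived from the peer credentials.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Build an ldapi:// URL for a Unix-domain socket path.  libldap reads the
 * URL's host part up to the next "/", so every "/" in the filesystem path
 * (and ":" as well) must be percent-encoded, e.g. "/" -> "%2F".  Everything
 * outside the RFC 3986 unreserved set is encoded.  The returned string is
 * malloc'd and must be freed by the caller; NULL means allocation failed.
 */
char *ldapi_url_from_path(const char *socket_path)
{
    static const char hex[] = "0123456789ABCDEF";
    const char prefix[] = "ldapi://";
    size_t len = strlen(socket_path);

    /* Worst case every byte expands to "%XX", plus prefix, trailing "/" and NUL. */
    char *url = malloc(sizeof prefix + 3 * len + 1);
    if (url == NULL)
        return NULL;

    strcpy(url, prefix);
    char *p = url + strlen(prefix);
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)socket_path[i];
        if (isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~') {
            *p++ = (char)c;
        } else {
            *p++ = '%';
            *p++ = hex[c >> 4];
            *p++ = hex[c & 0x0F];
        }
    }
    *p++ = '/';   /* ends the host part; an (empty) DN component would follow */
    *p = '\0';
    return url;
}

#ifdef HAVE_LIBLDAP   /* build with: cc -DHAVE_LIBLDAP example.c -lldap -llber */
#include <ldap.h>

/*
 * Connect to slapd over the Unix socket and bind with SASL EXTERNAL.  No
 * credentials are sent: slapd derives the identity from the peer's uid/gid.
 * Returns LDAP_SUCCESS or an LDAP error code; *ldp is NULL on failure.
 */
int ldapi_connect_external(const char *socket_path, LDAP **ldp)
{
    char *url = ldapi_url_from_path(socket_path);
    if (url == NULL)
        return LDAP_NO_MEMORY;

    int rc = ldap_initialize(ldp, url);   /* does not bind, only sets up ld */
    free(url);
    if (rc != LDAP_SUCCESS)
        return rc;

    int version = LDAP_VERSION3;
    ldap_set_option(*ldp, LDAP_OPT_PROTOCOL_VERSION, &version);

    /* The bind from the reply: mechanism EXTERNAL, no DN, no credentials. */
    rc = ldap_sasl_bind_s(*ldp, NULL, "EXTERNAL", NULL, NULL, NULL, NULL);
    if (rc != LDAP_SUCCESS) {
        ldap_unbind_ext_s(*ldp, NULL, NULL);
        *ldp = NULL;
    }
    return rc;
}
#endif

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/var/run/ldapi";   /* assumed default */
    char *url = ldapi_url_from_path(path);
    if (url == NULL)
        return 1;
    printf("URL: %s\n", url);
    free(url);

#ifdef HAVE_LIBLDAP
    LDAP *ld = NULL;
    int rc = ldapi_connect_external(path, &ld);
    if (rc != LDAP_SUCCESS) {
        fprintf(stderr, "ldapi bind failed: %s\n", ldap_err2string(rc));
        return 1;
    }
    /* Ask slapd who it thinks we are; without authz-regexp this is the
     * gidNumber=...,uidNumber=...,cn=peercred,cn=external,cn=auth DN. */
    struct berval *authzid = NULL;
    if (ldap_whoami_s(ld, &authzid, NULL, NULL) == LDAP_SUCCESS && authzid != NULL) {
        printf("bound as: %.*s\n", (int)authzid->bv_len, authzid->bv_val);
        ber_bvfree(authzid);
    }
    ldap_unbind_ext_s(ld, NULL, NULL);
#endif
    return 0;
}
```

Without -DHAVE_LIBLDAP the program only prints the encoded URL, which is handy for checking a non-default socket path before putting it in a config file. With it, the program binds and prints the peercred identity, so you can confirm what an authz-regexp rule in slapd.conf has to match.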
openldap-software@openldap.org