Hi all,
I see that most LDAP utilities (openldap included) do a ldap_bind() before every ldap_search(). Is this mandatory?
If LDAP descriptor (ld) is valid and can be used for multiple ldap_search() calls, when does it become invalid? Is it time based, say ld becomes invalid after 10 minutes?
I have an application which needs to search the LDAP server for some specific attributes of users. The user name is taken as input from the command line. Is it necessary to do a ldap_bind() before each ldap_search() call? Doesn't this make it costly? Can I do ldap_bind() once and call ldap_search() many times? When does my "bind" become invalid?
Can my application do this: #1 - bind to a LDAP server during initialization #2- then do an ldap_search() whenever required #3- then invalidate the ld after 10 minutes #4- do a ldap_bind() again and repeat from #2?
Can someone kindly clarify?
Thanks, Shankar
Shankar Anand R writes:
I see that most LDAP utilities (openldap included) do a ldap_bind() before every ldap_search(). Is this mandatory?
No, not in LDAPv3. It was mandatory in LDAPv2: You started a session with bind and ended it with unbind - which is why the latter is misnamed, it should have been called "close" or something. BTW, note that ldap_unbind() is also the destructor for the C LDAP* structure.
If LDAP descriptor (ld) is valid and can be used for multiple ldap_search() calls, when does it become invalid? Is it time based, say ld becomes invalid after 10 minutes?
That's up to the server. Ours has set idletimeout so the server closes the connection if the client has been passive for some minutes.
I have an application which needs to search the LDAP server for some specific attributes of users. The user name is taken as input from the command line. Is it necessary to do a ldap_bind() before each ldap_search() call? Doesn't this make it costly?
Depends on the access controls set in the server. If the attributes are publicly available, don't bother to Bind.
Can I do ldap_bind() once and call ldap_search() many times? When does my "bind" become invalid?
(a) Yes, and (b) if you use Simple Bind, not until you Bind again or the connection is closed. Some authentication methods (Kerberos I think) will time out a Bind after a while, but the descriptor might still remain useful - presumably you'll have to Bind again, even if just anonymously. I haven't tried.
Can my application do this: #1 - bind to a LDAP server during initialization #2- then do an ldap_search() whenever required
Yes...
#3- then invalidate the ld after 10 minutes
Another Bind invalidates the previous Bind, if that's what you mean.
#4- do a ldap_bind() again and repeat from #2?
Yup.
You should be prepared for losing the connection (LDAP_SERVER_DOWN), e.g. due to an idletimeout set in the server. If so, to ldap_unbind, connect and Bind again, and proceed.
Thanks for the reply. Queries inline.
On Tue, Nov 9, 2010 at 1:46 PM, Hallvard B Furuseth <h.b.furuseth@usit.uio.no> wrote:
Shankar Anand R writes:
I see that most LDAP utilities (openldap included) do a ldap_bind() before every ldap_search(). Is this mandatory?
No, not in LDAPv3. It was mandatory in LDAPv2: You started a session with bind and ended it with unbind - which is why the latter is misnamed, it should have been called "close" or something. BTW, note that ldap_unbind() is also the destructor for the C LDAP* structure.
If the client does a ldap_search() without doing a ldap_bind() how / where does it present its credentials to the server? When I tried a ldap_search() without doing a ldap_bind() I got an error that said "A successful bind should have been done before this operation". This was with an OpenLDAP client and Active Directory 2008 server.
If LDAP descriptor (ld) is valid and can be used for multiple ldap_search() calls, when does it become invalid? Is it time based, say ld becomes invalid after 10 minutes?
That's up to the server. Ours has set idletimeout so the server closes the connection if the client has been passive for some minutes.
Can you kindly tell me the minimum, default and maximum timeout values? Or point me to documentation that talks about them?
I have an application which needs to search the LDAP server for some specific attributes of users. The user name is taken as input from the command line. Is it necessary to do a ldap_bind() before each ldap_search() call? Doesn't this make it costly?
Depends on the access controls set in the server. If the attributes are publicly available, don't bother to Bind.
Can I do ldap_bind() once and call ldap_search() many times? When does my "bind" become invalid?
(a) Yes, and (b) if you use Simple Bind, not until you Bind again or the connection is closed. Some authentication methods (Kerberos I think) will time out a Bind after a while, but the descriptor might still remain useful - presumably you'll have to Bind again, even if just anonymously. I haven't tried.
Can my application do this: #1 - bind to a LDAP server during initialization #2- then do an ldap_search() whenever required
Yes...
#3- then invalidate the ld after 10 minutes
Another Bind invalidates the previous Bind, if that's what you mean.
#4- do a ldap_bind() again and repeat from #2?
Yup.
You should be prepared for losing the connection (LDAP_SERVER_DOWN), e.g. due to an idletimeout set in the server. If so, to ldap_unbind, connect and Bind again, and proceed.
Is there any way (for example, a part of bind reply) for the LDAP client to get to know about the session timeout so that the client can try to unbind and bind again before session expiry? Or does the client know about session expiry only after one of its LDAP operations fail with LDAP_SERVER_DOWN?
-- Hallvard
Someone who knows Active Directory might give better answers, since your remaining questions relate to the server, not the client. Try your sysadmin, ldap@umich.edu, or some AD-specific group.
Shankar Anand R writes:
If the client does a ldap_search() without doing a ldap_bind() how / where does it present its credentials to the server? When I tried a ldap_search() without doing a ldap_bind() I got an error that said "A successful bind should have been done before this operation". This was with an OpenLDAP client and Active Directory 2008 server.
Ah, OK. In that case you just have to do what the server says. The LDAP spec doesn't require it but the server may, as you see.
Can you kindly tell me the minimum, default and maximum timeout values? Or point me to documentation that talks about them?
As far as the LDAP spec is concerned there aren't any. Check with your server's sysadmin, these may be per-server settings (if they are set).
You should be prepared for losing the connection (LDAP_SERVER_DOWN), e.g. due to an idletimeout set in the server. If so, to ldap_unbind, connect and Bind again, and proceed.
Is there any way (for example, a part of bind reply) for the LDAP client to get to know about the session timeout so that the client can try to unbind and bind again before session expiry? Or does the client know about session expiry only after one of its LDAP operations fail with LDAP_SERVER_DOWN?
The latter. Well, the client can poll for results asynchronously even if it isn't expecting any, and check for LDAP_SERVER_DOWN.
On Tue, Nov 9, 2010 at 2:22 PM, Hallvard B Furuseth <h.b.furuseth@usit.uio.no> wrote:
Someone who knows Active Directory might give better answers, since your remaining questions relate to the server, not the client. Try your sysadmin, ldap@umich.edu, or some AD-specific group.
Shankar Anand R writes:
If the client does a ldap_search() without doing a ldap_bind() how / where does it present its credentials to the server? When I tried a ldap_search() without doing a ldap_bind() I got an error that said "A successful bind should have been done before this operation". This was with an OpenLDAP client and Active Directory 2008 server.
Ah, OK. In that case you just have to do what the server says. The LDAP spec doesn't require it but the server may, as you see.
Can you kindly tell me the minimum, default and maximum timeout values? Or point me to documentation that talks about them?
As far as the LDAP spec is concerned there aren't any. Check with your server's sysadmin, these may be per-server settings (if they are set).
You should be prepared for losing the connection (LDAP_SERVER_DOWN), e.g. due to an idletimeout set in the server. If so, to ldap_unbind, connect and Bind again, and proceed.
Is there any way (for example, a part of bind reply) for the LDAP client to get to know about the session timeout so that the client can try to unbind and bind again before session expiry? Or does the client know about session expiry only after one of its LDAP operations fail with LDAP_SERVER_DOWN?
The latter. Well, the client can poll for results asynchronously even if it isn't expecting any, and check for LDAP_SERVER_DOWN.
I tried making a call to ldap_result() even though I was not expecting any results. I made this call just before doing an ldap_bind() and also just after calling the ldap_result() that fetched the bind result. Both times ldap_result() returned 0 and the LDAP_OPT_RESULT_CODE gave me LDAP_TIMEOUT (-5).
The first call to ldap_result() was before binding. Here the session was not yet established. The second call was after a successful ldap_bind(). I don't understand why I was getting the result mentioned above in both the cases.
What is the expected reply from ldap_result() when there is no operation result currently expected but the session is still valid? Is it the right / only way for a client to poll a server to check if the session has expired and it is time to do a ldap_bind() again? Is there any other way out?
- Shankar
To be clear, whether you have to bind at all is up to the server, but you only ever have to bind once per connection, not once per search request or other operation.
There is no way to present credentials without a bind; that's what binding is for. But an implementation may allow the bind to be skipped entirely and assume anonymous access. To be maximally portable, though, even if using anonymous access, you should do an explicit bind (a simple bind with an empty password is anonymous - even if a username is specified).
On Tue, Nov 9, 2010 at 8:10 PM, Mark J. Reed markjreed@gmail.com wrote:
To be clear, whether you have to bind at all is up to the server, but you only ever have to bind once per connection, not once per search request or other operation.
Thanks for the explanation.
My question is how long does the connection stay valid? If this is a configurable parameter of the server, how does the client know if the connection is still valid before trying the next operation? Is failure of the operation the only way for the client to know that the connection has expired? Or can there be a more graceful way by which the client can detect that the connection is about to expire (or just expired) and can reconnect before trying the next LDAP operation?
There is no way to present credentials without a bind; that's what binding is for. But an implementation may allow the bind to be skipped entirely and assume anonymous access. To be maximally portable, though, even if using anonymous access, you should do an explicit bind (a simple bind with an empty password is anonymous - even if a username is specified).
-- Mark J. Reed markjreed@gmail.com
On Tue, Nov 9, 2010 at 11:37 AM, Shankar Anand R shankaranand@gmail.com wrote:
My question is how long does the connection stay valid?
Too many variables involved to answer that question. Client software, server software, policies of intervening network equipment and/or proxies...
Is failure of the operation the only way for the client to know that the connection has expired?
IME, yes. You have to try some operation to get an indication that there's a problem with the connection. And then you have to examine the specific error response you get to determine that it's not a malformed filter or something else.
The details of the response vary among different server implementations. This being an OpenLDAP list, someone may have the details you need for the particular case of slapd. For what it's worth, when using Active Directory and eDirectory, I've so far not run into a case where a re-bind sufficed; I always have to close the whole connection and reconnect.
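The connection policy Hallvard describes earlier in the thread (bind once, search many times, and on LDAP_SERVER_DOWN unbind, reconnect and bind again), Mark's point that the client has to inspect the specific error before treating a failure as a lost connection, and the ldap_result() polling question, modelled in plain Python. This is an added example, not code from any poster in this thread or from OpenLDAP: FakeLdapConnection is a constructed stand-in for an LDAP* handle that imitates a server idletimeout through an injected clock, and LdapSession is the wrapper an application would put around the real ldap_bind()/ldap_search()/ldap_unbind() calls. The result-code values are the OpenLDAP ones (LDAP_SERVER_DOWN = -1, LDAP_TIMEOUT = -5, LDAP_FILTER_ERROR = 0x57); the DNs, filters and timeout values are made up for the example.

```python
"""Connection-reuse policy for an LDAP client, modelled without a server.

FakeLdapConnection is a constructed stand-in for an LDAP* handle; the
clock it is given lets the example fake a server-side idletimeout.
"""

LDAP_SUCCESS = 0
LDAP_SERVER_DOWN = -1     # client-side code: the connection is gone
LDAP_TIMEOUT = -5         # ldap_result() had nothing within the timeout
LDAP_FILTER_ERROR = 0x57  # server refused a malformed search filter


class FakeLdapConnection:
    """Imitates one connection to a server configured with idletimeout."""

    def __init__(self, idletimeout, clock):
        self.idletimeout = idletimeout
        self.clock = clock
        self.last_activity = clock()
        self.bound_as = None
        self.closed = False

    def _server_dropped_us(self):
        # Idle longer than idletimeout: the server has closed the connection.
        if self.clock() - self.last_activity > self.idletimeout:
            self.closed = True
        return self.closed

    def bind(self, dn, password):
        if self._server_dropped_us():
            return LDAP_SERVER_DOWN
        self.last_activity = self.clock()
        # A simple bind with an empty password is anonymous, whatever the DN;
        # a new bind replaces the identity the previous one established.
        self.bound_as = dn if password else ""
        return LDAP_SUCCESS

    def search(self, base, filt):
        if self._server_dropped_us():
            return LDAP_SERVER_DOWN, None
        self.last_activity = self.clock()
        if filt.count("(") != filt.count(")"):
            return LDAP_FILTER_ERROR, None
        return LDAP_SUCCESS, [f"{base}: {filt} as {self.bound_as!r}"]

    def poll(self):
        """ldap_result() with nothing outstanding: LDAP_TIMEOUT on a live
        connection, LDAP_SERVER_DOWN once the server has closed it."""
        return LDAP_SERVER_DOWN if self._server_dropped_us() else LDAP_TIMEOUT

    def unbind(self):
        # ldap_unbind() closes the connection and frees the handle.
        self.closed = True


class LdapSession:
    """Bind once, search many times; rebuild the connection only on
    LDAP_SERVER_DOWN and never retry an error the server returned on purpose."""

    def __init__(self, connect, dn, password):
        self.connect = connect      # factory returning a fresh connection
        self.dn, self.password = dn, password
        self.ld = None
        self.reconnects = 0

    def _open(self):
        if self.ld is not None:
            self.ld.unbind()        # drop the dead handle before reconnecting
            self.reconnects += 1
        self.ld = self.connect()
        return self.ld.bind(self.dn, self.password)

    def search(self, base, filt):
        if self.ld is None:
            rc = self._open()
            if rc != LDAP_SUCCESS:
                return rc, None
        rc, entries = self.ld.search(base, filt)
        if rc == LDAP_SERVER_DOWN:
            # Exactly one reconnect-and-retry; a second failure is reported.
            rc = self._open()
            if rc != LDAP_SUCCESS:
                return rc, None
            rc, entries = self.ld.search(base, filt)
        return rc, entries


def demo(idletimeout=600):
    """Constructed run: returns the four result codes and the reconnect count."""
    now = [0.0]
    connect = lambda: FakeLdapConnection(idletimeout, lambda: now[0])
    s = LdapSession(connect, "cn=app,dc=example,dc=com", "secret")
    rc1, _ = s.search("dc=example,dc=com", "(uid=alice)")  # binds, then searches
    now[0] += 60
    rc2, _ = s.search("dc=example,dc=com", "(uid=bob)")    # same bind reused
    now[0] += idletimeout + 300                            # server drops us
    rc3, _ = s.search("dc=example,dc=com", "(uid=carol)")  # reconnect, retry
    rc4, _ = s.search("dc=example,dc=com", "(uid=dave")    # bad filter, no retry
    return rc1, rc2, rc3, rc4, s.reconnects


def poll_demo(idletimeout=600):
    """Polling an idle connection before and after the server drops it."""
    now = [0.0]
    ld = FakeLdapConnection(idletimeout, lambda: now[0])
    ld.bind("", "")
    alive = ld.poll()                  # LDAP_TIMEOUT: healthy, nothing pending
    now[0] += idletimeout + 1
    return alive, ld.poll()            # LDAP_SERVER_DOWN after the idletimeout


if __name__ == "__main__":
    print(demo(), poll_demo())
```

demo() shows the session re-binding exactly once when the server has dropped the connection while handing a malformed filter straight back without a reconnect, and poll_demo() shows why polling a healthy idle connection yields LDAP_TIMEOUT, which is what Shankar observed. The fake only reports LDAP_SERVER_DOWN once its clock has passed the idletimeout, standing in for the client library noticing the closed socket on its next I/O; a real client gets no advance notice of the expiry.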
openldap-technical@openldap.org