Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
LDAP_BIND(3)		   Library Functions Manual		  LDAP_BIND(3)

       ldap_bind,     ldap_bind_s,    ldap_simple_bind,	   ldap_simple_bind_s,
       ldap_sasl_bind,	   ldap_sasl_bind_s,	 ldap_sasl_interactive_bind_s,
       ldap_parse_sasl_bind_result,   ldap_unbind,   ldap_unbind_s,   ldap_un-
       bind_ext, ldap_unbind_ext_s, ldap_set_rebind_proc - LDAP	bind routines

       OpenLDAP	LDAP (libldap, -lldap)

       #include	<ldap.h>

       int ldap_bind(LDAP *ld, const char *who,	const char *cred,
	      int method);

       int ldap_bind_s(LDAP *ld, const char *who, const	char *cred,
	      int method);

       int ldap_simple_bind(LDAP *ld, const char *who, const char *passwd);

       int ldap_simple_bind_s(LDAP *ld,	const char *who, const char *passwd);

       int ldap_sasl_bind(LDAP *ld, const char *dn, const char *mechanism,
	      struct berval *cred, LDAPControl *sctrls[],
	      LDAPControl *cctrls[], int *msgidp);

       int ldap_sasl_bind_s(LDAP *ld, const char *dn, const char *mechanism,
	      struct berval *cred, LDAPControl *sctrls[],
	      LDAPControl *cctrls[], struct berval **servercredp);

       int ldap_parse_sasl_bind_result(LDAP *ld, LDAPMessage *res,
	      struct berval **servercredp, int freeit);

       int ldap_sasl_interactive_bind_s(LDAP *ld, const	char *dn,
	      const char *mechs,
	      LDAPControl *sctrls[], LDAPControl *cctrls[],
	      unsigned flags, LDAP_SASL_INTERACT_PROC *interact,
	      void *defaults);

       int ldap_sasl_interactive_bind(LDAP *ld,	const char *dn,
	      const char *mechs,
	      LDAPControl *sctrls[], LDAPControl *cctrls[],
	      unsigned flags, LDAP_SASL_INTERACT_PROC *interact,
	      void *defaults, LDAPMessage *result,
	      const char **rmechp, int *msgidp);

       int (LDAP_SASL_INTERACT_PROC)(LDAP *ld, unsigned	flags, void *defaults, void *sasl_interact);

       int ldap_unbind(LDAP *ld);

       int ldap_unbind_s(LDAP *ld);

       int ldap_unbind_ext(LDAP	*ld, LDAPControl *sctrls[],
	      LDAPControl *cctrls[]);

       int ldap_unbind_ext_s(LDAP *ld, LDAPControl *sctrls[],
	      LDAPControl *cctrls[]);

       int ldap_set_rebind_proc	(LDAP *ld, LDAP_REBIND_PROC *ldap_proc,	void *params);

       int (LDAP_REBIND_PROC)(LDAP *ld,	LDAP_CONST char	*url, ber_tag_t	request, ber_int_t msgid, void *params);

       These routines provide various interfaces to the	LDAP  bind  operation.
       After an	association with an LDAP server	is made	using ldap_init(3), an
       LDAP bind operation should be performed before other operations are at-
       tempted	over the connection.  An LDAP bind is required when using Ver-
       sion 2 of the LDAP protocol; it is optional for Version 3 but  is  usu-
       ally needed due to security considerations.

       There  are three	types of bind calls, ones providing simple authentica-
       tion, ones providing SASL authentication, and general routines  capable
       of doing	either simple or SASL authentication.

       SASL  (Simple  Authentication  and Security Layer) can negotiate	one of
       many different kinds of authentication.	Both synchronous and asynchro-
       nous  versions of each variant of the bind call are provided.  All rou-
       tines take ld as	their first parameter, as returned from	ldap_init(3).

       The simplest form of the	bind call is ldap_simple_bind_s().   It	 takes
       the  DN to bind as in who, and the userPassword associated with the en-
       try in passwd.  It returns  an  LDAP  error  indication	(see  ldap_er-
       ror(3)).	  The ldap_simple_bind() call is asynchronous, taking the same
       parameters but only initiating the bind	operation  and	returning  the
       message	id of the request it sent.  The	result of the operation	can be
       obtained	  by   a   subsequent	 call	 to    ldap_result(3).	   The
       ldap_sasl_bind_s() and asynchronous ldap_sasl_bind() functions can also
       be used to make a simple	bind by	using  LDAP_SASL_SIMPLE	 as  the  SASL

       The ldap_bind() and ldap_bind_s() routines can be used when the authen-
       tication	method to use needs to be selected at runtime.	They both take
       an  extra  method parameter selecting the authentication	method to use.
       It should be set	to LDAP_AUTH_SIMPLE to select  simple  authentication.
       ldap_bind()  returns  the  message  id  of  the	request	 it initiates.
       ldap_bind_s() returns an	LDAP error indication.

       For SASL	binds the server always	ignores	any provided DN, so the	dn pa-
       rameter	should always be NULL.	ldap_sasl_bind_s() sends a single SASL
       bind request with the given SASL	mechanism and credentials in the  cred
       parameter. The format of	the credentials	depends	on the particular SASL
       mechanism in use. For mechanisms	that provide mutual authentication the
       server's	 credentials  will  be	returned in the	servercredp parameter.
       The routine returns an LDAP error indication (see ldap_error(3)).   The
       ldap_sasl_bind()	 call  is asynchronous,	taking the same	parameters but
       only sending the	request	and returning the message id of	the request it
       sent.  The result of the	operation can be obtained by a subsequent call
       to  ldap_result(3).   The  result  must	be  additionally   parsed   by
       ldap_parse_sasl_bind_result()  to  obtain  any  server credentials sent
       from the	server.

       Many SASL mechanisms require multiple message exchanges	to  perform  a
       complete	   authentication.    Applications    should   generally   use
       ldap_sasl_interactive_bind_s()	rather	 than	calling	  the	 basic
       ldap_sasl_bind()	functions directly. The	mechs parameter	should contain
       a space-separated list of candidate mechanisms to use. If this  parame-
       ter is NULL or empty the	library	will query the supportedSASLMechanisms
       attribute from the server's rootDSE for the list	of SASL	mechanisms the
       server  supports.  The flags parameter controls the interaction used to
       retrieve	any necessary SASL authentication parameters and should	be one

	      use defaults if available, prompt	otherwise

	      always prompt

	      never prompt

       The  interact  function	uses  the provided defaults to handle requests
       from the	SASL library for particular authentication  parameters.	 There
       is  no  defined	format	for  the defaults information; it is up	to the
       caller to use whatever format is	appropriate for	the supplied  interact
       function.   The	sasl_interact parameter	comes from the underlying SASL
       library.	When used with Cyrus SASL this is an array of  sasl_interact_t
       structures. The Cyrus SASL library will prompt for a variety of inputs,

	      the realm	for the	authentication attempt

	      the username to authenticate

	      the password for the provided username

	      the username to use for proxy authorization

	      generic prompt for input with input echoing disabled

	      generic prompt for input with input echoing enabled

	      indicates	the end	of the array of	prompts

       See the Cyrus SASL documentation	for more details.

       Applications which need to manage connections  asynchronously  may  use
       ldap_sasl_interactive_bind()  instead  of  the  synchronous version.  A
       valid mechs parameter must be supplied, otherwise the library  will  be
       forced to query the server for a	list of	supported mechanisms, and this
       query will be performed synchronously.  The other  parameters  are  the
       same as for the synchronous function, with three	additional parameters.
       The actual SASL mechanism that was used,	and the	 message  ID  for  use
       with ldap_result() will be returned in rmechp and msgidp, respectively.
       The value in rmechp must	not be modified	by  the	 caller	 and  must  be
       passed back on each subsequent call. The	message	obtained from ldap_re-
       sult() must be passed in	the result parameter.  This parameter must  be
       NULL  when  initiating a	new Bind. The caller must free the result mes-
       sage after each	call  using  ldap_msgfree().   The  ldap_sasl_interac-
       tive_bind()  function  returns  an  LDAP	 result	 code.	If the code is
       LDAP_SASL_BIND_IN_PROGRESS then the Bind	is not complete	yet, and  this
       function	must be	called again with the next result from the server.

       The ldap_set_rebind_proc	function() sets	the process to use for binding
       when an operation returns a referral. This function is used when	an ap-
       plication needs to bind to another server in order to follow a referral
       or search continuation reference.

       The function takes ld, the rebind function, and the params,  the	 arbi-
       trary  data like	state information which	the client might need to prop-
       erly rebind.  The LDAP_OPT_REFERRALS option in the ld must be set to ON
       for  the	 libraries to use the rebind function. Use the ldap_set_option
       function	to set the value.

       The rebind function parameters are as follows:

       The ld parameter	must be	used by	the application	when  binding  to  the
       referred	 server	 if  the application wants the libraries to follow the

       The url parameter points	to the URL referral string received  from  the
       LDAP  server.  The LDAP application can use the ldap_url_parse(3) func-
       tion to parse the string	into its components.

       The request parameter specifies the type	of request that	generated  the

       The  msgid parameter specifies the message ID of	the request generating
       the referral.

       The params parameter is the same	value  as  passed  originally  to  the
       ldap_set_rebind_proc() function.

       The  LDAP  libraries  set  all the parameters when they call the	rebind
       function. The application should	not attempt to free either the	ld  or
       the url structures in the rebind	function.

       The application must supply to the rebind function the required authen-
       tication	information such as, user name,	 password,  and	 certificates.
       The rebind function must	use a synchronous bind method.

       The  ldap_unbind() call is used to unbind from the directory, terminate
       the current association,	and free the resources	contained  in  the  ld
       structure.   Once  it  is  called, the connection to the	LDAP server is
       closed, and the ld structure is invalid.	 The ldap_unbind_s()  call  is
       just  another  name for ldap_unbind(); both of these calls are synchro-
       nous in nature.

       The ldap_unbind_ext() and ldap_unbind_ext_s() allows the	operations  to
       specify	controls.

       Asynchronous  routines  will  return  -1	 in case of error, setting the
       ld_errno	parameter of the ld structure.	 Synchronous  routines	return
       whatever	ld_errno is set	to.  See ldap_error(3) for more	information.

       If  an  anonymous  bind	is  sufficient for the application, the	rebind
       process need not	be provided. The LDAP libraries	with the  LDAP_OPT_RE-
       FERRALS	option set to ON (default value) will automatically follow re-
       ferrals using an	anonymous bind.

       If the application needs	 stronger  authentication  than	 an  anonymous
       bind,  you  need	 to  provide  a	rebind process for that	authentication
       method.	The bind method	must be	synchronous.

       ldap(3),	    ldap_error(3),	ldap_open(3),	   ldap_set_option(3),
       ldap_url_parse(3)  RFC  4422  (,  Cyrus  SASL

       OpenLDAP	Software is developed and maintained by	The  OpenLDAP  Project
       <>.  OpenLDAP Software is derived from the Uni-
       versity of Michigan LDAP	3.3 Release.

OpenLDAP 2.6.1			  2022/01/20			  LDAP_BIND(3)


Want to link to this manual page? Use this URL:

home | help