Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
LDAP_BIND(3)		   Library Functions Manual		  LDAP_BIND(3)

       ldap_bind,     ldap_bind_s,    ldap_simple_bind,	   ldap_simple_bind_s,
       ldap_sasl_bind,	   ldap_sasl_bind_s,	 ldap_sasl_interactive_bind_s,
       ldap_parse_sasl_bind_result,   ldap_unbind,   ldap_unbind_s,   ldap_un-
       bind_ext, ldap_unbind_ext_s, ldap_set_rebind_proc - LDAP	bind routines

       OpenLDAP	LDAP (libldap, -lldap)

       #include	<ldap.h>

       int ldap_bind(LDAP *ld, const char *who,	const char *cred,
	      int method);

       int ldap_bind_s(LDAP *ld, const char *who, const	char *cred,
	      int method);

       int ldap_simple_bind(LDAP *ld, const char *who, const char *passwd);

       int ldap_simple_bind_s(LDAP *ld,	const char *who, const char *passwd);

       int ldap_sasl_bind(LDAP *ld, const char *dn, const char *mechanism,
	      struct berval *cred, LDAPControl *sctrls[],
	      LDAPControl *cctrls[], int *msgidp);

       int ldap_sasl_bind_s(LDAP *ld, const char *dn, const char *mechanism,
	      struct berval *cred, LDAPControl *sctrls[],
	      LDAPControl *cctrls[], struct berval **servercredp);

       int ldap_parse_sasl_bind_result(LDAP *ld, LDAPMessage *res,
	      struct berval **servercredp, int freeit);

       int ldap_sasl_interactive_bind_s(LDAP *ld, const	char *dn,
	      const char *mechs,
	      LDAPControl *sctrls[], LDAPControl *cctrls[],
	      unsigned flags, LDAP_SASL_INTERACT_PROC *interact,
	      void *defaults);

       int ldap_sasl_interactive_bind(LDAP *ld,	const char *dn,
	      const char *mechs,
	      LDAPControl *sctrls[], LDAPControl *cctrls[],
	      unsigned flags, LDAP_SASL_INTERACT_PROC *interact,
	      void *defaults, LDAPMessage *result,
	      const char **rmechp, int *msgidp);

       int (LDAP_SASL_INTERACT_PROC)(LDAP *ld, unsigned	flags, void *defaults, void *sasl_interact);

       int ldap_unbind(LDAP *ld);

       int ldap_unbind_s(LDAP *ld);

       int ldap_unbind_ext(LDAP	*ld, LDAPControl *sctrls[],
	      LDAPControl *cctrls[]);

       int ldap_unbind_ext_s(LDAP *ld, LDAPControl *sctrls[],
	      LDAPControl *cctrls[]);

       int ldap_set_rebind_proc	(LDAP *ld, LDAP_REBIND_PROC *ldap_proc,	void *params);

       int (LDAP_REBIND_PROC)(LDAP *ld,	LDAP_CONST char	*url, ber_tag_t	request, ber_int_t msgid, void *params);

       These routines provide various interfaces to the	LDAP  bind  operation.
       After an	association with an LDAP server	is made	using ldap_init(3), an
       LDAP bind operation should be performed before other operations are at-
       tempted	over the connection.  An LDAP bind is required when using Ver-
       sion 2 of the LDAP protocol; it is optional for Version 3 but  is  usu-
       ally needed due to security considerations.

       There  are three	types of bind calls, ones providing simple authentica-
       tion, ones providing SASL authentication, and general routines  capable
       of doing	either simple or SASL authentication.

       SASL  (Simple  Authentication  and Security Layer) can negotiate	one of
       many different kinds of authentication.	Both synchronous and asynchro-
       nous  versions of each variant of the bind call are provided.  All rou-
       tines take ld as	their first parameter, as returned from	ldap_init(3).

       The simplest form of the	bind call is ldap_simple_bind_s().   It	 takes
       the  DN to bind as in who, and the userPassword associated with the en-
       try in passwd.  It returns  an  LDAP  error  indication	(see  ldap_er-
       ror(3)).	  The ldap_simple_bind() call is asynchronous, taking the same
       parameters but only initiating the bind	operation  and	returning  the
       message	id of the request it sent.  The	result of the operation	can be
       obtained	by a subsequent	call to	ldap_result(3).

       The ldap_bind() and ldap_bind_s() routines can be used when the authen-
       tication	method to use needs to be selected at runtime.	They both take
       an extra	method parameter selecting the authentication method  to  use.
       It  should  be set to LDAP_AUTH_SIMPLE to select	simple authentication.
       ldap_bind() returns  the	 message  id  of  the  request	it  initiates.
       ldap_bind_s() returns an	LDAP error indication.

       For SASL	binds the server always	ignores	any provided DN, so the	dn pa-
       rameter should always be	NULL.  ldap_sasl_bind_s() sends	a single  SASL
       bind  request with the given SASL mechanism and credentials in the cred
       parameter. The format of	the credentials	depends	on the particular SASL
       mechanism in use. For mechanisms	that provide mutual authentication the
       server's	credentials will be returned  in  the  servercredp  parameter.
       The  routine returns an LDAP error indication (see ldap_error(3)).  The
       ldap_sasl_bind()	call is	asynchronous, taking the same  parameters  but
       only sending the	request	and returning the message id of	the request it
       sent. The result	of the operation can be	obtained by a subsequent  call
       to   ldap_result(3).    The  result  must  be  additionally  parsed  by
       ldap_parse_sasl_bind_result() to	obtain	any  server  credentials  sent
       from the	server.

       Many  SASL  mechanisms  require multiple	message	exchanges to perform a
       complete	  authentication.   Applications    should    generally	   use
       ldap_sasl_interactive_bind_s()	 rather	  than	 calling   the	 basic
       ldap_sasl_bind()	functions directly. The	mechs parameter	should contain
       a  space-separated list of candidate mechanisms to use. If this parame-
       ter is NULL or empty the	library	will query the supportedSASLMechanisms
       attribute from the server's rootDSE for the list	of SASL	mechanisms the
       server supports.	The flags parameter controls the interaction  used  to
       retrieve	any necessary SASL authentication parameters and should	be one

	      use defaults if available, prompt	otherwise

	      always prompt

	      never prompt

       The interact function uses the provided	defaults  to  handle  requests
       from  the  SASL library for particular authentication parameters. There
       is no defined format for	the defaults information;  it  is  up  to  the
       caller  to use whatever format is appropriate for the supplied interact
       function.  The sasl_interact parameter comes from the  underlying  SASL
       library.	 When used with	Cyrus SASL this	is an array of sasl_interact_t
       structures. The Cyrus SASL library will prompt for a variety of inputs,

	      the realm	for the	authentication attempt

	      the username to authenticate

	      the password for the provided username

	      the username to use for proxy authorization

	      generic prompt for input with input echoing disabled

	      generic prompt for input with input echoing enabled

	      indicates	the end	of the array of	prompts

       See the Cyrus SASL documentation	for more details.

       Applications  which  need  to manage connections	asynchronously may use
       ldap_sasl_interactive_bind() instead of	the  synchronous  version.   A
       valid  mechs  parameter must be supplied, otherwise the library will be
       forced to query the server for a	list of	supported mechanisms, and this
       query  will  be	performed synchronously.  The other parameters are the
       same as for the synchronous function, with three	additional parameters.
       The  actual  SASL  mechanism  that was used, and	the message ID for use
       with ldap_result() will be returned in rmechp and msgidp, respectively.
       The  value  in  rmechp  must  not be modified by	the caller and must be
       passed back on each subsequent call. The	message	obtained from ldap_re-
       sult()  must be passed in the result parameter.	This parameter must be
       NULL when initiating a new Bind.	The caller must	free the  result  mes-
       sage  after  each  call	using  ldap_msgfree().	The ldap_sasl_interac-
       tive_bind() function returns an	LDAP  result  code.  If	 the  code  is
       LDAP_SASL_BIND_IN_PROGRESS  then	the Bind is not	complete yet, and this
       function	must be	called again with the next result from the server.

       The ldap_set_rebind_proc	function() sets	the process to use for binding
       when an operation returns a referral. This function is used when	an ap-
       plication needs to bind to another server in order to follow a referral
       or search continuation reference.

       The  function  takes ld,	the rebind function, and the params, the arbi-
       trary data like state information which the client might	need to	 prop-
       erly rebind.  The LDAP_OPT_REFERRALS option in the ld must be set to ON
       for the libraries to use	the rebind function. Use  the  ldap_set_option
       function	to set the value.

       The rebind function parameters are as follows:

       The  ld	parameter  must	be used	by the application when	binding	to the
       referred	server if the application wants	the libraries  to  follow  the

       The  url	 parameter points to the URL referral string received from the
       LDAP server.  The LDAP application can use the ldap_url_parse(3)	 func-
       tion to parse the string	into its components.

       The  request parameter specifies	the type of request that generated the

       The msgid parameter specifies the message ID of the request  generating
       the referral.

       The  params  parameter  is  the	same value as passed originally	to the
       ldap_set_rebind_proc() function.

       The LDAP	libraries set all the parameters when  they  call  the	rebind
       function.  The  application should not attempt to free either the ld or
       the url structures in the rebind	function.

       The application must supply to the rebind function the required authen-
       tication	 information  such  as,	user name, password, and certificates.
       The rebind function must	use a synchronous bind method.

       The ldap_unbind() call is used to unbind	from the directory,  terminate
       the  current  association,  and	free the resources contained in	the ld
       structure.  Once	it is called, the connection to	 the  LDAP  server  is
       closed,	and  the ld structure is invalid.  The ldap_unbind_s() call is
       just another name for ldap_unbind(); both of these calls	 are  synchro-
       nous in nature.

       The  ldap_unbind_ext() and ldap_unbind_ext_s() allows the operations to
       specify	controls.

       Asynchronous routines will return -1 in	case  of  error,  setting  the
       ld_errno	 parameter  of	the ld structure.  Synchronous routines	return
       whatever	ld_errno is set	to.  See ldap_error(3) for more	information.

       If an anonymous bind is sufficient  for	the  application,  the	rebind
       process	need not be provided. The LDAP libraries with the LDAP_OPT_RE-
       FERRALS option set to ON	(default value)	will automatically follow  re-
       ferrals using an	anonymous bind.

       If  the	application  needs  stronger  authentication than an anonymous
       bind, you need to provide a  rebind  process  for  that	authentication
       method.	The bind method	must be	synchronous.

       ldap(3),	     ldap_error(3),	 ldap_open(3),	   ldap_set_option(3),
       ldap_url_parse(3)  RFC  4422  (,  Cyrus  SASL

       OpenLDAP	 Software  is developed	and maintained by The OpenLDAP Project
       <>.  OpenLDAP Software is derived from the Uni-
       versity of Michigan LDAP	3.3 Release.

OpenLDAP 2.4.45			  2017/06/01			  LDAP_BIND(3)


Want to link to this manual page? Use this URL:

home | help