1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
|
'\" te
.\" Copyright (C) 1990, Regents of the University of Michigan. All Rights Reserved.
.\" Portions Copyright 2004, Sun Microsystems, Inc. All Rights Reserved.
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH LDAP_BIND 3LDAP "Jan 14, 2004"
.SH NAME
ldap_bind, ldap_bind_s, ldap_sasl_bind, ldap_sasl_bind_s, ldap_simple_bind,
ldap_simple_bind_s, ldap_unbind, ldap_unbind_s, ldap_unbind_ext,
ldap_set_rebind_proc, ldap_sasl_interactive_bind_s \- LDAP bind functions
.SH SYNOPSIS
.LP
.nf
cc [ \fIflag\fR... ] \fIfile\fR... -lldap [ \fIlibrary\fR... ]
#include <lber.h>
#include <ldap.h>
\fBint\fR \fBldap_bind\fR(\fBLDAP *\fR\fIld\fR, \fBchar *\fR\fIwho\fR, \fBchar *\fR\fIcred\fR, \fBint\fR \fImethod\fR);
.fi
.LP
.nf
\fBint\fR \fBldap_bind_s\fR(\fBLDAP *\fR\fIld\fR, \fBchar *\fR\fIwho\fR, \fBchar *\fR\fIcred\fR, \fBint\fR \fImethod\fR);
.fi
.LP
.nf
\fBint\fR \fBldap_simple_bind\fR(\fBLDAP *\fR\fIld\fR, \fBchar *\fR\fIwho\fR, \fBchar *\fR\fIpasswd\fR);
.fi
.LP
.nf
\fBint\fR \fBldap_simple_bind_s\fR(\fBLDAP *\fR\fIld\fR, \fBchar *\fR\fIwho\fR, \fBchar *\fR\fIpasswd\fR);
.fi
.LP
.nf
\fBint\fR \fBldap_unbind\fR(\fBLDAP *\fR\fIld\fR);
.fi
.LP
.nf
\fBint\fR \fBldap_unbind_s\fR(\fBLDAP *\fR\fIld\fR);
.fi
.LP
.nf
\fBint\fR \fBldap_unbind_ext\fR(\fBLDAP\fR \fI*ld\fR, \fBLDAPControl **\fR\fIserverctrls\fR,
\fBLDAPControl **\fR\fIclientctrls\fR);
.fi
.LP
.nf
\fBvoid\fR \fBldap_set_rebind_proc\fR(\fBLDAP\fR \fI*ld\fR, \fBint (*\fR\fIrebindproc\fR);
.fi
.LP
.nf
\fBint\fR \fBldap_sasl_bind\fR(\fBLDAP *\fR\fIld\fR, \fBchar *\fR\fIdn\fR, \fBchar *\fR\fImechanism\fR,
\fBstruct berval **\fR\fIserverctrls\fR, \fBLDAPControl **\fR\fIclientctrls\fR,
\fBint *\fR\fImsgidp\fR);
.fi
.LP
.nf
\fBint\fR \fBldap_sasl_bind_s\fR(\fBLDAP *\fR\fIld\fR, \fBchar *\fR\fIdn\fR, \fBchar *\fR\fImechanism\fR,
\fBstruct berval *\fR\fIcred\fR, \fBLDAPControl **\fR\fIserverctrls\fR,
\fBLDAPControl **\fR\fIclientctrls\fR);
.fi
.LP
.nf
\fBint\fR \fBldap_sasl_interactive_bind_s\fR(\fBLDAP *\fR\fIld\fR, \fBchar *\fR\fIdn\fR,
\fBchar *\fR\fIsaslMechanism\fR, \fBLDAPControl **\fR\fIsctrl\fR, \fBLDAPControl **\fR\fIcctrl\fR,
\fBLDAPControl **\fR\fIunsigned flags\fR, \fBLDAP_SASL_INTERACT_PROC *\fR\fIcallback\fR,
\fBvoid *\fR\fIdefaults\fR);
.fi
.SH DESCRIPTION
.sp
.LP
These functions provide various interfaces to the LDAP bind operation. After a
connection is made to an LDAP server, the \fBldap_bind()\fR function returns
the message ID of the request initiated. The \fBldap_bind_s()\fR function
returns an LDAP error code.
.SS "Simple Authentication"
.sp
.LP
The simplest form of the bind call is \fBldap_simple_bind_s()\fR. The function
takes the DN (Distinguished Name) of the \fIdn\fR parameter and the
\fBuserPassword\fR associated with the entry in \fIpasswd\fR to return an LDAP
error code. See \fBldap_error\fR(3LDAP).
.sp
.LP
The \fBldap_simple_bind()\fR call is asynchronous. The function takes the same
parameters as \fBldap_simple_bind_s()\fR but initiates the bind operation and
returns the message ID of the request sent. The result of the operation can be
obtained by a subsequent call to \fBldap_result\fR(3LDAP).
.SS "General Authentication"
.sp
.LP
The \fBldap_bind()\fR and \fBldap_bind_s()\fR functions are used to select the
authentication method at runtime. Both functions take an extra \fImethod\fR
parameter to set the authentication method. For simple authentication, the
\fImethod\fR parameter is set to \fBLDAP_AUTH_SIMPLE\fR. The \fBldap_bind()\fR
function returns the message id of the request initiated. The
\fBldap_bind_s()\fR function returns an LDAP error code.
.SS "SASL Authentication"
.sp
.LP
The \fBldap_sasl_bind()\fR and \fBldap_sasl_bind_s()\fR functions are used for
general and extensible authentication over LDAP through the use of the Simple
Authentication Security Layer. The routines both take the \fBDN\fR to bind as
the authentication method. A dotted-string representation of an OID identifies
the method, and the \fBberval\fR structure holds the credentials. The special
constant value \fBLDAP_SASL_SIMPLE\fR ("") can be passed to request simple
authentication. Otherwise, the \fBldap_simple_bind()\fR function or the
\fBldap_simple_bind_s()\fR function can be used.
.sp
.LP
The \fBldap_sasl_interactive_bind_s()\fR helper function takes its data and
performs the necessary \fBldap_sasl_bind()\fR and associated SASL library
authentication sequencing with the LDAP server that uses the provided
connection (\fIld\fR).
.sp
.LP
Upon a successful bind, the \fBldap_sasl_bind()\fR function will, if negotiated
by the SASL interface, install the necessary internal \fBlibldap\fR plumbing to
enable SASL integrity and privacy (over the wire encryption) with the LDAP
server.
.sp
.LP
The \fBLDAP_SASL_INTERACTIVE\fR option flag is passed to the libldap API
through the flags argument of the API. The flag tells the API to use the SASL
interactive mode and to have the API request SASL authentication data through
the \fBLDAP_SASL_INTERACTIVE_PROC\fR callback as needed. The callback provided
is in the form:
.sp
.in +2
.nf
typedef int (LDAP_SASL_INTERACT_PROC)
(LDAP *ld, unsigned flags, void* defaults, void *interact);
.fi
.in -2
.sp
.sp
.LP
The user-provided SASL callback is passed to the current LDAP connection
pointer, the current flags field, an optional pointer to user-defined data, and
the list of \fBsasl_interact_t\fR authentication values requested by
\fBlibsasl\fR(3LIB) to complete authentication.
.sp
.LP
The user-defined callback collects and returns the authentication information
in the \fBsasl_interact_t\fR array according to \fBlibsasl\fR rules. The
authentication information can include user IDs, passwords, realms, or other
information defined by SASL. The SASL library uses this date during sequencing
to complete authentication.
.SS "Unbinding"
.sp
.LP
The \fBldap_unbind()\fR call is used to unbind from a directory, to terminate
the current association, and to free the resources contained in the \fIld\fR
structure. Once the function is called, the connection to the LDAP server is
closed and the \fIld\fR structure is invalid. The \fBldap_unbind_s()\fR and
\fBldap_unbind()\fR calls are identical and synchronous in nature.
.sp
.LP
The \fBldap_unbind_ext()\fR function is used to unbind from a directory, to
terminate the current association, and to free the resources contained in the
LDAP structure. Unlike \fBldap_unbind()\fR and \fBldap_unbind_s()\fR, both
server and client controls can be explicitly included with
\fBldap_unbind_ext()\fR requests. No server response is made to an unbind
request and responses should not be expected from server controls included with
unbind requests.
.SS "Rebinding While Following Referral"
.sp
.LP
The \fBldap_set_rebind_proc()\fR call is used to set a function called back to
obtain bind credentials. The credentials are used when a new server is
contacted after an LDAP referral. If \fBldap_set_rebind_proc()\fR is never
called, or if it is called with a \fBNULL\fR \fIrebindproc\fR parameter, an
unauthenticated simple LDAP bind is always done when chasing referrals.
.sp
.LP
The \fBrebindproc()\fR function is declared as shown below:
.sp
.in +2
.nf
int rebindproc(LDAP *ld, char **whop, char **credp,
int *methodp, int freeit);
.fi
.in -2
.sp
.LP
The LDAP library first calls the \fBrebindproc()\fR to obtain the referral bind
credentials. The \fIfreeit\fR parameter is zero. The \fIwhop\fR, \fIcredp\fR,
and \fImethodp\fR parameters should be set as appropriate. If
\fBrebindproc()\fR returns \fBLDAP_SUCCESS\fR, referral processing continues.
The \fBrebindproc()\fR is called a second time with a non-zero \fIfreeit\fR
value to give the application a chance to free any memory allocated in the
previous call.
.sp
.LP
If anything but \fBLDAP_SUCCESS\fR is returned by the first call to
\fBrebindproc()\fR, referral processing is stopped and the error code is
returned for the original LDAP operation.
.SH RETURN VALUES
.sp
.LP
Make a call to \fBldap_result\fR(3LDAP) to obtain the result of a bind
operation.
.SH ERRORS
.sp
.LP
Asynchronous functions will return \fB\(mi1\fR in case of error. See
\fBldap_error\fR(3LDAP) for more information on error codes returned. If no
credentials are returned, the result parameter is set to \fINULL\fR.
.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp
.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE ATTRIBUTE VALUE
_
Interface Stability Evolving
_
MT-Level Safe
.TE
.SH SEE ALSO
.sp
.LP
\fBldap\fR(3LDAP), \fBldap_error\fR(3LDAP), \fBldap_open\fR(3LDAP),
\fBldap_result\fR(3LDAP), \fBlibsasl\fR(3LIB), \fBattributes\fR(5)
|
