2.2 - Binding and unbinding

In LDAP, if one wants to access the data in the base, the common way to do it is to bind to the server. However, it's important to understand that binding is a different from connecting.

Creating a connection to an LDAP server opens a socket between the client and the server. You must provide the address and the port in order to do this.

The bind operation, on the other hand, creates a Session which will hold user information for the duration of the session. This information is limited, but includes the user's credentials.

But it's important to know that it's possible to bind anonymously, which doesn't require a user or password, and still be able to send requests to the server (although the server can forbid anonymous binds).

Once the user has finished interacting with the server, they can unbind, destroying the session held on the server. This operation does not close the connection, because, again bind != connection!

Binding

There are two possible types of binds in LDAP:

  • Simple
  • SASL

The first one is based on a userid/password sent to the server, which verifies the credentials are valid. It's also possible to proceed with an anonymous bind explicitly.

The second type is more complicated, and is used whenever authentication with a specific mechanism, like DIGEST-MD5, Kerberos or certificate based is required.

Simple Bind

One can issue three kinds of simple binds:

  • anonymous bind
  • name/password bind
  • unauthenticated authentication bind

The first one is the easiest, but depending on the server's configuration, will be accepted or rejected (not all servers allow anonymous binds)

Most of the time, the bind operation will not return anything. You either get bound, or will receive an LdapException if an error occurs.

Issuing an anonymous bind is simple, you neither provide a user nor a password:

@Test
public void testAnonymousBindRequest() throws Exception
{
    connection.bind();
}

Issuing a user/password bind is slightly more complex, because those credentials must be included:

@Test
public void testSimpleBindRequest() throws Exception
{
    connection.bind( "uid=admin,ou=system", "secret" );
}

Note It's important to note that the user's name is a Dn, not a simple name like 'John Doe"

Last, not least, there is a quite unknown feature in LDAP bind that allows you to issue a Bind request without providing a password. It's equivalent to an anonymous bind, except that the server can log the user's name, thus being able to trace what the user does. Servers might forbid such bind, and this will be the case if the server disallow anonymous binds.

Note that this kind of bind will be supported only if the server allows anonymous binds. It's not supported by ApacheDS.

@Test
public void testSimpleBindRequest() throws Exception
{

    connection.bind( "uid=admin,ou=system" );
}

Rebinding

It's possible to issue a Bind on an already bound connection and the existing LDAP session will be terminated, and replaced by a new LDAP session. In any case, the connection is not dropped when doing so. Note that if the connection was encrypted, it remains encrypted.

@Test
public void testDoubleSimpleBindValid() throws Exception
{
    connection.bind( "uid=admin,ou=system", "secret" );

    // Now, rebind
    connection.bind( "cn=john doe,dc=example,dc=com", "secret" );

    assertTrue( connection.isConnected() );
    assertTrue( connection.isAuthenticated() );
}

If you issue a bind on the same connection with some different credentials, then the existing session will be terminated on the server, and a new one will be created. All the pending requests for the initial session will be lost.

Unbinding

This is a trivial operation : you just send an UnbindRequest to the server, which will invalidate your session.

It's important to know that when you issue an Unbind, the connection is dropped. It's done like this:

@Test
public void testDoubleSimpleBindValid() throws Exception
{
    connection.bind( "uid=admin,ou=system", "secret" );

    // Now, unbind
    connection.unBind();
    assertFalse( connection.isConnected() );
    assertFalse( connection.isAuthenticated() );

    // And Bind again.
    connection.bind( "uid=admin,ou=system", "secret" );
}

Last, but not least, if you close the connection, the session also terminates.