2.2 - Binding and unbinding (...)

In LDAP, if one wants to access the data in the base, the common way to do it is to bind on the server. However, it's important to understand that binding is a different beast than connection.

Creating a connection to a LDAP server is just about opening a socket between the client and the server. You just need to provide the address and the port.

The bind operation, on the other hand, create a Session which will hold some user's information for the time being of the session. Those information are quite limited, they include the user's credentials.

But it's important to know that it's possible to bind as anonymous, providing no name and password, and still be able to request the server (note though that the server can forbid such anonymous bind).

Once the user has finished to request the server, then he can unbind, destroying his session on the server. That does not close the connection, because, one more time, bind != connection.

Binding

You have two possible types of binds in LDAP :

  • Simple
  • SASL

The first one is based on a user/password being send to the server, which check that they are valid. It's also possible to proceed an Anonymous bind explicitly.

The second one is more complex, and is used if you want to proceed an authentication with some specific mechanism, like DIGEST-MD5, Kerberos or certificate based.

Simple Bind

One can issue three kind of Simple bind : anonymous bind name/password bind * unauthenticated authentication bind

The first one is the easiest one, but depending on the server configuration, it will be accepted or rejected (all the servers don't allow anonymous binds)

Most of the time, the bind operation will not return anything. You will get bound, or you'll get an LdapException if an error is met.

Issuing an anonymous bind is very simple, you just provide no user name nor any password :

@Test
public void testAnonymousBindRequest() throws Exception
{
    connection.bind();
}

Issuing a user/password bind is just slightly more complex, you just have to provide your user name and its password :

@Test
public void testSimpleBindRequest() throws Exception
{
    connection.bind( "uid=admin,ou=system", "secret" );
}

Note It's important to note that the user's name is a Dn, not a simple name like 'John doe"

Last, not least, there is a quite unknown feature in LDAP bind that allows you to issue a Bind request without providing a password. It's equivalent to an anonymous bind, except that the server can log the user's name, thus being able to trace what the user does. Servers might forbid such bind, and this will be the case if the server disallow anonymous binds.

Note that this kind of bind will be supported only if the server allows anonymous binds. It's not supported by ApacheDS.

@Test
public void testSimpleBindRequest() throws Exception
{

    connection.bind( "uid=admin,ou=system" );
}

SASL Bind

TO BE COMPLETED

Unbinding

This is a trivial operation : you just send an UnbindRequest to the server, which will invalidate your session.

It's important to know that when you issue an Unbind, the connection is dropped. However, if you immediately try another bind, the API will open the connection again, using the information provided when the connection has been created. You can then do such a thing :

@Test
public void testDoubleSimpleBindValid() throws Exception
{
    connection.bind( "uid=admin,ou=system", "secret" );

    // Now, unbind
    connection.unBind();
    assertFalse( connection.isConnected() );
    assertFalse( connection.isAuthenticated() );

    // And Bind again.
    connection.bind( "uid=admin,ou=system", "secret" );
}

If you issue a bind on the same connection with some different credentials, then the existing session will be terminated on the server, and a new one will be created. All the pending requests for the initial session will be lost.

Last, not least, if you close the connection, then the session will also be terminated.