Subject: svn commit: r1007587 - in /websites/staging/directory/trunk/content: ./ api/user-guide/2.2-binding-unbinding.html
Date: Thu, 02 Mar 2017 19:35:57 -0000
To: commits@directory.apache.org
From: buildbot@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20170302193557.9F8CE3A0158@svn01-us-west.apache.org> Author: buildbot Date: Thu Mar 2 19:35:57 2017 New Revision: 1007587 Log: Staging update by buildbot for directory Modified: websites/staging/directory/trunk/content/ (props changed) websites/staging/directory/trunk/content/api/user-guide/2.2-binding-unbinding.html Propchange: websites/staging/directory/trunk/content/ ------------------------------------------------------------------------------ --- cms:source-revision (original) +++ cms:source-revision Thu Mar 2 19:35:57 2017 @@ -1 +1 @@ -1784453 +1785190 Modified: websites/staging/directory/trunk/content/api/user-guide/2.2-binding-unbinding.html ============================================================================== --- websites/staging/directory/trunk/content/api/user-guide/2.2-binding-unbinding.html (original) +++ websites/staging/directory/trunk/content/api/user-guide/2.2-binding-unbinding.html Thu Mar 2 19:35:57 2017 @@ -185,7 +185,7 @@ h2:hover > .headerlink, h3:hover > .headerlink, h1:hover > .headerlink, h6:hover > .headerlink, h4:hover > .headerlink, h5:hover > .headerlink, dt:hover > .elementid-permalink { visibility: visible }

2.2 - Binding and unbinding

In LDAP, if one wants to access the data in the base, the common way to do it is to bind to the server. However, it's important to understand that binding is a different from connecting.

-

Creating a connection to an LDAP server is opens a socket between the client and the server. You must provide the address and the port in order to do this.

+

Creating a connection to an LDAP server opens a socket between the client and the server. You must provide the address and the port in order to do this.

The bind operation, on the other hand, creates a Session which will hold user information for the duration of the session. This information is limited, but includes the user's credentials.

But it's important to know that it's possible to bind anonymously, which doesn't require a user or password, and still be able to send requests to the server (although the server can forbid anonymous binds).

Once the user has finished interacting with the server, they can unbind, destroying the session held on the server. This operation does not close the connection, because, again bind != connection!
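
Review bot: The first context line of this hunk still reads "binding is a different from connecting", the same kind of stray word as the "is opens" that the changed line fixes; drop the "a" in the same pass. The last context line would also read better with a comma after "again" ("because, again, bind != connection").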

@@ -198,12 +198,15 @@ h2:hover > .headerlink, h3:hover > .head

The first one is based on a userid/password sent to the server, which verifies the credentials are valid. It's also possible to proceed with an anonymous bind explicitly.

The second type is more complicated, and is used whenever authentication with a specific mechanism, like DIGEST-MD5, Kerberos or certificate based is required.

Simple Bind

-

One can issue three kinds of simple binds: - anonymous bind name/password bind -* unauthenticated authentication bind

+

One can issue three kinds of simple binds:

+
    +
  • anonymous bind
  • +
  • name/password bind
  • +
  • unauthenticated authentication bind
  • +

The first one is the easiest, but depending on the server's configuration, will be accepted or rejected (not all servers allow anonymous binds)

Most of the time, the bind operation will not return anything. You either get bound, or will receive an LdapException if an error occurs.

-

Issuing an anonymous bind is simple, you neither provide a user or password:

+

Issuing an anonymous bind is simple, you neither provide a user nor a password:

@Test
 public void testAnonymousBindRequest() throws Exception
 {
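
Review bot: The context line right after the new list, "The first one is the easiest, but depending on the server's configuration, will be accepted or rejected (not all servers allow anonymous binds)", still ends without a period, and "certificate based" in the context above the "Simple Bind" heading wants a hyphen. The list now names three kinds of simple bind, but within this hunk only "The first one" is explained; check that the name/password bind and the unauthenticated authentication bind get a matching sentence each so the list and the text stay in step.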
@@ -222,7 +225,7 @@ h2:hover > .headerlink, h3:hover > .head
 
 
 
-

Note It's important to note that the user's name is a Dn, not a simple name like 'John doe"

+

Note It's important to note that the user's name is a Dn, not a simple name like 'John Doe"

Last, not least, there is a quite unknown feature in LDAP bind that allows you to issue a Bind request without providing a password. It's equivalent to an anonymous bind, except that the server can log the user's name, thus being able to trace what the user does. Servers might forbid such bind, and this will be the case if the server disallow anonymous binds.

Note that this kind of bind will be supported only if the server allows anonymous binds. It's not supported by ApacheDS.
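
Review bot: The corrected note line still has mismatched quotes around John Doe, opening with ' and closing with "; use the same quote character on both sides. In the context below it, "if the server disallow anonymous binds" should read "disallows", and the last paragraph ("Note that this kind of bind will be supported only if the server allows anonymous binds") repeats the sentence just before it, so one of the two can be dropped.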