Directory Services

Using ldap_bind_s

The ldap_bind_s function provides a distinguished name (DN) and an authentication credential, such as a password, that identifies the person, device, or application attempting to connect to the LDAP server. The type of credential used depends on the authentication method.

The ldap_simple_bind_s function uses a plaintext password for authentication. Call ldap_bind_s to use authentication services such as Kerberos, Windows NT® LAN Manager (NTLM), or Digest (for Windows XP). For more information about supported authentication services, see ldap_bind_s and Using ldap_init.

If you must keep the name and password secure but do not require a secure session, use ldap_bind_s with any of the authentication methods discussed above. Kerberos and NTLM, for example, do not transmit the password itself; they transmit a representation of the password that cannot be traced back to the original password. Because the password is not transmitted, there is no urgent need to encrypt the exchange. For more information, and an example of this type of bind, see Example Code for Establishing a Session Without Encryption.

If you are concerned about eavesdropping on any part of the session, set up an encrypted session. To encrypt portions of a session, use ldap_start_tls_s and ldap_stop_tls_s.
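The two questions the text raises, whether the password must be protected and whether the session contents must be protected, map onto a short sequence of wldap32 calls. The following is an added example, not code from this page or from the Windows SDK: choose_bind() encodes the decision (Negotiate protects the password on its own; TLS is needed only when the session must be private; a plaintext simple bind is acceptable only inside TLS), and run_bind(), which compiles only on Windows, carries the chosen plan out with ldap_init, ldap_connect, ldap_start_tls_s, ldap_bind_s, ldap_stop_tls_s and ldap_unbind_s. The host name, DN and password in main() are constructed placeholders; the function names and the bind_plan_t enum are this example's own.

```c
/* Added example: selecting and performing an LDAP bind with the Windows LDAP
 * C API (wldap32). choose_bind() is portable; run_bind() and main() exist only
 * when compiled for Windows. Not code from the page or from the Windows SDK. */
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <winldap.h>
#pragma comment(lib, "wldap32.lib")
#endif

typedef enum {
    BIND_NEGOTIATE_NO_TLS,   /* ldap_bind_s + LDAP_AUTH_NEGOTIATE: password itself is never sent */
    BIND_NEGOTIATE_OVER_TLS, /* ldap_start_tls_s first, then Negotiate: session contents protected too */
    BIND_SIMPLE_OVER_TLS,    /* ldap_start_tls_s first, then a plaintext simple bind inside TLS */
    BIND_REFUSE              /* nothing available protects the password: do not bind */
} bind_plan_t;

/* Decision logic from the text: Kerberos/NTLM (Negotiate) protects the password
 * without encryption; only eavesdropping on the session calls for TLS; a
 * plaintext simple bind is tolerable only once TLS is up. */
bind_plan_t choose_bind(int server_supports_negotiate, int server_supports_tls,
                        int session_must_be_private)
{
    if (session_must_be_private) {
        if (!server_supports_tls) return BIND_REFUSE;
        return server_supports_negotiate ? BIND_NEGOTIATE_OVER_TLS : BIND_SIMPLE_OVER_TLS;
    }
    if (server_supports_negotiate) return BIND_NEGOTIATE_NO_TLS;
    return server_supports_tls ? BIND_SIMPLE_OVER_TLS : BIND_REFUSE;
}

/* Readable name for logging which plan a client selected. */
const char *bind_plan_name(bind_plan_t plan)
{
    switch (plan) {
    case BIND_NEGOTIATE_NO_TLS:   return "negotiate (no TLS)";
    case BIND_NEGOTIATE_OVER_TLS: return "negotiate over TLS";
    case BIND_SIMPLE_OVER_TLS:    return "simple bind over TLS";
    default:                      return "refuse";
    }
}

#ifdef _WIN32
/* Carry out the plan against host; returns a wldap32 result code (LDAP_SUCCESS on success). */
ULONG run_bind(const char *host, const char *dn, char *password, bind_plan_t plan)
{
    ULONG version = LDAP_VERSION3;  /* ldap_start_tls_s requires LDAP v3 */
    ULONG rc, server_rc = 0;
    int tls_on = 0;
    LDAP *ld;

    if (plan == BIND_REFUSE) return LDAP_AUTH_METHOD_NOT_SUPPORTED;
    ld = ldap_init((PSTR)host, LDAP_PORT);
    if (ld == NULL) return LdapGetLastError();
    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);

    rc = ldap_connect(ld, NULL);
    if (rc != LDAP_SUCCESS) goto done;

    if (plan != BIND_NEGOTIATE_NO_TLS) {
        /* Encrypt everything that follows, including the bind itself. */
        rc = ldap_start_tls_s(ld, &server_rc, NULL, NULL, NULL);
        if (rc != LDAP_SUCCESS) goto done;
        tls_on = 1;
    }

    if (plan == BIND_SIMPLE_OVER_TLS)
        rc = ldap_bind_s(ld, (PSTR)dn, password, LDAP_AUTH_SIMPLE); /* plaintext, but inside TLS */
    else
        rc = ldap_bind_s(ld, NULL, NULL, LDAP_AUTH_NEGOTIATE);      /* Kerberos or NTLM via SSPI, current logon */

    /* Directory operations would go here. */
done:
    if (tls_on) ldap_stop_tls_s(ld);
    ldap_unbind_s(ld);
    return rc;
}

int main(void)
{
    /* Constructed placeholder values: substitute a real host, DN and credential. */
    char password[] = "change-me";
    bind_plan_t plan = choose_bind(1, 1, 1);
    ULONG rc = run_bind("ldap.example.com", "CN=user,DC=example,DC=com", password, plan);
    SecureZeroMemory(password, sizeof password);   /* do not leave the plaintext in memory */
    printf("%s -> 0x%lx\n", bind_plan_name(plan), rc);
    return rc == LDAP_SUCCESS ? 0 : 1;
}
#endif
```

Passing NULL credentials with LDAP_AUTH_NEGOTIATE makes wldap32 authenticate as the current logon session through SSPI, which is the case the text describes where no password crosses the wire; a SEC_WINNT_AUTH_IDENTITY structure can be supplied instead to bind as a different account. The plaintext simple bind is issued only after ldap_start_tls_s has succeeded, which is the one arrangement in which ldap_simple_bind_s-style authentication does not expose the password.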

Note: LDAP 2 requires that a client bind even for an anonymous connection. Not all LDAP implementations enforce this requirement, but you should include the bind step in order to maintain compatibility with all LDAP 2 services.

For more information, and a list of the authentication and encryption options, see Session Options.