curl-library

Re: LDAP support

From: Howard Chu <hyc_at_highlandsun.com>
Date: Fri, 07 May 2010 16:11:48 -0700

Guenter wrote:
> Hi,
> On 07.05.2010 22:56, Daniel Stenberg wrote:
>> On Fri, 7 May 2010, Howard Chu wrote:
>>
>>> Looking at the code, it appears that libcurl always connects to the
>>> target server before dropping into any URL handler code. And this LDAP
>>> module totally ignores that, and does its own ldap_init which creates
>>> another connection. So every use of LDAP creates a redundant socket /
>>> connection. Am I right?
>>
>> You're the LDAP guy here, you tell us! ;-) I don't know anything about
>> OpenLDAP really, but the man page for ldap_init() says "does not open a
>> connection to the LDAP server." and that it "will occur when the first
>> operation is attempted.".

Well, that doc is correct. ldap_init() doesn't open a socket immediately, and
the first operation in this case would be the ldap_bind(). But still, libcurl
has already opened a socket long before this. It seems like a shame to have to
do this twice.

In the current OpenLDAP libldap there is a new ldap_init_fd() API which allows
us to use a socket that was created by someone else. It's meant for exactly
this sort of situation, but it's an OpenLDAP extension, not a standard function.

>> But I don't know which function that "the first operation" refers to in
>> our case.
>>
>>> I wonder if the NOVELL_LDAPSDK support is worthwhile any more. Novell
>>> has been shipping a repackaged OpenLDAP client library for several
>>> years now.
>>
>> Guenter might have a clue. You reading this? Any word on NOVELL_LDAPSDK?
> Novell provides an addon package to OpenLDAP for a wide range of
> platforms, and this package enhances/simplifies the LDAPS support a lot.

Mmm... Actually LDAPS support in OpenLDAP is dead-easy, you just use
ldap_initialize(&ld, url) and it does everything necessary regardless of the
URL type - ldap://, ldaps://, ldapi://, and cldap:// (ldapi is IPC, typically
over Unix domain socket, and cldap is connectionless LDAP over UDP). All of
these other APIs are a PITA. You don't need a separate API for each type of
LDAP connection.

ldap_init() is from the old LDAPv2 API and is deprecated. Any LDAPv3 compliant
SDK should support ldap_initialize().

> Also this package is free/OpenSource as the Novell LDAP SDK too, so you
> can take it on nearly every platform. However for NetWare OS the Novell
> LDAP SDK is the only available LDAP client, and thus dropping it would
> be bad since it would kill LDAP support at all for NetWare. Also for
> Win32 I use this LDAP SDK too since what M$ ships is too hard to handle
> for LDAPS.

Hmm. OpenLDAP builds on all of these platforms; you could just use the
OpenLDAP SDK everywhere.

Anyway, I'm considering leaving the current ldap.c untouched, and writing a
new openldap.c which only uses the OpenLDAP SDK, just for the sake of
illustration. OK?

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2010-05-08