OpenLDAP API is somewhat hostile

After a few days beating my head against OpenLDAP’s C API, the only thing I can think is that the developers don’t want you to use it.

All of the simple functions, the functions that appear in all of the sample code out there, have been deprecated:

  1. ldap_bind and its ilk are gone, with the exception of ldap_sasl_bind and ldap_sasl_bind_s.
  2. ldap_init and ldap_open are gone, although ldap_initialize still exists.

What seems to be going on is an attempt to push people to use SASL, the (not so) Simple Authentication and Security Layer, which abstracts away the differences between Kerberos, RADIUS, and other full-fledged authentication and authorization mechanisms.

The problem here is that the most common application for LDAP is authenticating users.  It doesn’t matter that you “shouldn’t” do this according to the established literature.  If you are stuck talking to Active Directory, LDAP is your primary tool.

The LDAP_Result API makes sense from an object-oriented perspective, but man, that is a lot of function calls just to iterate through a list.  For example, to process the result of calling ldap_sasl_bind you have to call:

  1. ldap_result
  2. ldap_first_message
  3. ldap_parse_result
  4. ldap_free for each value allocated by ldap_parse_result
  5. ldap_next_message
  6. ldap_freemsg

The problem here is that they are trying to be object-oriented, but stopping short of actually returning vtables.  I suspect I could just look at the LDAPMessage structure and get the same result.

I think the choice of SASL is somewhat suspect as well.  I would much prefer it if they used PAM.  If you are going to make use of a flexible authentication mechanism, go with the dominant one.

I admit that I am not an expert on LDAP things, and that perhaps I am missing something.  But trying to get the C equivalent of

ldapsearch -H "ldap://localhost" -LLL -x -b 'dc=application,dc=domain,dc=com' '(objectclass=*)'

should not take several days.

2 thoughts on “OpenLDAP API is somewhat hostile”

  1. Hi Adam,

    It’s widely known the C API needs rework. See the OpenLDAP Devel lists:

    http://www.openldap.org/lists/openldap-devel/200803/msg00036.html

    There’s a wiki with some C API problems at:

    http://scratchpad.wikia.com/wiki/Ldap

    This documents how to deal with the deprecated functions:

    http://en.opensuse.org/OpenLDAP_2.3_libldap_upgrade_howto

    or use -DLDAP_DEPRECATED

    For more help join:

    http://www.openldap.org/lists/mm/listinfo/openldap-devel

    Or you could try the C++ API:

    http://www.openldap.org/devel/cvsweb.cgi/contrib/ldapc%2b%2b/?hideattic=1&sortbydate=0
    http://www.openldap.org/devel/cvsweb.cgi/contrib/ldapc%2b%2b/examples/?hideattic=1&sortbydate=0

    Thanks,

    Gavin.


    Kind Regards,

    Gavin Henry.
    OpenLDAP Engineering Team.

    E ghenry@OpenLDAP.org

    Community developed LDAP software.

    http://www.openldap.org/project/

  2. Pingback: Openldap binding via C API « conflictable
