On Sat 12 Mar 2005 at 05:39:42 +0900, Dick Davies wrote:

> * Ian Macdonald <ian / caliban.org> [0303 20:03]:
> > 
> > Yes, I'm afraid you need a new connection to bind as a different user.
> > On the other hand, if you only want to check the validity of a username
> > and password combination, you should be able to pull that information
> > from the directory as a user with the privileges required to view
> > passwords.
> 
> Yeah, but then I need to code an admin user/pass pair into my script,
> and that sort of thing gives me the heebie-jeebies..

You could consider using SASL and something like GSSAPI instead, but
that might be a lot of work if you're not already set up for it.

> I suspect perl-ldap actually drops and reloads the connection in any case,
> I'm not sure whether the C API lets you reuse a connection by rebinding
> as another user.

It doesn't.

Perhaps Net::LDAP remembers the details of the connection when it was
opened and silently performs another open when you perform a bind after
an unbind, but at some point, you're still opening a new connection.
It's just a question of whether it's implicit or explicit.

Ruby/LDAP could be made to do this, too, I think. The details passed to
LDAP::Conn.new could be put into instance variables. If the connection
is dead at bind time, these could be read and used to transparently
reestablish the connection before conducting the bind.

I'll look at how hard this would be to whip up in practice.

Ian
-- 
Ian Macdonald               | There's something different about us --
System Administrator        | different from people of Europe, Africa,
ian / caliban.org             | Asia ... a deep and abiding belief in the
http://www.caliban.org      | Easter Bunny.   -- G. Gordon Liddy 
                            |
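The reconnect-at-bind behaviour sketched in the message above, written out as an added example. This is not code from the thread or from the Ruby/LDAP extension: the wrapper remembers the host and port handed to LDAP::Conn.new and reopens the connection before a bind if an earlier unbind closed it, so "bind as user A, unbind, bind as user B" works without the caller managing connections. LDAP::Conn.new(host, port), #bind(dn, password) and #unbind are the real Ruby/LDAP calls; ReconnectingConn, FakeConn (a constructed stand-in so the code runs without a directory) and the sample user are assumptions. One caveat the thread does not mention but a practitioner checking passwords by simple bind needs: RFC 4513 defines a bind with a DN and an empty password as an unauthenticated bind, which most servers accept as anonymous, so the wrapper refuses empty passwords instead of reporting them as valid.

```ruby
# Added example, not Ruby/LDAP's own code: a connection wrapper that
# remembers its LDAP::Conn.new arguments and transparently reopens the
# connection before a bind if it was unbound earlier.
begin
  require 'ldap'          # ruby-ldap, used only if installed; the demo uses FakeConn
rescue LoadError
  nil
end

class ReconnectingConn
  class EmptyPasswordError < StandardError; end

  # factory: callable returning a fresh connection for (host, port).
  # Defaults to LDAP::Conn.new when ruby-ldap is loaded.
  def initialize(host, port = 389, factory: nil)
    @host = host
    @port = port
    @factory = factory || ->(h, p) { LDAP::Conn.new(h, p) }
    @conn = nil
    @open = false
  end

  def open?
    @open
  end

  # Simple bind as dn/password. Returns true when the directory accepts the
  # credentials and false when it rejects them or anything else goes wrong
  # (fail closed: an error must never look like a successful login).
  def bind(dn, password)
    # Caveat not in the thread: an empty password is an unauthenticated bind
    # (RFC 4513 5.1.2) and succeeds on most servers, so refuse it outright.
    if password.nil? || password.empty?
      raise EmptyPasswordError, 'empty password would be an anonymous bind'
    end
    reopen unless @open          # unbind closed the handle; open a new one
    @conn.bind(dn, password)
    true
  rescue EmptyPasswordError
    raise
  rescue StandardError
    false
  end

  def unbind
    @conn.unbind if @open
    @open = false
  end

  private

  def reopen
    @conn = @factory.call(@host, @port)
    @open = true
  end
end

# Constructed stand-in for LDAP::Conn: one known user, no network.
class FakeConn
  InvalidCredentials = Class.new(StandardError)
  USERS = { 'uid=alice,ou=people,dc=example,dc=com' => 'wonderland' }.freeze

  def initialize(host, port)
    @host, @port, @closed = host, port, false
  end

  def bind(dn, password)
    raise IOError, 'connection is closed' if @closed
    raise InvalidCredentials, 'invalidCredentials (49)' unless USERS[dn] == password
    self
  end

  def unbind
    @closed = true
  end
end

# Exercise the wrapper: bind, unbind, then bind again (which must reopen).
# Returns the three bind outcomes and the number of connections opened.
def run_demo
  opens = 0
  factory = lambda do |host, port|
    opens += 1
    FakeConn.new(host, port)
  end
  conn = ReconnectingConn.new('ldap.example.com', 389, factory: factory)
  alice = 'uid=alice,ou=people,dc=example,dc=com'
  results = []
  results << conn.bind(alice, 'wonderland')   # true, first connection
  conn.unbind                                  # closes it, as the C API does
  results << conn.bind(alice, 'wrong')         # false; connection reopened for us
  results << conn.bind(alice, 'wonderland')    # true; same connection reused
  [results, opens]
end

if __FILE__ == $PROGRAM_NAME
  results, opens = run_demo
  puts "bind results: #{results.inspect}, connections opened: #{opens}"
end
```

With the real extension, drop the factory argument and the wrapper calls LDAP::Conn.new itself; the script-level admin credentials the thread worries about are still not needed, because each check is a bind as the user being verified.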