For LDAP

Authentication

For LDAP authentication, the user name can be given either as a valid Distinguished Name (DN) or as a plain user name that corresponds to an entry in the LDAP tree; however, the LDAP server usually requires a DN to authenticate. Typing a DN is inconvenient, and people prefer to remember their user name rather than the associated DN. For this reason, if the user name provided is not a DN, the LDAP provider tries the following:

  • do an anonymous bind

  • search a DN from the specified user name

  • fetch the DN if it exists and is the only result (zero or several matches is an error)

  • close the anonymous connection

  • bind using the found DN

However, with an Active Directory server this may fail if the server does not allow anonymous binds or searches; in that case one can use one of the following user name syntaxes instead, which Active Directory accepts directly without a DN lookup:

  • username@DOMAIN

  • DOMAIN\username
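The lookup procedure above, and the pass-through of the two Active Directory syntaxes, as an added illustration (this is example code, not Libgda's own implementation, and the DN-detection heuristic, the `uid` naming attribute and the in-memory directory are assumptions made for the example). The point a practitioner should take from it is that the user name is interpolated into an LDAP search filter, so it must be escaped per RFC 4515 before the anonymous search, and that the "exactly one result" rule must be enforced: an unescaped `*` or `)(uid=*` would otherwise turn the lookup into a wildcard search.

```python
import re

# Constructed sample directory for the example (DN -> attributes); not real data.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "cn": "Alice Adams"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "cn": "Bob Brown"},
    "uid=bob,ou=contractors,dc=example,dc=com": {"uid": "bob", "cn": "Bob Brown (ext)"},
    "cn=admin,dc=example,dc=com": {"cn": "admin"},
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter:
    '*', '(', ')', '\\' and NUL become backslash + two hex digits."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def looks_like_dn(name):
    # Assumed heuristic: a DN starts with an attribute type followed by '='.
    return re.match(r"^[A-Za-z][A-Za-z0-9-]*=", name) is not None


def is_ad_short_name(name):
    # username@DOMAIN or DOMAIN\username: Active Directory binds with these as-is.
    return "@" in name or "\\" in name


def build_filter(uid_attr, username):
    """The filter sent in the anonymous search, with the user name escaped."""
    return "(%s=%s)" % (uid_attr, escape_filter_value(username))


_SIMPLE_FILTER = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=(.*)\)$")


def anonymous_search(filter_str):
    """Stand-in for the anonymous search over DIRECTORY; returns matching DNs.
    It only understands the single equality filter the resolver emits."""
    m = _SIMPLE_FILTER.match(filter_str)
    if m is None:
        raise ValueError("unsupported filter: %r" % filter_str)
    attr, wanted = m.group(1), m.group(2)
    # Compare in escaped form, so an escaped '*' can only match a literal '*'.
    return [dn for dn, attrs in DIRECTORY.items()
            if attr in attrs and escape_filter_value(attrs[attr]) == wanted]


def resolve_bind_dn(username, search=anonymous_search, uid_attr="uid"):
    """Return the name to bind with: a DN or AD short name passes through,
    anything else is looked up and must match exactly one entry."""
    if looks_like_dn(username) or is_ad_short_name(username):
        return username
    hits = search(build_filter(uid_attr, username))
    if len(hits) != 1:
        raise LookupError("expected exactly one entry for %r, found %d"
                          % (username, len(hits)))
    return hits[0]   # the caller closes the anonymous connection, then binds with this DN


if __name__ == "__main__":
    for name in ["alice", "bob", "*", "cn=admin,dc=example,dc=com", "alice@EXAMPLE.COM"]:
        try:
            print("%-30s -> %s" % (name, resolve_bind_dn(name)))
        except LookupError as exc:
            print("%-30s -> error: %s" % (name, exc))
```

With the constructed directory, `bob` fails because two entries share that `uid`, and `*` fails because it is escaped to `\2a` and matches nothing rather than every entry.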

Mapping to GdaDataModel

The LDAP provider maps LDAP searches to Libgda's data models, with the following design choices:

  • A data model column is created for each attribute the LDAP search returns, plus one column for the DN (Distinguished Name), which is always the first column of each search; so if no attribute is requested, the resulting data model contains only the DN column

  • Unless otherwise specified, the data type of each data model column is derived from the type of the corresponding LDAP attribute

  • Multi-valued attributes are by default reported as invalid data, but it is possible to specify instead that a NULL value is reported, or that the values are returned as an array in CSV notation

  • For performance reasons, some data is cached (unless the "USE_CACHE" connection variable is set to FALSE). Cache files are stored in the user's home directory, as per the XDG Base Directory Specification; note that this leaves a local copy of directory data on disk
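The mapping rules above, as an added illustration of the three ways a multi-valued attribute can be reported and of the DN-first-column rule. This is example code, not the GdaDataModelLdap implementation; the search result is constructed inline, and the `INVALID` sentinel and the `multi` keyword are names chosen for the example only.

```python
import csv
import io

# Constructed sample search result for the example: (dn, {attribute: [values]}).
SEARCH_RESULT = [
    ("uid=alice,ou=people,dc=example,dc=com",
     {"uid": ["alice"], "mail": ["alice@example.com"]}),
    ("uid=bob,ou=people,dc=example,dc=com",
     {"uid": ["bob"], "mail": ["bob@example.com", "b.brown@example.com"]}),
    ("uid=carol,ou=people,dc=example,dc=com",
     {"uid": ["carol"]}),                      # no mail attribute at all
]


class _Invalid(object):
    """Sentinel for a cell holding invalid data (the default for multi-valued attributes)."""
    def __repr__(self):
        return "<INVALID>"


INVALID = _Invalid()


def _csv_join(values):
    # One CSV record, so a value containing ',' or '"' is quoted rather than corrupting the array.
    buf = io.StringIO()
    csv.writer(buf, lineterminator="").writerow(values)
    return buf.getvalue()


def to_data_model(entries, attributes, multi="invalid"):
    """Map LDAP entries to (header, rows). Column 0 is always the DN.
    multi selects how a multi-valued attribute is reported:
      "invalid" -> INVALID (default), "null" -> None, "csv" -> one CSV string."""
    if multi not in ("invalid", "null", "csv"):
        raise ValueError("unknown multi-value policy: %r" % multi)
    header = ["dn"] + list(attributes)
    rows = []
    for dn, attrs in entries:
        row = [dn]
        for name in attributes:
            values = attrs.get(name, [])
            if len(values) == 0:
                row.append(None)             # attribute absent on this entry
            elif len(values) == 1:
                row.append(values[0])
            elif multi == "null":
                row.append(None)
            elif multi == "csv":
                row.append(_csv_join(values))
            else:
                row.append(INVALID)
        rows.append(row)
    return header, rows


if __name__ == "__main__":
    for policy in ("invalid", "null", "csv"):
        header, rows = to_data_model(SEARCH_RESULT, ["uid", "mail"], multi=policy)
        print(policy, header)
        for row in rows:
            print("   ", row)
```

Requesting no attributes yields a one-column model holding only the DNs, matching the first rule above.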

For more information, see the GdaDataModelLdap and the GdaLdapConnection objects.