LDAP Bind DN – What Exactly is a Bind DN in LDAP?


I've written various pieces of code that connect to LDAP servers and run queries, but it's always been voodoo to me. One thing I don't really understand is the concept of a bind DN. Here's an example using the ldapsearch command-line tool available from openldap. (Ignore the lack of authentication.)

ldapsearch -h 1.2.3.4 -D dc=example,dc=com [query]

What is the purpose and function of the -D dc=example,dc=com part of this? Why do we need to bind to a particular location in the directory hierarchy? Is it to establish which part of the directory my queries should apply to? E.g. if the root node of the directory is dc=com, and it has two children (dc=foo and dc=bar), maybe I want my queries to be against the dc=foo,dc=com subtree and not the dc=bar,dc=com subtree?

Best Answer

A bind DN is an object that you bind to inside LDAP to give you permissions to do whatever you're trying to do. Some (many?) LDAP instances don't allow anonymous binds, or don't allow certain operations to be conducted with anonymous binds, so you must specify a bindDN to obtain an identity to perform that operation.

In a similar non-technical way - and yes this is a stretch - a bank will allow you to walk in and look at their interest rates without giving them any sort of ID, but in order to open an account or withdraw money, you have to have an identity they know about - that identity is the bindDN.
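To make the distinction concrete, here is a small in-memory model (added for illustration; it is not part of the original answer and is not a real LDAP library) of how a server treats the bind DN as an identity for access control while the search base, the `-b` option of ldapsearch, independently picks the subtree. The directory entries, the `cn=admin` account, the password and the attribute visibility rules are all constructed for this example.

```python
# Added illustration, not from the original post: a toy model of an LDAP server
# that separates "who you are" (bind DN) from "where you search" (search base).
# All entries, the admin DN, its password and the access rules are constructed.

ANONYMOUS = None  # identity of a session that did not bind with a DN

# Constructed directory: DN -> attributes. userPassword is what a simple bind checks.
DIRECTORY = {
    "dc=example,dc=com": {"objectClass": ["domain"]},
    "cn=admin,dc=example,dc=com": {"userPassword": "secret", "objectClass": ["person"]},
    "ou=foo,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "cn=alice,ou=foo,dc=example,dc=com": {"mail": "alice@example.com", "telephoneNumber": "555-0100"},
    "ou=bar,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "cn=bob,ou=bar,dc=example,dc=com": {"mail": "bob@example.com", "telephoneNumber": "555-0200"},
}

# Constructed access rule: an anonymous session may read only these attributes.
PUBLIC_ATTRS = {"objectClass", "mail"}
ADMIN_DN = "cn=admin,dc=example,dc=com"


def bind(bind_dn, password):
    """Simple bind (ldapsearch -D/-w). Returns the identity the session now acts as.

    bind_dn=None models an anonymous bind. A wrong password or unknown DN fails
    the way a real server would, with invalidCredentials (result code 49)."""
    if bind_dn is None:
        return ANONYMOUS
    entry = DIRECTORY.get(bind_dn)
    if entry is None or entry.get("userPassword") != password:
        raise PermissionError("invalidCredentials (49)")
    return bind_dn


def in_subtree(dn, base):
    """True if dn is base itself or lies below it in the tree."""
    return dn == base or dn.endswith("," + base)


def search(identity, base):
    """Return {dn: visible attributes} for entries under base (ldapsearch -b).

    The bind identity decides what is visible; the base decides which subtree."""
    results = {}
    for dn, attrs in DIRECTORY.items():
        if not in_subtree(dn, base):
            continue
        if identity == ADMIN_DN:
            visible = {k: v for k, v in attrs.items() if k != "userPassword"}
        else:
            visible = {k: v for k, v in attrs.items() if k in PUBLIC_ATTRS}
        results[dn] = visible
    return results
```

Searching `ou=foo,dc=example,dc=com` while bound as `cn=admin,dc=example,dc=com` shows that the two DNs play different roles: the bind DN is nowhere near the searched subtree, yet it is what unlocks the non-public attributes.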
