A pure-Rust LDAP client library using the Tokio stack.
Building with Rustls requires explicitly selecting a crypto provider. TL;DR is to use the tls-rustls-aws-lc-rs or tls-rustls-ring feature instead of tls-rustls. See the "Compile-time features" section for details.
The 0.12 branch contains basic NTLM support, removes deprecated functions, and updates
the dependencies and documentation. The earliest Rust version which can be used with NTLM
is 1.85.0; without NTLM, 1.82.0 will work. The only breaking changes are the use of feature
flags when building with Rustls and the removal of the deprecated ldap_str_unescape()
function.
The 0.11 branch is now in maintenance mode, and 0.10 is retired. If you're using GSSAPI and compiling with Rust 1.78.0 or later, upgrade to 0.11.5.
API reference:
There is an LDAP introduction for those still getting their bearings in the LDAP world.
The library is client-only. One cannot make an LDAP server or a proxy with it. It supports only version 3 of the protocol over connection-oriented transports.
There is no built-in support for connection pooling, automatic fallback or reconnections.
Add this to your Cargo.toml:
[dependencies.ldap3]
version = "0.12.1"The library can be used either synchronously or asynchronously. The aim is to offer essentially the same call interface for both flavors, with the necessary differences in interaction and return values according to the nature of I/O.
The following two examples perform exactly the same operation and should produce identical
results. They should be run against the example server in the data subdirectory of the crate source.
Other sample programs expecting the same server setup can be found in the examples subdirectory.
use ldap3::{LdapConn, Scope, SearchEntry};
use ldap3::result::Result;
fn main() -> Result<()> {
let mut ldap = LdapConn::new("ldap://localhost:2389")?;
let (rs, _res) = ldap.search(
"ou=Places,dc=example,dc=org",
Scope::Subtree,
"(&(objectClass=locality)(l=ma*))",
vec!["l"]
)?.success()?;
for entry in rs {
println!("{:?}", SearchEntry::construct(entry));
}
Ok(ldap.unbind()?)
}use ldap3::{LdapConnAsync, Scope, SearchEntry};
use ldap3::result::Result;
#[tokio::main]
async fn main() -> Result<()> {
let (conn, mut ldap) = LdapConnAsync::new("ldap://localhost:2389").await?;
ldap3::drive!(conn);
let (rs, _res) = ldap.search(
"ou=Places,dc=example,dc=org",
Scope::Subtree,
"(&(objectClass=locality)(l=ma*))",
vec!["l"]
).await?.success()?;
for entry in rs {
println!("{:?}", SearchEntry::construct(entry));
}
Ok(ldap.unbind().await?)
}The following features are available at compile time:
-
sync (enabled by default): Synchronous API support.
-
gssapi (disabled by default): Kerberos/GSSAPI support. On Windows, system support crates and SDK libraries are used. Elsewhere, the feature needs Clang and its development libraries (for
bindgen), as well as the Kerberos development libraries. On Debian/Ubuntu, that meansclang-N,libclang-N-devandlibkrb5-dev. It should be clear from these requirements that GSSAPI support uses FFI to C libraries; you should consider the security implications of this fact.For usage notes and caveats, see the documentation for
Ldap::sasl_gssapi_bind()in the API reference. -
ntlm (disabled by default): NTLM authentication support. Username and password must be provided, and the password must be in cleartext. It works on TLS connections, or clear connections with no signing or sealing. With TLS, a channel binding token is sent to the server if possible.
-
tls (enabled by default): TLS support, backed by the
native-tlscrate, which uses a platform-specific TLS backend. This is an alias for tls-native. -
tls-rustls-... (disabled by default): TLS support, backed by the Rustls library. The bare tls-rustls flag, used previously for this purpose, won't work by itself; one must choose the crypto provider for Rustls. There are two predefined flags for this purpose, tls-rustls-aws-lc-rs and tls-rustls-ring. If another provider is needed, it can be chosen by activating the corresponding feature in Rustls and setting the flags tls-rustls and rustls-provider. For example the AWS FIPS provider can be chosen with:
...
--features tls-rustls,rustls/fips,rustls-providerNot selecting a provider, or selecting one without specifying rustls-provider, will produce a compile-time error.
Without any features, only plain TCP connections (and Unix domain sockets on Unix-like platforms) are available. For TLS support, tls and tls-rustls are mutually exclusive: choosing both will produce a compile-time error.
Licensed under either of:
- Apache License, Version 2.0 (LICENSE-APACHE), or
- MIT license (LICENSE-MIT)
at your option.
