LDAP authentication with SSL

I am trying to get LDAP authentication working with SSL encryption. I have finally figured out how to authenticate against our central LDAP server with SSL (simple authentication, no SASL). To get OpenLDAP's ldapsearch client program to work, I had to add some configuration information to /etc/openldap/ldap.conf. After those changes were in place, I could use ruby/ldap to authenticate via irb using conn = LDAP::SSLConn.new(host, port) (no TLS). However, I can't authenticate over LDAPS from within Rails. I am using the Acts_as_LDAP_Authenticated plugin from http://www.noitulove.ch/ldap-authentication-plugin-for-rails/ . If I configure my server not to use SSL, then I can authenticate just fine. If, however, I request SSL, I get the error below.

LDAP::ResultError (Operations error):

    /app/models/ldap_server.rb:86:in `initialize'
    /app/models/ldap_server.rb:86:in `connect'
    /app/models/ldap_server.rb:70:in `authenticated?'
    /app/models/user.rb:39:in `authenticated?'
    /app/models/user.rb:22:in `authenticate'
    /app/controllers/account_controller.rb:75:in `login'
    /software/stow/ruby-1.8.4/lib/ruby/gems/1.8/gems/actionpack-1.13.3/lib/action_controller/base.rb:1095:in `perform_action_without_filters' ...

The line in question looks a lot like what I can do from irb. I have even tried changing it so it is exactly what I use from irb. But I still get the same error message. The connect method is:

  def connect
    conn = nil
    if self.ssl?
      # LDAPS: the connection is TLS-wrapped from the first byte (no STARTTLS)
      conn = LDAP::SSLConn.new self.host, self.port
    else
      # plain, unencrypted LDAP
      conn = LDAP::Conn.new self.host, self.port
    end
    # use LDAPv3; OpenLDAP 2.x refuses LDAPv2 binds unless explicitly enabled
    conn.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)
    conn
  end

I suspect the issue may be that from within the Rails context, the configuration options from my ldap.conf file are not being honored.

  1. Does anyone know how to make ruby/ldap give more informative error messages? I would like more detail on the operations error that appears to be in some initialize function somewhere. I am assuming it is failing at the same point where ldapsearch was having trouble - but I can't figure out how to confirm that.

  2. Does anyone know how to pass options directly to ruby/ldap? There are tantalizing methods like conn.set_option, but I am having trouble figuring out the legal options and how they relate to the configuration options that I set in ldap.conf.

Thought I would post back to say that the SSL connection turned out to be a red herring. The real problem - which only showed up if I tried to bind to LDAP before doing any manipulations (other parts of my code query LDAP but w/o having to bind first) - turned out to be a conflict with part of the Oracle client libraries that contain incompatible ldap functionality. Once I had traced the problem to something to do with binding when the Oracle ruby adapter was also loaded, I found this post with the solution (require 'ldap' before the Rails boot line in environment.rb): http://lists.rubyonrails.org/pipermail/rails/2006-April/032583.html