I am trying to get LDAP authentication working with SSL encryption. I have finally figured out how to authenticate against our central LDAP server with SSL (simple authentication, no SASL). To get OpenLDAP's ldapsearch client program to work, I had to add some configuration information to /etc/openldap/ldap.conf. After those changes were in place, I could use ruby/ldap to authenticate via irb using conn = LDAP::SSLConn.new(host, port) (no TLS).

However, I can't authenticate over LDAPS from within Rails. I am using the Acts_as_LDAP_Authenticated plugin from http://www.noitulove.ch/ldap-authentication-plugin-for-rails/. If I configure my server not to use SSL, then I can authenticate just fine. If, however, I request SSL, I get the error below:
LDAP::ResultError (Operations error):
    /app/models/ldap_server.rb:86:in `initialize'
    /app/models/ldap_server.rb:86:in `connect'
    /app/models/ldap_server.rb:70:in `authenticated?'
    /app/models/user.rb:39:in `authenticated?'
    /app/models/user.rb:22:in `authenticate'
    /app/controllers/account_controller.rb:75:in `login'
    /software/stow/ruby-1.8.4/lib/ruby/gems/1.8/gems/actionpack-1.13.3/lib/action_controller/base.rb:1095:in `perform_action_without_filters'
    …
The line in question looks a lot like what I can do from irb. I have even tried changing it so it is exactly what I use from irb. But I still get the same error message. The connect method is:
    require 'ldap'   # ruby/ldap: provides LDAP::Conn and LDAP::SSLConn

    def connect
      conn = nil
      if self.ssl?
        # LDAPS: the session is TLS from the first byte (no STARTTLS)
        conn = LDAP::SSLConn.new self.host, self.port
      else
        # plain LDAP, no encryption
        conn = LDAP::Conn.new self.host, self.port
      end
      # ask for LDAPv3; the option constants live in the LDAP module
      conn.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)
      conn
    end
I suspect the issue may be that from within the Rails context, the configuration options from my ldap.conf file are not being honored.
- Does anyone know how to make ruby/ldap give more informative error messages? I would like more detail on the operations error that appears to be in some initialize function somewhere. I am assuming it is failing at the same point where ldapsearch was having trouble, but I can't figure out how to confirm that.
- Does anyone know how to pass options directly to ruby/ldap? There are tantalizing methods like conn.set_option, but I am having trouble figuring out the legal options and how they relate to the configuration options that I set in ldap.conf.
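The following is an added example, not code from the original post, from the Acts_as_LDAP_Authenticated plugin, or from ruby/ldap itself. It shows the two things asked about above: how the TLS keywords that ldapsearch reads from /etc/openldap/ldap.conf (TLS_CACERT, TLS_REQCERT, ...) map onto conn.set_option calls with ruby/ldap's LDAP::LDAP_OPT_X_TLS_* constants, and how to pull the error number, its name and the server-supplied diagnostic string out of a failed bind instead of only "Operations error". Assumptions: the LDAP_OPT_X_TLS_* constants and LDAP::Conn#get_option/#err/#err2string exist in the installed ruby/ldap (they are only defined when libldap was built with TLS support); the ldap.conf text, host, port and DN are constructed sample values; the require is guarded so the parsing and message helpers run even where the extension is not installed.

```ruby
# Added example (not from the original post, the Acts_as_LDAP_Authenticated
# plugin, or ruby/ldap): set the TLS options that ldapsearch takes from
# /etc/openldap/ldap.conf explicitly on a ruby/ldap connection, and get
# libldap's diagnostic text out of a failed bind instead of the bare message.
begin
  require 'ldap'           # ruby/ldap native extension
  HAVE_RUBY_LDAP = true
rescue LoadError
  HAVE_RUBY_LDAP = false   # parser and message helpers below still run without it
end

# ldap.conf(5) TLS keyword -> ruby/ldap option constant (assumed to match the
# installed build). Looked up by name at call time so this file loads even
# where the extension is absent.
TLS_KEYWORD_TO_OPTION = {
  'TLS_CACERT'    => 'LDAP_OPT_X_TLS_CACERTFILE',
  'TLS_CACERTDIR' => 'LDAP_OPT_X_TLS_CACERTDIR',
  'TLS_CERT'      => 'LDAP_OPT_X_TLS_CERTFILE',
  'TLS_KEY'       => 'LDAP_OPT_X_TLS_KEYFILE',
  'TLS_REQCERT'   => 'LDAP_OPT_X_TLS_REQUIRE_CERT',
}

# TLS_REQCERT takes a keyword, not a path; these are ruby/ldap constants too.
TLS_REQCERT_VALUES = {
  'never'  => 'LDAP_OPT_X_TLS_NEVER',
  'allow'  => 'LDAP_OPT_X_TLS_ALLOW',
  'try'    => 'LDAP_OPT_X_TLS_TRY',
  'demand' => 'LDAP_OPT_X_TLS_DEMAND',
  'hard'   => 'LDAP_OPT_X_TLS_HARD',
}

# Turn ldap.conf text into [option_constant_name, value] pairs. Non-TLS
# keywords (URI, BASE, ...) are ignored. An unknown TLS_REQCERT value is an
# error rather than a silent default, because that keyword decides whether
# the server certificate is verified at all.
def tls_options_from_ldap_conf(text)
  options = []
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip        # drop comments and whitespace
    next if line.empty?
    keyword, value = line.split(/\s+/, 2)
    keyword = keyword.upcase
    option = TLS_KEYWORD_TO_OPTION[keyword]
    next unless option && value
    if keyword == 'TLS_REQCERT'
      value = TLS_REQCERT_VALUES[value.strip.downcase]
      raise ArgumentError, 'unknown TLS_REQCERT value in ldap.conf' unless value
    end
    options << [option, value.strip]
  end
  options
end

# Same shape as the plugin's connect method, plus the explicit options, all
# applied before the first operation (the bind). Whether a per-connection TLS
# option overrides the ldap.conf default for the LDAPS handshake depends on the
# ruby/ldap and libldap versions (assumption): check by pointing TLS_CACERT at
# a deliberately wrong path, which must then make the bind fail.
def connect_with_options(host, port, ssl, options)
  raise LoadError, 'ruby/ldap is not installed' unless HAVE_RUBY_LDAP
  conn = ssl ? LDAP::SSLConn.new(host, port) : LDAP::Conn.new(host, port)
  conn.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)
  options.each do |name, value|
    value = LDAP.const_get(value) if value =~ /\ALDAP_OPT_X_TLS_/
    conn.set_option(LDAP.const_get(name), value)
  end
  conn
end

# One message carrying everything libldap knows about a failure.
def diagnostic_message(exception_text, code, code_name, server_text)
  extra = server_text.to_s.strip
  msg = "#{exception_text} (ldap error #{code}: #{code_name}"
  msg += ", server says: #{extra}" unless extra.empty?
  msg + ')'
end

# Simple bind; on failure re-raise with the error number, its name and the
# server-supplied diagnostic string (LDAP_OPT_ERROR_STRING) attached.
def bind_with_diagnostics(conn, dn, password)
  conn.bind(dn, password)
  conn
rescue LDAP::ResultError => e
  code = conn.err
  # not every ruby/ldap build exposes this option; treat absence as no text
  server_text = (conn.get_option(LDAP::LDAP_OPT_ERROR_STRING) rescue nil)
  raise LDAP::ResultError,
        diagnostic_message(e.message, code, conn.err2string(code), server_text)
end

# Constructed sample, not a real file.
SAMPLE_LDAP_CONF = <<-CONF
  # /etc/openldap/ldap.conf (constructed sample)
  URI         ldaps://ldap.example.com
  BASE        dc=example,dc=com
  TLS_CACERT  /etc/openldap/cacerts/ca.pem
  TLS_REQCERT demand
CONF

if __FILE__ == $0
  tls_options_from_ldap_conf(SAMPLE_LDAP_CONF).each do |name, value|
    puts "conn.set_option(LDAP::#{name}, #{value.inspect})"
  end
end
```

Two caveats. If the exception is raised inside LDAP::SSLConn.new itself, there is no connection object to ask for err or LDAP_OPT_ERROR_STRING, so the exception text is all ruby/ldap gives; the cheapest way to see libldap's own view of the TLS handshake is ldapsearch -d 1 against the same host, which prints the TLS trace. Independently of set_option, libldap reads ldap.conf lazily and, as documented in ldap.conf(5), also honours environment variables named after the keywords (LDAPCONF to name an extra config file, LDAPTLS_CACERT, LDAPTLS_REQCERT), so setting those in ENV before the Rails process opens its first connection is another way to give it exactly what ldapsearch sees.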