LDAP authentication with SSL

I am trying to get LDAP authentication working with SSL encryption. I have finally figured out how to authenticate against our central LDAP server with SSL (simple authentication, no SASL). To get OpenLDAP's ldapsearch client program to work, I had to add some configuration information to /etc/openldap/ldap.conf. After those changes were in place, I could use ruby/ldap to authenticate via irb using conn = LDAP::SSLConn.new(host, port) (no TLS). However, I can't authenticate over LDAPS from within Rails. I am using the Acts_as_LDAP_Authenticated plugin from http://www.noitulove.ch/ldap-authentication-plugin-for-rails/ . If I configure my server not to use SSL, then I can authenticate just fine. If, however, I request ssl, I get the error below.

    LDAP::ResultError (Operations error):
        /app/models/ldap_server.rb:86:in `initialize'
        /app/models/ldap_server.rb:86:in `connect'
        /app/models/ldap_server.rb:70:in `authenticated?'
        /app/models/user.rb:39:in `authenticated?'
        /app/models/user.rb:22:in `authenticate'
        /app/controllers/account_controller.rb:75:in `login'
        /software/stow/ruby-1.8.4/lib/ruby/gems/1.8/gems/actionpack-1.13.3/lib/action_controller/base.rb:1095:in `perform_action_without_filters'
        …

The line in question looks a lot like what I can do from irb. I have even tried changing it so it is exactly what I use from irb. But I still get the same error message. The connect method is:

    def connect
      conn = nil
      if self.ssl?
        # LDAPS: SSL from the start of the connection, no StartTLS
        conn = LDAP::SSLConn.new self.host, self.port
      else
        # plain, unencrypted LDAP
        conn = LDAP::Conn.new self.host, self.port
      end
      # speak LDAPv3 regardless of the libldap default
      conn.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)
      conn
    end

I suspect the issue may be that from within the Rails context, the
configuration options from my ldap.conf file are not being honored.

  1. Does anyone know how to make ruby/ldap give more informative error
     messages? I would like more detail on the operations error that appears
     to be in some initialize function somewhere. I am assuming it is failing
     at the same point where ldapsearch was having trouble - but I can't
     figure out how to confirm that.

  2. Does anyone know how to pass options directly to ruby/ldap? There are
     tantalizing methods like conn.set_option but I am having trouble
     figuring out legal options and how they relate to configuration options
     that I set in ldap.conf.


Cynthia K.
[email protected]
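An added example of the connect-and-bind step and of the two questions above; this is my code, not the thread's or the ruby-ldap project's. It pins the protocol version and TLS certificate verification on the connection itself (set before the first operation, so it does not depend on ldap.conf being read) and reports libldap's own result code through conn.err / conn.err2string instead of a bare "Operations error". It assumes your ruby-ldap build exposes the OpenLDAP constants LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND and LDAP_OPT_X_TLS_CACERTFILE; StubConn, the CA path and the sample DN are constructed for the offline run.

```ruby
begin
  require 'ldap'   # ruby-ldap, the RFC1823 bindings discussed in the thread
rescue LoadError
  nil              # not installed here; StubConn below still exercises the helper
end

# TLS settings pinned in code (constant names assumed from ruby-ldap's OpenLDAP
# build) so the server certificate is verified even if ldap.conf is not read.
def ldaps_options(cacert_file)
  { LDAP::LDAP_OPT_PROTOCOL_VERSION   => 3,
    LDAP::LDAP_OPT_X_TLS_REQUIRE_CERT => LDAP::LDAP_OPT_X_TLS_DEMAND,
    LDAP::LDAP_OPT_X_TLS_CACERTFILE   => cacert_file }
end

# ldaps:// from the first byte, no StartTLS, like the thread's SSLConn call.
def ldaps_factory(host, port = 636)
  lambda { LDAP::SSLConn.new(host, port, false) }
end

# Simple bind that reports the failing step and libldap's own result code,
# instead of surfacing only "LDAP::ResultError (Operations error)".
def ldap_bind_report(factory, options, dn, password)
  step = 'connect'
  conn = factory.call
  options.each { |opt, val| step = "set_option(#{opt})"; conn.set_option(opt, val) }
  step = 'bind'
  conn.bind(dn, password)
  conn.unbind
  { :ok => true, :step => step, :code => 0, :error => 'Success' }
rescue StandardError => e
  code = conn.respond_to?(:err) ? conn.err : -1            # conn is nil if connect failed
  msg  = conn.respond_to?(:err2string) ? conn.err2string(code) : e.message
  { :ok => false, :step => step, :code => code, :error => msg, :exception => e.class.name }
end

# Constructed stand-in for LDAP::SSLConn so the helper can be run offline.
class StubConn
  RESULTS = { 0 => 'Success', 1 => 'Operations error', 49 => 'Invalid credentials' }
  def initialize(bind_code); @opts = {}; @code = bind_code; end
  def set_option(opt, val); @opts[opt] = val; end
  def bind(dn, password); raise err2string(@code) unless @code == 0; end
  def unbind; end
  def err; @code; end
  def err2string(code); RESULTS.fetch(code) { "unknown result #{code}" }; end
end

if __FILE__ == $0
  # real use: ldap_bind_report(ldaps_factory('ldap.example.com'), ldaps_options('/etc/ssl/ca.pem'), dn, pw)
  p ldap_bind_report(lambda { StubConn.new(49) }, { :protocol_version => 3 }, 'uid=demo,dc=example,dc=com', 'wrong')
end
```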

On Tue, 2007-12-11 at 19:52 -0800, Cynthia K. wrote:

> configure my server not to use SSL, then I can authenticate just fine.
> `perform_action_without_filters' …
> conn = LDAP::Conn.new self.host, self.port
> appears to be in some initialize function somewhere. I am assuming it
> is failing at the same point where ldapsearch was having trouble - but
> I can't figure out how to confirm that.
>
>   1. Does anyone know how to pass options directly to ruby/ldap? There
>      are tantalizing methods like conn.set_option but I am having trouble
>      figuring out legal options and how they relate to configuration
>      options that I set in ldap.conf.

I don’t know that tool you referred to and I’m using…

    rpm -q --info ruby-ldap

    Name        : ruby-ldap                         Relocations: (not relocatable)
    Version     : 0.9.7                             Vendor: (none)
    Release     : 1                                 Build Date: Sun 01 Jul 2007 05:01:16 PM MST
    Install Date: Sun 01 Jul 2007 05:01:55 PM MST   Build Host: OBSCURED
    Group       : Applications/Ruby                 Source RPM: ruby-ldap-0.9.7-1.src.rpm
    Size        : 185033                            License: Redistributable
    Signature   : (none)
    Packager    : Ian M.
    URL         : http://ruby-ldap.sourceforge.net/
    Summary     : LDAP API (RFC1823) library module for Ruby.
    Description :
    Ruby/LDAP is an extension module for Ruby. It provides the interface to some
    LDAP libraries (for example, OpenLDAP, UMich LDAP, Netscape SDK and
    ActiveDirectory). The common API for application development is described in
    RFC1823 and most libraries comply with it. Ruby/LDAP supports those libraries.

This claims to support both TLS and SSL but to be honest, I punted the
whole issue and replicate LDAP to the same server and have ruby/rails
simply talk to localhost (I’m read only anyway).

Probably not a help but just thought I would toss this info your way.

Craig

Thought I would post back to say that the SSL connection turned out to be a red herring. The real problem - which only showed up if I tried to bind to LDAP before doing any manipulations (other parts of my code query LDAP but w/o having to bind first) - turned out to be a conflict with part of the Oracle client libraries that contain incompatible ldap functionality. Once I had traced the problem to something to do with binding when the Oracle ruby adapter was also loaded, I found this post with the solution (require 'ldap' before the Rails boot line in environment.rb):
http://lists.rubyonrails.org/pipermail/rails/2006-April/032583.html

Cynthia K.
[email protected]