I am trying to get LDAP authentication working with SSL encryption. I have
finally figured out how to authenticate against our central LDAP server with
SSL (simple authentication, no SASL). To get OpenLDAP's ldapsearch client
program to work, I had to add some configuration information to
/etc/openldap/ldap.conf. After those changes were in place, I could use
ruby/ldap to authenticate via irb using conn = LDAP::SSLConn.new(host, port)
(no TLS). However, I can't authenticate over LDAPS from within Rails. I am
using the Acts_as_LDAP_Authenticated plugin from
http://www.noitulove.ch/ldap-authentication-plugin-for-rails/ If I configure
my server not to use SSL, then I can authenticate just fine. If, however, I
request ssl, I get the error below.
LDAP::ResultError (Operations error):
    /app/models/ldap_server.rb:86:in `initialize'
    /app/models/ldap_server.rb:86:in `connect'
    /app/models/ldap_server.rb:70:in `authenticated?'
    /app/models/user.rb:39:in `authenticated?'
    /app/models/user.rb:22:in `authenticate'
    /app/controllers/account_controller.rb:75:in `login'
    /software/stow/ruby-1.8.4/lib/ruby/gems/1.8/gems/actionpack-1.13.3/lib/action_controller/base.rb:1095:in `perform_action_without_filters'
    ...
The line in question looks a lot like what I can do from irb. I have even
tried changing it so it is exactly what I use from irb. But I still get the
same error message. The connect method is:
  # Open the connection (LDAPS or plain LDAP) that the bind will be done on.
  def connect
    conn = if ssl?
             LDAP::SSLConn.new(host, port)   # LDAPS: TLS from the first byte
           else
             LDAP::Conn.new(host, port)      # plain LDAP
           end
    conn.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)  # speak LDAP v3
    conn
  end
I suspect the issue may be that from within the Rails context, the
configuration options from my ldap.conf file are not being honored.

1. Does anyone know how to make ruby/ldap give more informative error
messages? I would like more detail on the operations error that appears to
be in some initialize function somewhere. I am assuming it is failing at the
same point where ldapsearch was having trouble - but I can't figure out how
to confirm that.

2. Does anyone know how to pass options directly to ruby/ldap? There are
tantalizing methods like conn.set_option but I am having trouble figuring
out legal options and how they relate to configuration options that I set in
ldap.conf.
--
Cynthia Kiser
cynthia.kiser-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
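An added example, not code from this thread, from ruby/ldap or from the plugin: a stdlib-only probe that does nothing but the TLS handshake against an LDAPS port, so that a certificate or trust-store problem can be confirmed or ruled out separately from ruby/ldap and Rails. It assumes the ldap.conf changes in question were TLS trust settings such as TLS_CACERT and TLS_REQCERT (the post does not say which options were added); ldaps_context mirrors those two settings in Ruby's OpenSSL bindings and probe_ldaps reports the handshake result. The function names, the loopback test listener and the self-signed certificates are all constructed for the example.

```ruby
# Added example (not from the thread): a stdlib-only LDAPS transport probe that
# does only the TLS handshake, separating trust problems from ruby/ldap.
require "openssl"
require "socket"
require "tempfile"

# Client-side TLS context. ca_file plays the role of ldap.conf's TLS_CACERT;
# require_cert true corresponds to "TLS_REQCERT demand" (authenticate the
# server), false to "TLS_REQCERT never" (encrypt, but trust anything).
def ldaps_context(ca_file: nil, require_cert: true)
  ctx = OpenSSL::SSL::SSLContext.new
  if require_cert
    ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
    ctx.verify_hostname = true           # the cert must also name the host
    store = OpenSSL::X509::Store.new
    store.add_file(ca_file) if ca_file   # trust only the CA we were given
    ctx.cert_store = store
  else
    ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  end
  ctx
end

# Handshake with host:port and report the outcome; no LDAP traffic is sent.
# server_name is the name checked against the certificate (and sent as SNI);
# in real use it is simply the LDAP server's hostname.
def probe_ldaps(host, port, ctx, server_name: host)
  tcp = TCPSocket.new(host, port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = server_name
  ssl.connect
  { ok: true, subject: ssl.peer_cert.subject.to_s }
rescue OpenSSL::SSL::SSLError, SystemCallError => e
  { ok: false, error: e.message }
ensure
  ssl&.close
  tcp&.close
end

# Self-signed certificate constructed for the demo (stands in for a real CA).
def self_signed(cn, san_dns)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{san_dns}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Loopback TLS listener that completes handshakes and hangs up; yields its port.
def with_tls_server(key, cert)
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.cert, sctx.key = cert, key
  tcp = TCPServer.new("127.0.0.1", 0)
  srv = OpenSSL::SSL::SSLServer.new(tcp, sctx)
  th = Thread.new do
    loop do
      begin
        srv.accept.close
      rescue StandardError
        # a client rejected our certificate; keep serving
      end
    end
  end
  yield tcp.addr[1]
ensure
  th&.kill
  th&.join(1)
  tcp&.close
end

# Probe the loopback listener three ways (its own CA trusted, an unrelated CA
# trusted, verification off) and return the three results keyed by case.
def demo
  key, cert = self_signed("test-ldap", "localhost")
  _, other = self_signed("unrelated-ca", "localhost")
  Tempfile.create(["good", ".pem"]) do |good|
    good.write(cert.to_pem); good.flush
    Tempfile.create(["other", ".pem"]) do |bad|
      bad.write(other.to_pem); bad.flush
      with_tls_server(key, cert) do |port|
        probe = ->(ctx) { probe_ldaps("127.0.0.1", port, ctx, server_name: "localhost") }
        { trusted:    probe.call(ldaps_context(ca_file: good.path)),
          untrusted:  probe.call(ldaps_context(ca_file: bad.path)),
          unverified: probe.call(ldaps_context(require_cert: false)) }
      end
    end
  end
end

demo.each { |label, r| puts "#{label}: #{r.inspect}" } if __FILE__ == $0
```

Run as a script it builds a throwaway CA, starts a loopback listener and probes it three ways. Against a real directory, call probe_ldaps(host, 636, ldaps_context(ca_file: "/path/to/ca.pem")) from inside the Rails process (script/console or an initializer): a result of ok: false whose error contains "certificate verify failed" means the CA file does not cover the server's certificate, which is exactly the case where ldap.conf settings honored by ldapsearch but not by the application would show up. require_cert: false only proves that something answers TLS on the port; it authenticates nothing, so it is a diagnostic setting, not a configuration to keep.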
On Tue, 2007-12-11 at 19:52 -0800, Cynthia Kiser wrote:
> 1. Does anyone know how to make ruby/ldap give more informative error
> messages? I would like more detail on the operations error that
> appears to be in some initialize function somewhere. I am assuming it
> is failing at the same point where ldapsearch was having trouble - but
> I can't figure out how to confirm that.
>
> 2. Does anyone know how to pass options directly to ruby/ldap? There
> are tantalizing methods like conn.set_option but I am having trouble
> figuring out legal options and how they relate to configuration
> options that I set in ldap.conf.

I don't know that tool you referred to and I'm using...

# rpm -q --info ruby-ldap
Name        : ruby-ldap                    Relocations: (not relocatable)
Version     : 0.9.7                             Vendor: (none)
Release     : 1                             Build Date: Sun 01 Jul 2007 05:01:16 PM MST
Install Date: Sun 01 Jul 2007 05:01:55 PM MST      Build Host: OBSCURED
Group       : Applications/Ruby             Source RPM: ruby-ldap-0.9.7-1.src.rpm
Size        : 185033                           License: Redistributable
Signature   : (none)
Packager    : Ian Macdonald <ian AT caliban.org>
URL         : http://ruby-ldap.sourceforge.net/
Summary     : LDAP API (RFC1823) library module for Ruby.
Description :
Ruby/LDAP is an extension module for Ruby. It provides the interface to some
LDAP libraries (for example, OpenLDAP, UMich LDAP, Netscape SDK and
ActiveDirectory). The common API for application development is described in
RFC1823 and most libraries comply with it. Ruby/LDAP supports those
libraries.

This claims to support both TLS and SSL but to be honest, I punted the whole
issue and replicate LDAP to the same server and have ruby/rails simply talk
to localhost (I'm read only anyway). Probably not a help but just thought I
would toss this info your way.

Craig
Thought I would post back to say that the SSL connection turned out to be a
red herring. The real problem - which only showed up if I tried to bind to
LDAP before doing any manipulations (other parts of my code query LDAP but
w/o having to bind first) - turned out to be a conflict with part of the
Oracle client libraries that contain incompatible ldap functionality. Once I
had traced the problem to something to do with binding when the Oracle ruby
adapter was also loaded, I found this post with the solution (require 'ldap'
before the Rails boot line in environment.rb):
http://lists.rubyonrails.org/pipermail/rails/2006-April/032583.html

--
Cynthia Kiser
cynthia.kiser-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org