
ruby-net-ldap's Introduction

Net::LDAP for Ruby


Description

Net::LDAP for Ruby (also called net-ldap) implements client access for the Lightweight Directory Access Protocol (LDAP), an IETF standard protocol for accessing distributed directory services. Net::LDAP is written completely in Ruby with no external dependencies. It supports most LDAP client features and a subset of server features as well.

Net::LDAP has been tested against modern popular LDAP servers including OpenLDAP and Active Directory. The current release is mostly compliant with earlier versions of the IETF LDAP RFCs (2251–2256, 2829–2830, 3377, and 3771). Our roadmap for Net::LDAP 1.0 is to gain full client compliance with the most recent LDAP RFCs (4510–4519, plus portions of 4520–4532).

Where

Synopsis

See Net::LDAP on rubydoc.info for documentation and usage samples.

Requirements

Net::LDAP requires a Ruby 2.0.0 compatible interpreter or better.

Install

Net::LDAP is a pure Ruby library. It does not require any external libraries. You can install the RubyGems version of Net::LDAP available from the usual sources.

gem install net-ldap

Simply require either 'net-ldap' or 'net/ldap'.

Extensions

This library focuses on the core LDAP RFCs referenced in the description. However, we recognize there are commonly used extensions to the spec that are useful. If there is another library which handles it, we list it here.

  • resolv-srv: Support RFC2782 SRV record lookup and failover

Develop

This task will run the test suite and the RuboCop static code analyzer.

rake rubotest

CI takes too long? If your local box supports Docker, you can also run integration tests locally. Simply run:

script/ldap-docker
INTEGRATION=openldap rake test

Or, use Docker Compose. See docker-compose.yml for available Ruby versions.

docker-compose run ci-2.7

CAVEAT: you need to add the following lines to /etc/hosts

127.0.0.1 ldap.example.org
127.0.0.1 cert.mismatch.example.org

Release

This section is for gem maintainers to cut a new version of the gem.

  • Check out a new branch `release-VERSION`

  • Update lib/net/ldap/version.rb to next version number X.X.X following semver.

  • Update `History.rdoc`. Get latest changes with `script/changelog`

  • Open a pull request with these changes for review

  • After merging, on the master branch, run `script/release`

:include: Contributors.rdoc

:include: License.rdoc

ruby-net-ldap's People

Contributors

astratto, cmdrclueless, danabr, davidjlee, dzaporozhets, fre-jmas-tatsuya-ogawa, fwininger, gogainda, guilhermewop, gwillcox-r7, harlemsquirrel, jch, kschiess, marutosi, mcarpenter, mtodd, mynameisrufus, ngwilson, nolman, ojab, olleolleolle, pvdb, radixhound, roryo, satoryu, schaary, smangelsdorf, sonofra, tmm1, vroldanbet


ruby-net-ldap's Issues

undefined method `map' for 18400597803079440689678002902069631524796887079072566:Bignum (NoMethodError)

When attempting to execute this code:

require 'pry'
require 'net/ldap'
$HOST =    'psp.int'
$PORT =    389

auth = {
  :method => :simple, 
  :username => 'psp\\administrator', 
  :password => 'Aa123456'
}
ldap = Net::LDAP.new(:host => $HOST, :port => $PORT, :auth => auth)
ldap.open do |ldap|
  treebase = "ou=Offices, dc=psp, dc=int"

  dn = "cn=George Smith, #{treebase}"
  attr = {
    :cn => "George Smith",

    :samAccountName => 'gs',
    :userPrincipalName => '[email protected]',
    :useraccountcontrol => 0x0200,
    :pwdLastSet => 0,

    :objectclass => ['top',"person", "organizationalPerson", "user"],
    :sn => "Smith",
    :mail => "[email protected]"
  }
  ldap.add(:dn => dn, :attributes => attr)
end

There is the following error:

/var/lib/gems/1.9.1/gems/net-ldap-0.6.1/lib/net/ldap/pdu.rb:219:in `parse_controls': undefined method `map' for 18400597803079440689678002902069631524796887079072566:Bignum (NoMethodError)
        from /var/lib/gems/1.9.1/gems/net-ldap-0.6.1/lib/net/ldap/pdu.rb:104:in `initialize'
        from /var/lib/gems/1.9.1/gems/net-ldap-0.6.1/lib/net/ldap.rb:1603:in `new'
        from /var/lib/gems/1.9.1/gems/net-ldap-0.6.1/lib/net/ldap.rb:1603:in `add'
        from /var/lib/gems/1.9.1/gems/net-ldap-0.6.1/lib/net/ldap.rb:830:in `add'
        from ldap_exp_net_ldap.rb:36:in `block in <main>'
        from /var/lib/gems/1.9.1/gems/net-ldap-0.6.1/lib/net/ldap.rb:580:in `open'
        from ldap_exp_net_ldap.rb:12:in `<main>'

ActiveDirectory level 2003
The code is taken from an example http://net-ldap.rubyforge.org/Net/LDAP.html#method-i-add
Search takes place successfully

Verify the server certificate

I need to verify that I am talking to the same secure server before I do ldap.bind.
I couldn't find anything in the documentation about how to do this.
Is there a workaround which allows me to verify the certificate in Ruby?

Additional details:

  1. The certificate which is passed on to me is the same as the one I see when I run:
     openssl s_client -showcerts -connect "<host>:<port>" </dev/null 2>/dev/null|openssl x509 -outform PEM
  2. I used http://www.ldapsoft.com/ to connect to the client's server.
     Unless I add the certificate file given to me in Security > Manage server certificates, I get a warning saying unknown security certificate.
  3. I tried to do it manually first in plain Ruby (without the gem), but I get the following error:
     test-ssl.rb:23:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

require 'openssl'
require 'socket'

cert_store = OpenSSL::X509::Store.new
cert_store.add_file "server-wildcard.crt"
io = TCPSocket.new("SECURELDAP.UMC.EDU","636")
ctx = OpenSSL::SSL::SSLContext.new
#ctx.cert = OpenSSL::X509::Certificate.new(File.read("server-wildcard.crt"))
#ctx.client_ca = OpenSSL::X509::Certificate.new(File.read("server-wildcard.crt"))
#ctx.ca_file = "server-wildcard.crt"
#ctx.ca_path = "./"
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
ctx.cert_store = cert_store
conn = OpenSSL::SSL::SSLSocket.new(io, ctx)
conn.connect
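The check the poster is after, written as an added example (it is not code from the issue or from net-ldap): the server certificate is verified against a pinned CA and then against the hostname that was dialled, before any bind. A throwaway CA, a matching server certificate, a certificate for another host and one signed by an untrusted CA are generated in memory as constructed test data, so it runs offline. The `:tls_options` hook mentioned in the comments is an assumption about newer net-ldap releases, not something the 0.x versions in this thread offer.

```ruby
# Added example, not code from the issue or from net-ldap: check a server
# certificate against a pinned CA and against the expected hostname before
# any bind is sent. The CA and certificates below are constructed test data.
require 'openssl'

# Returns :ok, :untrusted_chain or :hostname_mismatch for +cert+.
# +trusted_cas+ is an Array of OpenSSL::X509::Certificate; with a file on
# disk you would use OpenSSL::X509::Store#add_file instead of add_cert.
def check_server_cert(cert, trusted_cas, hostname)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |ca| store.add_cert(ca) }
  return :untrusted_chain unless store.verify(cert)
  # A valid chain is not enough: any certificate the CA ever issued would
  # pass, so the name we dialled must also appear in the SAN/CN.
  return :hostname_mismatch unless OpenSSL::SSL.verify_certificate_identity(cert, hostname)
  :ok
end

# The same policy as SSLContext settings for a live connection. Handing
# these to net-ldap as encryption: { method: :simple_tls, tls_options: ... }
# assumes a net-ldap release that accepts :tls_options (newer than the 0.x
# versions discussed in this thread).
def strict_tls_options(trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |ca| store.add_cert(ca) }
  { verify_mode: OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT,
    cert_store: store,
    verify_hostname: true }
end

# Constructed test PKI: self-signed when no issuer is given.
def issue_cert(cn, serial, issuer: nil, issuer_key: nil, ca: false, san: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{san}", false))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Exercises the three outcomes; returns a Hash of results.
def cert_demo
  ca, ca_key       = issue_cert('Test CA', 1, ca: true)
  rogue, rogue_key = issue_cert('Rogue CA', 2, ca: true)
  good, _   = issue_cert('ldap.example.org', 3, issuer: ca, issuer_key: ca_key, san: 'ldap.example.org')
  other, _  = issue_cert('other.example.org', 4, issuer: ca, issuer_key: ca_key, san: 'other.example.org')
  forged, _ = issue_cert('ldap.example.org', 5, issuer: rogue, issuer_key: rogue_key, san: 'ldap.example.org')
  { good:   check_server_cert(good,   [ca], 'ldap.example.org'),
    other:  check_server_cert(other,  [ca], 'ldap.example.org'),
    forged: check_server_cert(forged, [ca], 'ldap.example.org') }
end

puts cert_demo.inspect if $PROGRAM_NAME == __FILE__
```

The poster's snippet already had the chain check right (`VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT` with a pinned store); what it lacked was the hostname check, which is what separates "signed by my CA" from "is the server I meant to talk to".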

389-DS connection issue

A simple test against CentOS-DS works, but against a recent 389-DS it fails:

#############test-ldap.rb###############
# host IP 192.168.0.12
require 'rubygems'
require 'net/ldap'
require 'pp'
ldap = Net::LDAP.new
ldap.host = "192.168.0.5"
ldap.port = 389
username,password = "java", "javapass"
result = ldap.bind_as(
 :base => "ou=Users,dc=example,dc=com",
 :filter => "(uid=#{username})",
 :password => password
)

if result
  pp result
else
  puts "Authentication FAILED."
  pp result
end
#####################################

SUCCEED. Access log from CentOS-DS-8.2.0-2.el5

#####################################
[05/Oct/2012:12:51:46 +0300] conn=103017 fd=93 slot=93 connection from 192.168.0.12 to 192.168.0.5
[05/Oct/2012:12:51:46 +0300] conn=103017 op=0 BIND dn="" method=128 version=3
[05/Oct/2012:12:51:46 +0300] conn=103017 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[05/Oct/2012:12:51:46 +0300] conn=103017 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs="namingContexts supportedLDAPVersion altServer supportedControl supportedExtension supportedFeatures supportedSASLMechanisms"
[05/Oct/2012:12:51:46 +0300] conn=103017 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[05/Oct/2012:12:51:46 +0300] conn=103017 op=2 SRCH base="ou=Users,dc=example,dc=com" scope=2 filter="(uid=java)" attrs=ALL
[05/Oct/2012:12:51:46 +0300] conn=103017 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[05/Oct/2012:12:51:46 +0300] conn=103017 op=3 BIND dn="uid=java,ou=Users,dc=example,dc=com" method=128 version=3
[05/Oct/2012:12:51:46 +0300] conn=103017 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=java,ou=users,dc=example,dc=com"
[05/Oct/2012:12:51:46 +0300] conn=103017 op=-1 fd=93 closed - B1
#####################################

FAILED. Access log from 389-ds-1.2.2-1.el6

#####################################
[05/Oct/2012:13:04:30 +0300] conn=40926 fd=75 slot=75 connection from 192.168.0.12 to 192.168.0.3
[05/Oct/2012:13:04:30 +0300] conn=40926 op=0 BIND dn="" method=128 version=3
[05/Oct/2012:13:04:30 +0300] conn=40926 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[05/Oct/2012:13:04:30 +0300] conn=40926 op=1 SRCH base="" scope=0 filter="(objectClass=*)", failed to decode LDAP controls
[05/Oct/2012:13:04:30 +0300] conn=40926 op=1 RESULT err=2 tag=101 nentries=0 etime=0
[05/Oct/2012:13:04:30 +0300] conn=40926 op=2 SRCH base="" scope=2 filter="(uid=java)", failed to decode LDAP controls
[05/Oct/2012:13:04:30 +0300] conn=40926 op=2 RESULT err=2 tag=101 nentries=0 etime=0
[05/Oct/2012:13:04:30 +0300] conn=40926 op=-1 fd=75 closed - B1
#####################################

And, at the same time, the test succeeds with 389-ds-1.2.1-1.el5

#####################################
[05/Oct/2012:13:07:46 +0300] conn=13304 fd=65 slot=65 connection from 192.168.0.12 to 192.168.0.135
[05/Oct/2012:13:07:46 +0300] conn=13304 op=0 BIND dn="" method=128 version=3
[05/Oct/2012:13:07:46 +0300] conn=13304 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[05/Oct/2012:13:07:46 +0300] conn=13304 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs="namingContexts supportedLDAPVersion altServer supportedControl supportedExtension supportedFeatures supportedSASLMechanisms"
[05/Oct/2012:13:07:46 +0300] conn=13304 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[05/Oct/2012:13:07:46 +0300] conn=13304 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(uid=java)" attrs=ALL
[05/Oct/2012:13:07:46 +0300] conn=13304 op=2 RESULT err=0 tag=101 nentries=1 etime=0 notes=P
[05/Oct/2012:13:07:46 +0300] conn=13304 op=3 BIND dn="uid=java,ou=Users,dc=example,dc=com" method=128 version=3
[05/Oct/2012:13:07:46 +0300] conn=13304 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=java,ou=users,dc=example,dc=com"
[05/Oct/2012:13:07:46 +0300] conn=13304 op=-1 fd=65 closed - B1
#####################################

Encoding::UndefinedConversionError after upgrading from 0.2.2 to 0.3.1

I have a model that uses net-ldap for communication to an Active Directory server, and after upgrading the gem from v0.2.2 to v0.3.1, I get an Encoding::UndefinedConversionError exception when binding and performing a query. When I downgrade to 0.2.2, the problem goes away instantly. It looks like it may be due to the recent changes to use UTF-8 string encoding by default.

It seems that my application encounters this only when I am searching AD using a GUID, which would indicate that net-ldap is trying to convert the binary GUID to UTF-8.

Ability to leave the connection open

Originally submitted on RubyForge by James Hewitt as #23425 on 2009-01-03:

I'd like to be able to leave an LDAP connection open.

I know the library doesn't want me to, but I would like to be able to decide what to do with my own network connections.

In some cases, leaving the ldap connection open makes writing my application a lot easier, for example, where I want to only use one ldap connection for each request to a rails app, but don't want to have to wrap the whole request in an LDAP.open. Or even to have an ldap connection pool, as you would a mysql connection pool.

I would suggest:

  1. Altering LDAP.open to open the connection and leave it open if a block is not given.
  2. Adding a close method to close connections.

modify objectclass - Object class violation

Originally submitted by Rubyforge user cuzic4n on 2010-09-02:

I am adding and deleting all sorts of LDAP entries. I can even make new entries with objectclasses, but when I want to remove an existing one or add another one I get 'object class violation'. Before you say that the LDAP server is correct: I can do it with Softerra LDAP Administrator just fine. They have a special menu option for adding/removing objectclasses to existing entries.

The entry log from the ldap server when using softerra to remove posixAccount and shadowaccount objectclasses from already existing entries.

AuditV3--2010-09-02-18:36:52.865+00:00DST--V3 SSL Modify--bindDN: cn=root--client: x.x.x.x:22795--connectionID:
1943--received: 2010-09-02-18:36:52.470+00:00DST--Success
operationResponseTime: 395
timeOnWorkQ: 0
rdbmLockWaitTime: 1
clientIOTime: 0
object: cn=myname,ou=internal,O=stuff
delete: gidNumber
delete: homeDirectory
delete: loginShell
delete: shadowFlag
delete: uidNumber
delete: userid
replace: objectClass

The entry log from the ldap server when trying using net-ldap:

AuditV3--2010-09-02-18:02:34.520+00:00DST--V3 Modify--bindDN: cn=root--client: x.x.x.x:65284--connectionID: 1935--received:
2010-09-02-18:02:34.516+00:00DST--Object class violation
operationResponseTime: 4
timeOnWorkQ: 0
rdbmLockWaitTime: 0
clientIOTime: 0
object: cn=myname,ou=internal,o=stuff
delete: userid
delete: gidnumber
delete: uidnumber
delete: loginshell
delete: homedirectory
delete: objectclass

I notice they are using a replace action. I looked at the net-ldap replace API but it doesn't support this type of call. I tried ldap.mod with an ops array with even just the objectclasses listed. No luck. ldap.delete_attribute won't work for objectclasses. ldap.replace_attribute won't work for objectclasses.

I tried ldap.add with the attr array for adding new objectclasses to no avail. I tried ldap.add_attribute for objectclass to no avail. I tried ldap.replace_attribute for objectclass to no avail.

Is there any work being done for supporting adding/removing objectclasses to already existing entries?

Protocol correction for rename (context-sensitive encoding for new_superior)

It looks like the rename method needs to specify the "new_superior" attribute with context-specific encoding. From RFC2251 section 4.9 we see:

ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
        entry           LDAPDN,
        newrdn          RelativeLDAPDN,
        deleteoldrdn    BOOLEAN,
        newSuperior     [0] LDAPDN OPTIONAL }

I've confirmed this fix then matches other LDAP clients, and I can successfully perform an object move in AD. Here's a quick patch which corrects this problem, for your consideration:

--- lib/net/ldap.rb
+++ lib/net/ldap.rb
@@ -1537,7 +1537,7 @@ def rename args
     new_superior = args[:new_superior]
 
     request = [old_dn.to_ber, new_rdn.to_ber, delete_attrs.to_ber]
-    request << new_superior.to_ber unless new_superior == nil
+    request << new_superior.to_ber_contextspecific(0) unless new_superior == nil
 
     pkt = [next_msgid.to_ber, request.to_ber_appsequence(12)].to_ber_sequence
     @conn.write pkt
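Review bot: the `request << new_superior.to_ber_contextspecific(0)` line needs a check that the helper emits a primitive context-specific tag (0x80), not a constructed one (0xA0): the LDAP ASN.1 module in RFC 2251 is declared with IMPLICIT TAGS, so `[0] LDAPDN` replaces the OCTET STRING tag rather than wrapping it, and a server that receives the constructed form will reject the ModifyDNRequest. Please add a unit test that encodes a rename with `:new_superior` set and asserts the exact bytes of `request`, so the fix cannot regress silently. Minor: `unless new_superior == nil` reads more naturally as `if new_superior`.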

An established connection was aborted

Originally submitted on 2010-05-18 by Tomas Valenta (Rubyforge user borland).

Hello,

I have a Rails app (MRI 1.8.7, Rails 2.3.5) where I included ActiveLdap (2.3.5, net-ldap 0.1.1) just to do simple searches of users and groups. It works fine; however, after some time of inactivity I get this error:

An established connection was aborted by the software in your host machine.

C:/Data/Tools/ruby/lib/ruby/gems/1.8/gems/net-ldap-0.1.1/lib/net/ldap.rb:1417:in `write'
C:/Data/Tools/ruby/lib/ruby/gems/1.8/gems/net-ldap-0.1.1/lib/net/ldap.rb:1417:in `search'
C:/Data/Tools/ruby/lib/ruby/gems/1.8/gems/net-ldap-0.1.1/lib/net/ldap.rb:1385:in `loop'
C:/Data/Tools/ruby/lib/ruby/gems/1.8/gems/net-ldap-0.1.1/lib/net/ldap.rb:1385:in `search'
C:/Data/Tools/ruby/lib/ruby/gems/1.8/gems/activeldap-1.2.1/lib/active_ldap/adapter/net_ldap.rb:141:in `send'
C:/Data/Tools/ruby/lib/ruby/gems/1.8/gems/activeldap-1.2.1/lib/active_ldap/adapter/net_ldap.rb:141:in `execute'
C:/Data/Tools/ruby/lib/ruby/gems/1.8/gems/activeldap-1.2.1/lib/active_ldap/adapter/base.rb:659:in `log'
C:/Data/Tools/ruby/lib/ruby/1.8/benchmark.rb:308:in `realtime'
C:/Data/Tools/ruby/lib/ruby/gems/1.8/gems/activeldap-1.2.1/lib/active_ldap/adapter/base.rb:659:in `log'
C:/Data/Tools/ruby/lib/ruby/gems/1.8/gems/activeldap-1.2.1/lib/active_ldap/adapter/net_ldap.rb:141:in `execute'
C:/Data/Tools/ruby/lib/ruby/gems/1.8/gems/activeldap-1.2.1/lib/active_ldap/adapter/net_ldap.rb:78:in `search'
C:/Data/Tools/ruby/lib/ruby/gems/1.8/gems/activeldap-1.2.1/lib/active_ldap/adapter/base.rb:170:in `search'
C:/Data/Tools/ruby/lib/ruby/gems/1.8/gems/activeldap-1.2.1/lib/active_ldap/adapter/base.rb:275:in `operation'
C:/Data/Tools/ruby/lib/ruby/1.8/timeout.rb:53:in `timeout'
C:/Data/Tools/ruby/lib/ruby/gems/1.8/gems/activeldap-1.2.1/lib/active_ldap/timeout_stub.rb:6:in `alarm'
C:/Data/Tools/ruby/lib/ruby/gems/1.8/gems/activeldap-1.2.1/lib/active_ldap/adapter/base.rb:321:in `with_timeout'
C:/Data/Tools/ruby/lib/ruby/gems/1.8/gems/activeldap-1.2.1/lib/active_ldap/adapter/base.rb:274:in `operation'
C:/Data/Tools/ruby/lib/ruby/gems/1.8/gems/activeldap-1.2.1/lib/active_ldap/adapter/base.rb:169:in `search'
C:/Data/Tools/ruby/lib/ruby/gems/1.8/gems/activeldap-1.2.1/lib/active_ldap/adapter/net_ldap.rb:66:in `search'
C:/Data/Tools/ruby/lib/ruby/gems/1.8/gems/activeldap-1.2.1/lib/active_ldap/operations.rb:65:in `search'
C:/Data/Tools/ruby/lib/ruby/gems/1.8/gems/activeldap-1.2.1/lib/active_ldap/operations.rb:282:in `find_every'
C:/Data/Tools/ruby/lib/ruby/gems/1.8/gems/activeldap-1.2.1/lib/active_ldap/operations.rb:226:in `find'
C:/Data/Devel/LDB/app/controllers/ldap_controller.rb:9:in `user'

I was not yet able to force reconnection or solve this problem. I am running on Windows XP with Mongrel, if that matters in any way.

Can anyone post any suggestion how to solve this?

My code is simple as that:

@query = params[:query]
@ntlogin = params[:ntlogin]
if @query and @query.empty? == false
  @results = AdUser.find(:all, :attribute => 'cn', :value => @query)
elsif @ntlogin and @ntlogin.empty? == false
  @results = AdUser.find(:all, :attribute => 'sAMAccountName', :value => @ntlogin)
end

Thanks for any help

LDAP search with a size limit returns nil instead of truncating list

Tested with net-ldap 0.3.1 inside of a gitlab installation.

We have a person who has two identical DN entries in LDAP. The following will return two entries:

irb > ldap = Net::LDAP.new(...)
irb > ldap.search(base: <dn>)
=> [Net::LDAP::Entry ..., Net::LDAP::Entry]

But when I use :size, nil is returned instead of a single element.

irb > ldap.search(base: <dn>, size: 1)
=> nil

The documentation seems to indicate that :size is supposed to truncate rather than silently fail.

[TIMEOUT][ERROR] net-ldap-0.1.1/lib/net/ldap.rb:1139:in `getbyte'

Originally submitted as RubyForge issue 28676 on 2010-10-28 by Cédric F. (iuser69):

I'm using net-ldap with active-ldap into my rails project.

It seems something went wrong about the server disconnection handle.

This is what can reproduce the problem

  ldap = Net::LDAP.new(..., :encryption => {:method => :simple_tls})
  ldap.bind(...)
  ldap.search(...) # will succeed
  # wait 15 minutes
  ldap.search(...) # will fail

Proper BER value for "true"

I think I have an answer to AZ's code comment on the "true" value BER encoding...

According to RFC4511, section 5.1, it looks like "true" should be an 0xFF instead of 1:

If the value of a BOOLEAN type is true, the encoding of the value octet is set to hex "FF".

I've confirmed this matches other LDAP client protocol communications. However, since the default string encoding is UTF-8 it has potential to cause an encoding exception on the array join, so I think it should also be forced to ASCII-8BIT to prevent problems.

So, here's a couple tiny patches with relevant changes for consideration (including 8BIT'ing the "false" string):

--- lib/net/ber/core_ext/true_class.rb
+++ lib/net/ber/core_ext/true_class.rb
@@ -5,8 +5,6 @@ module Net::BER::Extensions::TrueClass
   ##
   # Converts +true+ to the BER wireline representation of +true+.
   def to_ber
-    # 20100319 AZ: Note that this may not be the completely correct value,
-    # per some test documentation. We need to determine the truth of this.
-    "\001\001\001"
+    "\x01\x01\xFF".force_encoding("ASCII-8BIT")
   end
 end
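Review bot: the removed AZ comment was the only explanation of the magic bytes; please replace it with a one-line reference to RFC 4511 section 5.1 above `"\x01\x01\xFF".force_encoding("ASCII-8BIT")`, otherwise the 0xFF invites being "corrected" back to 0x01 by a later reader. Add a test asserting `true.to_ber` equals those three bytes, and keep the decoder lenient in the same change: BER (X.690 8.2.2) allows any non-zero octet for TRUE and servers in the field still send 0x01, so parsing must not start requiring 0xFF just because encoding now emits it.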
--- lib/net/ber/core_ext/false_class.rb
+++ lib/net/ber/core_ext/false_class.rb
@@ -5,6 +5,6 @@ module Net::BER::Extensions::FalseClass
   ##
   # Converts +false+ to the BER wireline representation of +false+.
   def to_ber
-    "\001\001\000"
+    "\x01\x01\x00".force_encoding("ASCII-8BIT")
   end
 end
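Review bot: `force_encoding` mutates its receiver; this works because every call evaluates a fresh literal, but it will raise as soon as frozen string literals are enabled for this file. `"\x01\x01\x00".dup.force_encoding("ASCII-8BIT")`, or on Ruby 2.0+ simply `"\x01\x01\x00".b`, returns a copy and is shorter; the same applies to the TrueClass hunk above. The doc comment should also state that the result is binary, since a caller joining it into a UTF-8 string is exactly the encoding exception this patch is meant to prevent.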

hangs in bind

Hi. Working on an existing app (deployed for over a year), it's started hanging on bind in development and test. I've traced it in the debugger to this line:

ruby-1.9.3-p125/gems/net-ldap-0.3.1/lib/net/ldap.rb:1236
(be = @conn.read_ber(Net::LDAP::AsnSyntax) and pdu = Net::LDAP::PDU.new(be)) or raise Net::LDAP::LdapError, "no bind result"

and specifically this call:
@conn.read_ber(Net::LDAP::AsnSyntax)

It just hangs, no return value or exceptions. Can you give me some hints how to further diagnose, determine what may be causing it, and how to fix it?

Empty attributes from AD are missing

In my active_directory gem, I use net-ldap. I have accounts that have empty attributes in AD, like extensionattribute2. When I pull the entry through my gem and look for that attribute, it's not there. However, if I add something to it in AD and do another search, the entry now has the attribute.

I need to be able to write values to attributes that will be empty from AD. Would you be so kind as to help me figure out where I'm going wrong? Essentially, I'm getting a "no id given" ArgumentError.

I'm asking you because I think that net-ldap is not returning attributes that are empty. Perhaps there is some property-add function I can write in my own clone of ruby-net-ldap, but I would need some guidance to see if I'm anywhere near being correct.

Thanks in advance,
Richard

Alias dereferencing should be supported

Originally submitted by Jonathan Clarke (jooooooon) on 2009-07-02:

The "deref" parameter to the search command is ignored, unlike in the original Net::LDAP. This supports dereferencing aliases during search, either in search results or when locating the base object for the search.

The attached patch adds support to this, in the same style as the scope parameter. Possible values are: Net::LDAP::DerefAliases_Never, Net::LDAP::DerefAliases_Search, Net::LDAP::DerefAliases_Find, Net::LDAP::DerefAliases_Always. Default is Never.

Please consider it for inclusion it Ruby Net::LDAP. Thanks.

Does ruby-ldap remember the IP address of the LDAP server (DNS caching)?

This may not be the right place to ask a question; sorry if it annoys you.

I'm currently using ruby-ldap in my system. Because of a security concern, my IT admin wants to know whether the LDAP client library (ruby-ldap) remembers the IP address of the LDAP server. He wants to make sure that there is no DNS caching.

Can anyone help me answer that question?
All your help is very much appreciated :)

Can't bind to LDAP as simple_tls

I am trying to bind to the LDAP server using simple_tls but I am getting the following error:

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol)

Cheers,
Owen

bind fails if there is a ? in the password

bind seems to fail if there is a "?" in the password. I have not tested other "special" characters to know if this is more than just that character. I suspect it is something in the BER encoding but not sure. In the LDAP object the password seems to be correct so it's in the transmitting to the ldap server.

Incorrect unescaping of filter values

In "net/ldap/filter.rb", line 626 there is this function:

  # Converts escaped characters (e.g., "\28") to unescaped characters ("(").
  def unescape(right)
    right.gsub(/\\([a-fA-F\d]{2})/) { [$1.hex].pack("U") }
  end

That is the incorrect way to turn escaped values into their proper binary value. Specifically, packing as a UTF8 string is not desired. What should happen is:

right.gsub(/\\([a-fA-F\d]{2})/) { $1.hex.chr }

Why? Suppose "right" has UTF8. Cases:

  • the byte sequence is already valid UTF8. There will be no escapes and this gsub block will never be called.
  • the byte sequence contains escaped UTF8 data. The data, escaped, is already a valid UTF8 string. Consider the user passes in 'r\C3\A9sum\C3\A9'. The '\C3\A9' is already the correct sequence for an "é" and all we have to do is unescape the bytes as is. Unescaping them using pack('U') would corrupt the string.

But suppose the user, like me, wants to pass in raw binary data such as a GUID '\00\5f\ce\cf\98\e4\d8\11\85\bd\00\00\5a\99\61\58'. Using pack('U') hopelessly corrupts this since each byte is not meant to be a UTF8 sequence. Instead, it should be passed along as is: $1.hex.chr.
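The two unescape variants side by side, as an added example (not net-ldap's filter.rb and not the poster's code), together with the matching RFC 4515 escaping so the round trip can be checked on real bytes. The sample values, an accented name and a 16-byte GUID, are constructed here.

```ruby
# Added example, not net-ldap's filter.rb: RFC 4515 escaping of filter values
# and the two unescape variants compared in this issue, so the corruption
# caused by pack("U") is visible on real bytes. Sample values are constructed.

# Escapes a value for use inside a search filter. With binary: true every
# byte is written as \hh (the form used for GUIDs and other octet-string
# attributes); otherwise only the RFC 4515 metacharacters and non-printable
# bytes are escaped. The result is ASCII-only.
def ldap_escape(value, binary: false)
  bytes = value.b
  return bytes.each_byte.map { |b| '\\%02x' % b }.join if binary
  bytes.gsub(/[\\*()]|[^\x20-\x7e]/n) { |c| '\\%02x' % c.ord }.force_encoding('UTF-8')
end

# The behaviour the issue asks for: each \hh becomes exactly one byte, and
# the caller decides which encoding the resulting bytes are in.
def ldap_unescape(right)
  right.b.gsub(/\\([a-fA-F\d]{2})/n) { $1.hex.chr }
end

# The behaviour the issue reports: each \hh becomes a Unicode code point,
# which UTF-8 writes as two bytes for anything >= 0x80.
def ldap_unescape_codepoint(right)
  right.gsub(/\\([a-fA-F\d]{2})/) { [$1.hex].pack('U') }
end

# Runs both unescapes over the constructed samples; returns a Hash.
def escape_demo
  name = "r\u00e9sum\u00e9"                                 # UTF-8 bytes 72 C3 A9 73 75 6D C3 A9
  guid = ['005fcecf98e4d81185bd00005a996158'].pack('H*')   # constructed 16-byte GUID
  esc_name = ldap_escape(name)
  esc_guid = ldap_escape(guid, binary: true)
  { esc_name: esc_name,
    esc_guid: esc_guid,
    esc_meta: ldap_escape('*)(uid=*'),
    name_roundtrip: ldap_unescape(esc_name).force_encoding('UTF-8') == name,
    guid_roundtrip: ldap_unescape(esc_guid) == guid,
    name_codepoint_bytes: ldap_unescape_codepoint(esc_name).bytesize,   # 12, not 8
    guid_codepoint_bytes: ldap_unescape_codepoint(esc_guid).bytesize }  # 24, not 16
end

puts escape_demo.inspect if $PROGRAM_NAME == __FILE__
```

`ldap_unescape` deliberately returns ASCII-8BIT: the filter grammar only says which bytes go on the wire, and whether they are UTF-8 text or a raw GUID is the caller's decision, which is why `force_encoding` is applied at the call site and not inside the function.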

bind and bind_as methods return results if an empty password is submitted

Originally submitted as issue 8591 on RubyForge on 2007-02-13.

bind and bind_as return results if an empty password is submitted. If an incorrect password is given it fails. However, to my mind, if you don't provide a password the bind should fail. I think this is a bug. The code below follows the example code.

Here is the code that I've run to test. As you can see from the result, this ends up returning the same results regardless of whether you enter no password or the correct password. You only get a failure when you enter the incorrect password.

#################################

require 'rubygems'
require 'net/ldap'
require 'pp'

ldap = Net::LDAP.new
ldap.host = "192.168.1.16"
ldap.port = 389

####################
#  NO PASSWORD
####################

username,password = "pnovess", ""

result = ldap.bind_as(
 :base => "dc=net",
 :filter => "(cn=#{username})",
 :password => password
)

if result
  pp result
else
  puts "Authentication FAILED."
  pp result
end


####################
#  CORRECT PASSWORD
####################

username,password = "pnovess", "correct"

result = ldap.bind_as(
 :base => "dc=net",
 :filter => "(cn=#{username})",
 :password => password
)

if result
  pp result
else
  puts "Authentication FAILED."
  pp result
end

####################
#  INCORRECT PASSWORD
####################

username,password = "pnovess", "incorrect"

result = ldap.bind_as(
 :base => "dc=net",
 :filter => "(cn=#{username})",
 :password => password
)

if result
  pp result
else
  puts "Authentication FAILED."
  pp result
end
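An application-side guard for the behaviour reported above, as an added example (not code from the issue and not net-ldap's own): the password is checked before anything is sent, and the username is escaped before it is interpolated into the `(cn=...)` filter. A constructed stand-in for Net::LDAP makes it runnable offline; it is written to accept an empty password the way the poster's server does, which is the unauthenticated simple bind of RFC 4513 section 5.1.2 (DN present, empty password).

```ruby
# Added example, not code from the issue or from net-ldap: refuse to bind
# with an empty password and escape the username before building the filter.
# StubDirectory is a constructed stand-in for Net::LDAP#bind_as.

# Minimal RFC 4515 escaping so a username cannot alter the filter structure.
def filter_escape(s)
  s.to_s.gsub(/[\\*()\x00]/) { |c| '\\%02x' % c.ord }
end

# Stand-in for Net::LDAP#bind_as with the reported behaviour (constructed).
class StubDirectory
  USERS = { 'pnovess' => 'correct' }.freeze
  attr_reader :binds   # every (uid, password) pair that reached the "server"

  def initialize
    @binds = []
  end

  def bind_as(base:, filter:, password:)
    uid = filter[/\A\(cn=(.*)\)\z/, 1]
    @binds << [uid, password]
    return false unless USERS.key?(uid)
    # An empty password is an unauthenticated bind, which this server
    # accepts, so the caller would get a "valid" entry back.
    return [{ dn: "cn=#{uid},#{base}" }] if password.empty? || USERS[uid] == password
    false
  end
end

# Returns { ok: true, dn: ... } or { ok: false, reason: ... }; an empty or
# blank password never reaches bind_as.
def authenticate(ldap, username, password, base: 'dc=net')
  return { ok: false, reason: :empty_username } if username.nil? || username.strip.empty?
  return { ok: false, reason: :empty_password } if password.nil? || password.strip.empty?
  result = ldap.bind_as(base: base, filter: "(cn=#{filter_escape(username)})", password: password)
  result ? { ok: true, dn: result.first[:dn] } : { ok: false, reason: :bind_failed }
end

if $PROGRAM_NAME == __FILE__
  dir = StubDirectory.new
  ['', 'correct', 'incorrect'].each { |pw| puts "#{pw.inspect}: #{authenticate(dir, 'pnovess', pw)}" }
end
```

Rejecting a blank password in the application is the only reliable fix: whether an empty-password simple bind is treated as anonymous, as unauthenticated, or as an error is a server-side setting that differs between directory products and versions.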

LDAP PagedResults ControlType Incompatible

I'm currently developing an application internally at IBM and their LDAP server fails to successfully search with the hard-coded ControlType in Net::LDAP, here: https://github.com/ruby-ldap/ruby-net-ldap/blob/master/lib/net/ldap.rb#L339

I meant to just write up a patch for this but it looks like it is much more involved than I originally thought. The IBM LDAP server, whatever it is, appears to support ControlType 2.16.840.1.113730.3.4.2 (RFC 3296).

When substituted with the hard-coded one in PagedResults, it works fine.

Happy to supply wireshark dumps, etc whatever to help out. Let me know.

Should `Filter#==` care about the order of combined filters?

green_egg1 = Net::LDAP::Filter.equals("name", "Egg") & Net::LDAP::Filter.equals("color", "green")
green_egg2 = Net::LDAP::Filter.equals("name", "Egg") & Net::LDAP::Filter.equals("color", "green")
green_egg3 = Net::LDAP::Filter.equals("color", "green") & Net::LDAP::Filter.equals("name", "Egg")

green_egg1 == green_egg2 # => true
green_egg1 == green_egg3 # => false

This behavior seems strange to me, given that the filters green_egg1 and green_egg3 will both find the exact same set of objects in LDAP. Is there any reason why Filter#== should care about the order in which filters are combined?

ldapi support

Originally submitted on 2011-03-03 by C C (ccom):

It's much better (faster, more secure, etc.) to communicate with a local LDAP server over a Unix socket (ldapi). Net::LDAP, however, does not support ldapi sockets.

Returns Invalid Credentials (code 49) for locked accounts

I could not find a way to get the proper error messages thrown by Active Directory. I always get "Invalid Credentials" for errors in AD. AD is issuing different error codes for scenarios such as AccountLocked, PasswordExpired etc.

What's the best way to get this expected result?

LDIF line continuation

I think line continuations are broken in #read_ldif in net/ldap/dataset.rb. The pertinent section of RFC 2849 http://tools.ietf.org/html/rfc2849 is:

  2)  Any non-empty line, including comment lines, in an LDIF file
      MAY be folded by inserting a line separator (SEP) and a SPACE.
      Folding MUST NOT occur before the first character of the line.
      In other words, folding a line into two lines, the first of
      which is empty, is not permitted. Any line that begins with a
      single space MUST be treated as a continuation of the previous
      (non-empty) line. When joining folded lines, exactly one space
      character at the beginning of each continued line must be
      discarded. [...]

(NB. last sentence).

#read_ldif:

    if new_line =~ /^[\s]+/
      line << " " << $'

A space character is preserved?

Suggested fix:

120,121c120,121
<         if new_line =~ /^[\s]+/
<           line << " " << $'

---
>         if new_line =~ /^ /
>           line << $'
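Review bot: the proposed `/^ /` with `line << $'` is the right reading of RFC 2849 (discard exactly one SPACE), but the old `/^[\s]+/` had two further defects and the fix should land with tests for both: it treated a leading TAB as a fold, and because `[\s]+` is greedy, `$'` stripped every leading whitespace character, so a value whose continuation legitimately begins with spaces lost them. Add a test for `"description: a long\n  value"` expecting `a long value`, and one confirming a leading-tab line is not joined. Prefer `\A` to `^` so the anchor cannot match after an embedded newline.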

Cannot load such file "net/ldap/version"

Hi,

I just started working with ruby-net-ldap and decided to use the latest version (had encoding problems before). There seems to be a new problem though: the new net/ldap/version file doesn't seem to be included in the gemspec (there's a Cannot load such file error when I require the gem).

I modified the gemspec temporarily on my side to include "lib/net/ldap/version.rb" (in the s.files) and just wanted to let you know since it's critical, but easy to fix.

LDAP schema related features

Originally submitted by Maurice Fäh (mauricefaeh) on 2007-10-04:

Will you eventually add LDAP schema related features?

Rubygems version

It looks like the version on rubygems.org is rather old and newer versions have been tagged in git since then. Would it be possible to update rubygems.org to the latest version so 'gem install net-ldap' gets the current release?

Invalid gemspec (rubygems 1.8.15)

net-ldap at /usr/local/rvm/gems/ruby-1.9.3-p0/bundler/gems/ruby-net-ldap-76a81cce4ad6 did not have a valid gemspec.
This prevents bundler from installing bins or native extensions, but that may not affect its functionality.
The validation message from Rubygems was:
[".gemtest"] are not files

Wrong paged result from search

Environment: Windows XP, Java 1.6.0_29, JRuby 1.6.7 and net-ldap 0.3.1. JRuby is running in Ruby 1.9 mode.

Scenario: Searching for computers in our Windows Active Directory.

As I understand it, if the search result contains more than 126 (hardcoded page size in net/ldap.rb) entries, which it always does in my case, the server returns a cookie indicating a paged result (RFC 2696). The cookie should be sent back by the client when requesting more entries from the result. This does not seem to work. The result is always 126 bigger than it should be and those 126 seem to be duplicates of some already in the result.

Another problem: If the result contains more than 1000 entries a "Size Limit Exceeded" error is returned.

My guess is that net-ldap somehow changes the cookie before sending it back to the server.

If I switch to net-ldap 0.2.2, it seems to work as it should.

Error under load

We are trying to perform LDAP searches to retrieve user information.

We are getting the following response intermittently:
result.code => 53
result.message => Unwilling to perform

when calling this method:
def searchLdap(searchBase, filter, scopes=false)
  arr = Array.new
  @ldap.search(:base => searchBase, :filter => filter) do |entry|
    ...code to push to array....
  end
  return arr
end

This only happens when the application is under a heavy load.
This happens in both our development and production environments.

No other applications are experiencing the same response code from LDAP.
We are using Tivoli Directory Server as our LDAP.

Any ideas?

Complete support for UTF-8

Internally we're still assuming ASCII-8BIT on all strings, so when doing manipulations between a UTF-8 response from the server and internal strings it will fail with EncodingError on 1.9.

This is likely going to be a huge overhaul and should be a release in itself.

Dataset.read_ldif does not support version-spec

RFC 2849:

ldif-file                = ldif-content / ldif-changes
ldif-content             = version-spec 1*(1*SEP ldif-attrval-record)
...
version-spec             = "version:" FILL version-number

Test case:

irb(main):001:0> require 'net-ldap'
=> true
irb(main):002:0> require 'stringio'
=> false
irb(main):003:0> Net::LDAP::Dataset.read_ldif(StringIO.new(<<-EOF
irb(main):004:2" version: 1
irb(main):005:2" 
irb(main):006:2" dn: cn=foo
irb(main):007:2" bar: baz
irb(main):008:2" EOF
irb(main):009:2> ))
NoMethodError: undefined method `[]' for nil:NilClass
        from /usr/lib/ruby/gems/1.9.1/gems/net-ldap-0.3.1/lib/net/ldap/dataset.rb:146:in `read_ldif'
        from (irb):3
        from /usr/bin/irb:12:in `<main>'
irb(main):010:0> 

dataset.rb line 141:

        ds[dn][$1.downcase.to_sym] << attrvalue

version is interpreted as an attribute but no dn has yet been found, hence ds[dn] returns nil.
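
As an added example (not the project's Dataset.read_ldif), here is a minimal RFC 2849 reader that treats the leading version-spec correctly; read_ldif and SAMPLE_LDIF are names chosen here, and the sample input is constructed from the test case above with a folded line and a base64 value added.

```ruby
# Added example, not the project's Dataset.read_ldif: a minimal RFC 2849
# content reader that accepts the optional leading "version: 1" line, folds
# continuation lines (one leading SPACE, which is removed), decodes "::"
# base64 values and returns { dn => { attr_sym => [values] } }.
require "stringio"

def read_ldif(io)
  # First pass: unfold. A line starting with a single space continues the
  # previous line; exactly that one space is dropped, nothing is inserted.
  lines = []
  io.each_line do |raw|
    l = raw.chomp
    if l.start_with?(" ") && !lines.empty?
      lines[-1] << l[1..-1]
    else
      lines << l
    end
  end

  records = {}
  dn = nil
  lines.each do |line|
    next if line.start_with?("#")                  # comment line
    if line.empty?                                 # blank line ends a record
      dn = nil
      next
    end
    if records.empty? && dn.nil? && line =~ /\Aversion:\s*(\d+)\z/
      raise ArgumentError, "unsupported LDIF version #{$1}" unless $1 == "1"
      next                                         # version-spec, not an attribute
    end
    m = line.match(/\A([A-Za-z][\w;.-]*)(::?)\s*(.*)\z/)
    raise ArgumentError, "malformed LDIF line: #{line.inspect}" unless m
    attr = m[1].downcase.to_sym
    value = m[2] == "::" ? m[3].unpack1("m0") : m[3]   # "::" means base64
    if attr == :dn
      dn = value
      records[dn] = Hash.new { |h, k| h[k] = [] }
    else
      raise ArgumentError, "attribute #{attr} before any dn" if dn.nil?
      records[dn][attr] << value
    end
  end
  records
end

# Constructed sample: the reporter's input plus a folded and a base64 value.
SAMPLE_LDIF = "version: 1\n\ndn: cn=foo\nbar: baz\ndescription: a long\n  value\ncn:: Zm9v\n".freeze
```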

NET::LDAP.bind returns true when user password is empty

Hello,

I am using net-ldap-0.3.1 on a Rails application to perform user authentication against our LDAP server. When the user types an existing username in the form but leaves the password field empty, calling the bind method will return true instead of the false one would expect from reading the method's documentation (http://net-ldap.rubyforge.org/Net/LDAP.html#method-i-bind).

I am not sure if it's a problem with the gem or with our LDAP server, but I have seen there is an old thread with this issue [1] and I think it would make sense at least to write a little warning in the documentation regarding this problem.

Thank you.

Best regards

[1] http://rubyforge.org/forum/forum.php?thread_id=15539&forum_id=586
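
An added example, not from the issue or the gem: the guard a login flow needs for this case. UnauthenticatedBindServer is a constructed stand-in for a server (and for Net::LDAP#bind) that accepts a DN with an empty password, and its DN and password are constructed values.

```ruby
# Added example, not from net-ldap: guard a login flow against the empty
# password case reported above. RFC 4513 (5.1.2) calls a simple bind with a
# DN and an empty password an "unauthenticated bind"; servers that allow it
# answer success, so Net::LDAP#bind reports true for a user who typed nothing.
class UnauthenticatedBindServer
  # Constructed stand-in for Net::LDAP that behaves like such a server.
  KNOWN_DN = "uid=jdoe,ou=People,dc=example,dc=com".freeze
  PASSWORD = "correct-horse".freeze

  def bind(auth)
    return true if auth[:password].to_s.empty?   # anonymous, yet "success"
    auth[:username] == KNOWN_DN && auth[:password] == PASSWORD
  end
end

# Only ever bind with a non-empty DN and a non-empty password; a blank
# password is treated as a failed login before the server is consulted.
def authenticate(ldap, dn, password)
  return false if dn.to_s.strip.empty? || password.to_s.empty?
  ldap.bind(method: :simple, username: dn, password: password) ? true : false
end
```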

Net::LDAP::Filter does not Implement Hash Method

In my Ruby application, I am attempting to cache LDAP requests to improve performance. I want to cache the requests by filter, but Net::LDAP::Filter doesn't implement the hash method correctly, which messes up the caching solution that I am using:

irb(main):001:0> Net::LDAP::Filter.present("cn").hash == Net::LDAP::Filter.present("cn").hash
=> false

Some simple hash support for LDAP filters would be nice. For now I'll just use the string returned by the filter's .inspect method as the key for my cache instead.

Timeout handler

Originally submitted on RubyForge by Stefano Grioni (esox_ch) on 2008-12-14:

Hello,

I think that you should provide a method which allows people to set a timeout, because if my LDAP server goes down and I use NET::LDAP I risk seeing the whole Rails app stop as well, and I currently have no way to detect it and display any kind of message.

Thanks a lot

Get attributes Net::BER::BerIdentifiedString

At the moment it is not possible to extract the attributes of a BerIdentifiedString via the library.
My suggestion is to make methods such as .cn, .ou, etc. that allow retrieving and setting these in the string.

These strings look like this:

"CN=sampleuser,OU=Users,OU=Organic Units,DC=organization,DC=com"

I can definitely move on and make the Pull Request myself if needed, but I'd like to know first whether you guys think this is important or not.

Without a method like this, simple tasks such as getting the name of everyone in a group end up in messy code like this:

"members.map { |m| m.split(',')[0][3..m.length] }" -> basically split the string, get the CN one and remove the "CN=" part.

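An added example, not code from the issue or the gem, of extracting RDN values from such a DN string with RFC 4514 escapes handled; parse_dn, dn_values and naive_cn are names chosen here, and the DN strings in the comments and tests are constructed.

```ruby
# Added example, not part of net-ldap: split a DN string like the
# BerIdentifiedString above into [attribute, value] pairs while honouring
# RFC 4514 backslash escapes, so "CN=Doe\, Jane" is not cut at the comma.
def parse_dn(dn)
  rdns = []
  attr, value, in_value = +"", +"", false
  i = 0
  while i < dn.length
    c = dn[i]
    target = in_value ? value : attr
    if c == "\\" && i + 1 < dn.length
      if dn[i + 1, 2] =~ /\A\h\h\z/              # \XX hex escape, appended as a byte
        target << dn[i + 1, 2].hex.chr
        i += 3
      else                                        # \, \+ \" \\ \# \; \< \>
        target << dn[i + 1]
        i += 2
      end
      next
    end
    if c == "=" && !in_value
      in_value = true                             # attribute type finished
    elsif c == "," && in_value
      rdns << [attr.strip, value]                 # unescaped comma ends the RDN
      attr, value, in_value = +"", +"", false
    else
      target << c
    end
    i += 1
  end
  rdns << [attr.strip, value] if in_value
  rdns
end

# Values of every RDN whose attribute type matches, case-insensitively.
def dn_values(dn, type)
  parse_dn(dn).select { |a, _| a.casecmp?(type) }.map(&:last)
end

# The split-on-comma shortcut from the issue, kept here to show where it breaks.
def naive_cn(dn)
  dn.split(",")[0][3..-1]
end
```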
Bug when creating Active Directory group

I try to create a group but I get the following error:

NoMethodError (undefined method `map' for 18400597803079440689678002902069631524796887079072566:Bignum):

Here is my ruby code to create a group

require 'net/ldap'

group_dn = 'cn=foo,ou=bar,dc=my,dc=company,dc=com'
groupname = 'foo'
grouptype = 0x80000008
ldap_con = Net::LDAP.new({ :host => 'my_host', :port => 389, :encryption => nil,
                           :auth => { :method => :simple, :username => 'my_username', :password => 'my_password' } })
ldap_con.open do |ldap|
  ldap.add(:dn => group_dn, :attributes => { :samaccountname => groupname,
                                             :mailNickname => groupname,
                                             :displayName => groupname,
                                             :groupType => grouptype })
end

The error occurs only if I try to set the attribute :groupType, but if I don't set it the group is not created.

I have done some debugging and found that the issue occurs when the initialize method of Net::LDAP::PDU calls parse_controls(ber_object[2]):

def parse_controls(sequence)
  @ldap_controls = sequence.map do |control|
    o = OpenStruct.new
    o.oid, o.criticality, o.value = control[0], control[1], control[2]
    if o.criticality and o.criticality.is_a?(String)
      o.value = o.criticality
      o.criticality = false
    end
    o
  end
end

Ability to control paging

Originally submitted by James Hewitt (jamstah) on 2009-01-06:

I would like to be able to not send the paging control, because it can cause access errors on some servers.

It would be good to be able to specify a paging size, to work with tricky servers.

It would be great to be able to control the use of paging:

LDAP.open do |ldap|
  cookie = ldap.search( { paging: 10, options... } ) do |entry|
    handle entries...
  end

  ldap.search( cookie ) do |entry|
    handle next 10...
  end

  ldap.cancel( cookie )
end

But that might be best as another feature request, with a different function name (paged_search), and probably with exception raising when the server returns a non-zero response.

Ldap search error with directory server

I've got a corporate ldap server (directory server).
When I do a simple search like this one, I've got a protocolError in response:

ldap = Net::LDAP.new :host => 'X.X.X.X', :port => 389, :auth => {
  :method => :simple,
  :username => "uid=admin,cn=pouet,dc=bang,dc=fuzz,dc=com",
  :password => "password" }
filter = Net::LDAP::Filter.eq("uid",'user')
treebase = "ou=People,dc=bang,dc=fuzz,dc=com"
ldap.search(:base => treebase, :filter => filter)

After digging a little bit (the Linux ldapsearch utility works fine with the same values), it appears that the difference between the two requests is that net-ldap adds 'controls 0' at the end of the request, according to Wireshark.
If I suppress the controls variable from the packet (on line 1462 of net/lib/ldap.rb) (https://github.com/ruby-ldap/ruby-net-ldap/blob/master/lib/net/ldap.rb#L1462), it works.
Not being an expert at all, how can I tell net-ldap not to send controls?

The issue is there even if I do ldap.search(:base => treebase, :filter => filter, :ignore_server_caps => true)

Net::LDAP is not missing constant AsnSyntax! in rename and modify_rdn function

Hello,

I'm trying to use the rename function of this library, and I get this error:
Net::LDAP is not missing constant AsnSyntax!

Here is the code I use:

Net::LDAP.open(@@ldap_options) do |ldap|
  ldap.modify_rdn :olddn => dn, :newrdn => new_uid
end

And the options:

@@ldap_options = {
  :host => ldap_config["host"],
  :port => ldap_config["port"],
  :auth => {
    :method => :simple,
    :username => ldap_config["admin_user"],
    :password => ldap_config["admin_password"]
  }
}

Do you know what could be the problem?

Thank you

Best regards

Construct filter with colon does not work

Constructing a filter with a search value that contains a colon cuts off everything after the colon.

For example:
ldap_filter = "cn=Doe, Jane: IT"
filter = Net::LDAP::Filter.construct( ldap_filter )
puts filter

this returns:
(cn=Doe, Jane)

I'm assuming this is not intended functionality.
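
As an added example (not the gem's Filter.construct or Filter.eq), here is a pure-Ruby equality-filter builder that applies RFC 4515 escaping, so a value like the one above keeps its colon while the characters that could change the filter's structure are encoded; ldap_filter_escape and eq_filter are names chosen here.

```ruby
# Added example, not net-ldap's Filter.construct: build an equality filter
# from an untrusted value with RFC 4515 escaping. The colon from the issue is
# not a special character and passes through; '*', '(', ')', '\' and NUL are
# hex-escaped so the value can never alter the filter's structure.
def ldap_filter_escape(value)
  value.to_s.gsub(/[\\*()\x00]/) { |ch| format("\\%02x", ch.ord) }
end

def eq_filter(attribute, value)
  # Attribute descriptions follow a fixed grammar; refuse anything else outright.
  unless attribute =~ /\A[A-Za-z][\w;.-]*\z/
    raise ArgumentError, "invalid attribute description: #{attribute.inspect}"
  end
  "(#{attribute}=#{ldap_filter_escape(value)})"
end
```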

BerError: unsupported object type: id=139

How to reproduce:

  1. Install ApacheDS, and use the default configuration.

  2. Import default partition following ApacheDS basic documentation.

  3. Search:

    require 'rubygems'
    gem 'net-ldap', '0.2.2'
    require 'net-ldap'
    
    ldap = Net::LDAP.new
    ldap.port = 10389
    ldap.auth 'uid=admin,ou=system', 'secret'
    
    p ldap.search(:base => 'ou=people,o=sevenSeas',
                  :filter => '(uid=cbuckley)')
    

Version 0.1.1 works, also see this related issue reported in devise ldap authenticatable.
