LDAP over ssl #43

Closed
RaceFPV opened this issue Oct 2, 2013 · 8 comments
RaceFPV commented Oct 2, 2013

Needs support for LDAP over SSL please

@ghost ghost assigned Arcath Oct 9, 2013
Arcath (Owner) commented Oct 9, 2013

Sorry for taking so long to get back to you, I've been a bit busy this week.

Is this not already supported by changing the port to 636 and setting an encryption method?

I've not really looked into LDAPS.

RaceFPV (Author) commented Oct 9, 2013

Not sure where I should be setting the encryption method. I set 'c.encryption' in config/adauth.rb but then I get the error: 'undefined method encryption'

Arcath (Owner) commented Oct 21, 2013

You would set an encryption method, so c.encryption = :simple_tls

hermiti commented Dec 3, 2013

I can verify that this works by setting the following in config/initializers/adauth.rb:

c.port = 636
c.encryption = :simple_tls

If you are getting an undefined method ensure that you are using adauth ~2.X, as it is not supported in 1.2.1.

drewhamlett commented

Hi @hermiti do you have to have the AD TLS certificate on the machine running Ruby?

hermiti commented Jan 9, 2014

@drewhjava
No, I did not. The server itself supplies the certificate to the client. No verification of that certificate or the certificate chain is performed by the client. Here is an excerpt from the net-ldap implementation's source code:

https://github.com/ruby-ldap/ruby-net-ldap/blob/master/lib/net/ldap.rb

# The :simple_tls encryption method encrypts <i>all</i> communications
# with the LDAP server. It completely establishes SSL/TLS encryption with
# the LDAP server before any LDAP-protocol data is exchanged. There is no
# plaintext negotiation and no special encryption-request controls are
# sent to the server. <i>The :simple_tls option is the simplest, easiest
# way to encrypt communications between Net::LDAP and LDAP servers.</i>
# It's intended for cases where you have an implicit level of trust in the
# authenticity of the LDAP server. No validation of the LDAP server's SSL
# certificate is performed. This means that :simple_tls will not produce
# errors if the LDAP server's encryption certificate is not signed by a
# well-known Certification Authority.

Here is a super simple Ruby script that I threw together just to test simple_tls, mainly because I felt like the authentication times were much too long using TLS, and I wanted to test the implementation.

require 'rubygems'
require 'net/ldap'

time_before = Time.now.to_f

ldap = Net::LDAP.new :host => "192.168.1.1",
  :port => 636,
  :encryption => :simple_tls,
  :base => "dc=somewhere, dc=org",
  :force_no_page => false,
  :auth => {
    :method => :simple,
    :username => "whatever@somewhere",
    :password => "password"
  }

results = nil

if ldap.bind

  # User Authenticated

  test_username_query = "testuser"

  filter = Net::LDAP::Filter.eq("samaccountname", test_username_query)
  treebase = "dc=somewhere, dc=org"

  # search returns nil when the server reports an error, so guard the iteration
  results = ldap.search(:base => treebase, :filter => filter)
  (results || []).each do |entry|
    puts "DN: #{entry.dn}"
    entry.each do |attribute, values|
      puts "   #{attribute}:"
      values.each do |value|
        puts "      --->#{value}"
      end
    end
  end

else

  # User Authentication Failed

  p "DOH!"

end

# Only index into the result set when the bind and search actually returned entries
if results && !results.empty?
  p results.length
  p results[0].samaccountname
  p results[0].mail
  p results[0].telephonenumber
  p results[0].company
end

p ldap.get_operation_result

time_after = Time.now.to_f

p(time_after - time_before)
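The net-ldap excerpt above is the security-relevant point of this thread: with :simple_tls the client encrypts the connection but accepts whatever certificate the server presents, so a host that merely speaks TLS on port 636 is indistinguishable from the real directory. The following added example (not code from this issue, adauth or net-ldap) reproduces that behaviour with Ruby's standard openssl and socket libraries only: it generates a constructed self-signed certificate, serves it on a loopback port, and shows that a VERIFY_NONE handshake (what :simple_tls amounts to) succeeds, a VERIFY_PEER handshake rejects it, and VERIFY_PEER succeeds again once that certificate is pinned in the client's trust store. Newer net-ldap releases expose the same choice through the tls_options hash (verify_mode, ca_file) passed alongside the encryption method.

```ruby
require 'openssl'
require 'socket'

# Constructed self-signed certificate standing in for an LDAP server cert that
# no trusted CA has signed, the case the net-ldap comment above describes.
def make_self_signed_cert
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=ldap.example.internal')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end
# One TLS handshake against a loopback server presenting CERT. verify_mode is
# VERIFY_NONE (what :simple_tls amounts to) or VERIFY_PEER (a checking client);
# trust_cert: true pins CERT in the client's trust store so VERIFY_PEER can pass.
# Returns true if the handshake completes, false if the client rejects the cert.
def handshake_completes?(cert, key, verify_mode, trust_cert: false)
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.cert, server_ctx.key = cert, key
  tcp      = TCPServer.new('127.0.0.1', 0)
  server   = OpenSSL::SSL::SSLServer.new(tcp, server_ctx)
  listener = Thread.new do
    begin
      server.accept.close
    rescue StandardError
      nil # the client aborted the handshake: the expected rejection path
    end
  end
  client_ctx = OpenSSL::SSL::SSLContext.new
  client_ctx.verify_mode = verify_mode
  if trust_cert
    client_ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(cert) }
  end
  sock = TCPSocket.new('127.0.0.1', tcp.addr[1])
  ssl  = OpenSSL::SSL::SSLSocket.new(sock, client_ctx)
  ssl.connect
  ssl.close
  true
rescue OpenSSL::SSL::SSLError
  false
ensure
  sock&.close
  listener&.join(5)
  tcp&.close
end
```

Run `handshake_completes?(cert, key, OpenSSL::SSL::VERIFY_NONE)` and the VERIFY_PEER variants with and without `trust_cert: true` to see true, false, true; the middle result is the error a verifying client would raise against the unsigned certificate that :simple_tls silently accepts.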

drewhamlett commented

@hermiti Thanks for your help with this. I was able to get it working!

Arcath (Owner) commented Feb 19, 2014

@slacker87 Does the solution by @hermiti fix your issue as well?
