[Bug 381791] [NEW] LDAP::SSLConn from ruby fails, probably from not seeing cert

Xeno Campanoli xeno at eskimo.com
Fri May 29 23:45:33 UTC 2009


Public bug reported:

I am unable to execute a simple script to authenticate users using
LDAP::SSLConn in Ruby.  The following two scripts and output explain the
situation:

I have the following working with cleartext LDAP:

#!/usr/bin/ruby
#

require 'ldap'

begin
    ldap_host = 'myldaphost'
    ldap_port = 389
    ldap_conn = LDAP::Conn.new(ldap_host,ldap_port)
    puts "trace 2 ldap_conn:  #{ldap_conn.class}"
#   ldap_conn.set_option( LDAP::LDAP_OPT_PROTOCOL_VERSION, 3 )
    puts "trace 3 ldap_conn:  #{ldap_conn.class}"
    bind_dn = "uid=#{ARGV[0]},ou=People,ou=Corporate,dc=x,dc=com"
    password_dn = "#{ARGV[1]}"
    ldap_conn.bind(bind_dn,password_dn)
    puts "trace 4 ldap_conn:  #{ldap_conn.class}"
rescue
    puts "trace 5 oops"
end

# end of test
----snip---

But when I try to run it with SSL, I get a failure saying "Can't connect LDAP Server".  My admin says it is not seeing the certificate.  I need to either accept the certificate or turn certification off, but for the life of me I am looking at the rdoc and I cannot find methods for either.  Perhaps I just don't understand the vocabulary or something, but I would expect this to be simple. My SSL version is as follows, and gets the diagnostic I gave above:

#!/usr/bin/ruby
#

require 'ldap'

begin
    ldap_host = 'myldaphost'
    ldap_port = 636
    ldap_conn = LDAP::SSLConn.new(ldap_host,ldap_port)
    puts "trace 2 ldap_conn:  #{ldap_conn.class}"
    ldap_conn.set_option( LDAP::LDAP_OPT_PROTOCOL_VERSION, 3 )
    puts "trace 3 ldap_conn:  #{ldap_conn.class}"
    bind_dn = "uid=#{ARGV[0]},ou=People,ou=Corporate,dc=x,dc=com"
    password_dn = "#{ARGV[1]}"
    ldap_conn.bind(bind_dn,password_dn)
    puts "trace 4 ldap_conn:  #{ldap_conn.class}"
rescue
    puts "trace 5 oops, #{$!}"
end

# end of test
----snip---
Here is the output:
u at h:$ ./t7.rb un 'pw'
trace 2 ldap_conn:  LDAP::SSLConn
trace 3 ldap_conn:  LDAP::SSLConn
trace 5 oops, Can't contact LDAP server
u at h:$

On the first one, with the proper u/p I get the trace 4.  Anyway, please
can someone suggest what I may be leaving out, or what is the method for
specifying certs or no certs, both would be nice.

I am seeing this behavior on Ubuntu Server installs with the following versions:
Linux hostname.domainstuff 2.6.24-19-server #1 SMP Wed Aug 20 23:54:28 UTC 2008 i686 GNU/Linux
Linux leopard 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:48:10 UTC 2009 i686 GNU/Linux

It appears that the versions of these routines installed on Red Hat and
CentOS have a default directory (I believe I was told it was
/etc/openldap/cacerts) where you can put certificates that then allow
SSL activity with Ruby LDAP, but apparently either we are unable to find
that point in Ubuntu Server, or there is no default.  Furthermore there
is no apparent way to specify it from the application, nor to turn the
requirement for the cert off from the API.  We also tried running this
with the certs in the default directory, and my CentOS pal made it work
that way, but on Ubuntu Server it did not work.

** Affects: libldap-ruby (Ubuntu)
     Importance: Undecided
         Status: New

-- 
 LDAP::SSLConn from ruby fails, probably from not seeing cert
https://bugs.launchpad.net/bugs/381791
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
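The "Can't contact LDAP server" failure above is the TLS handshake being rejected because the server's certificate does not chain to any CA the client trusts; ruby-ldap delegates that check to libldap, which on Debian/Ubuntu takes its trust anchors from the TLS_CACERT setting in /etc/ldap/ldap.conf. The following added example (not the reporter's code, and using a constructed CA and server certificate rather than any real host) reproduces that check with Ruby's OpenSSL library so the two outcomes can be compared: an empty trust store gives the same "unable to get local issuer certificate" verdict libldap produces, and adding the issuing CA is what makes the same certificate verify.

```ruby
require 'openssl'

# Issue a certificate for the demo. With no issuer given the cert is
# self-signed (a CA root). Constructed test material only.
def issue_cert(cn, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = ca ? 1 : 2
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The same check libldap performs when LDAP::SSLConn.new connects:
# the server certificate must chain to a CA in the trust store.
# Returns [verified?, OpenSSL's reason string].
def verify_server_cert(server_cert, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |c| store.add_cert(c) }
  ok = store.verify(server_cert)
  [ok, store.error_string]
end

# Constructed scenario: an internal CA signs the cert for 'myldaphost'
# (the hostname placeholder from the reporter's scripts).
def ldaps_trust_demo
  ca_key   = OpenSSL::PKey::RSA.new(2048)
  ca_cert  = issue_cert('Example Internal CA', ca_key, ca: true)
  srv_key  = OpenSSL::PKey::RSA.new(2048)
  srv_cert = issue_cert('myldaphost', srv_key, issuer_cert: ca_cert, issuer_key: ca_key)
  {
    without_ca: verify_server_cert(srv_cert, []),        # client has no trust anchor
    with_ca:    verify_server_cert(srv_cert, [ca_cert])  # CA provisioned (e.g. via TLS_CACERT)
  }
end

if $PROGRAM_NAME == __FILE__
  ldaps_trust_demo.each { |k, (ok, why)| puts "#{k}: #{ok ? 'OK' : 'FAIL'} (#{why})" }
end
```

The without_ca case is the reporter's situation; the fix is to make the issuing CA available to libldap rather than to lower the certificate requirement.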
