173
174
175
-176
+176
+177
+178
# File 'lib/omniauth-ldap/adaptor.rb', line 131
@@ -1284,6 +1286,8 @@
@last_password_policy_response = nil
@connection.open do |me|
rs = me.search(args)
+ raise ConnectionError.new("LDAP search operation failed") unless rs
+
if rs && rs.first
dn = rs.first.dn
if dn
@@ -1334,7 +1338,7 @@
diff --git a/docs/OmniAuth/LDAP/Adaptor/AuthenticationError.html b/docs/OmniAuth/LDAP/Adaptor/AuthenticationError.html
index 353f275..c29cdb0 100644
--- a/docs/OmniAuth/LDAP/Adaptor/AuthenticationError.html
+++ b/docs/OmniAuth/LDAP/Adaptor/AuthenticationError.html
@@ -114,7 +114,7 @@
diff --git a/docs/OmniAuth/LDAP/Adaptor/ConfigurationError.html b/docs/OmniAuth/LDAP/Adaptor/ConfigurationError.html
index c065402..02f7213 100644
--- a/docs/OmniAuth/LDAP/Adaptor/ConfigurationError.html
+++ b/docs/OmniAuth/LDAP/Adaptor/ConfigurationError.html
@@ -114,7 +114,7 @@
diff --git a/docs/OmniAuth/LDAP/Adaptor/ConnectionError.html b/docs/OmniAuth/LDAP/Adaptor/ConnectionError.html
index d41a9bc..c17bafb 100644
--- a/docs/OmniAuth/LDAP/Adaptor/ConnectionError.html
+++ b/docs/OmniAuth/LDAP/Adaptor/ConnectionError.html
@@ -114,7 +114,7 @@
diff --git a/docs/OmniAuth/LDAP/Adaptor/LdapError.html b/docs/OmniAuth/LDAP/Adaptor/LdapError.html
index 94e94ca..569bfad 100644
--- a/docs/OmniAuth/LDAP/Adaptor/LdapError.html
+++ b/docs/OmniAuth/LDAP/Adaptor/LdapError.html
@@ -114,7 +114,7 @@
diff --git a/docs/OmniAuth/LDAP/Version.html b/docs/OmniAuth/LDAP/Version.html
index 83f9fc2..d9f0a48 100644
--- a/docs/OmniAuth/LDAP/Version.html
+++ b/docs/OmniAuth/LDAP/Version.html
@@ -111,7 +111,7 @@
diff --git a/docs/OmniAuth/Strategies.html b/docs/OmniAuth/Strategies.html
index dd54494..60b93d6 100644
--- a/docs/OmniAuth/Strategies.html
+++ b/docs/OmniAuth/Strategies.html
@@ -105,7 +105,7 @@ Defined Under Namespace
diff --git a/docs/OmniAuth/Strategies/LDAP.html b/docs/OmniAuth/Strategies/LDAP.html
index 7157854..5a9a8d5 100644
--- a/docs/OmniAuth/Strategies/LDAP.html
+++ b/docs/OmniAuth/Strategies/LDAP.html
@@ -576,7 +576,7 @@
diff --git a/docs/_index.html b/docs/_index.html
index e8944cd..d1b0254 100644
--- a/docs/_index.html
+++ b/docs/_index.html
@@ -254,7 +254,7 @@ Namespace Listing A-Z
diff --git a/docs/file.CHANGELOG.html b/docs/file.CHANGELOG.html
index 36c5361..4e84dac 100644
--- a/docs/file.CHANGELOG.html
+++ b/docs/file.CHANGELOG.html
@@ -97,6 +97,14 @@ Added
https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-11
+ Support for JSON bodies
+ Support custom LDAP attributes mapping
+ Raise a distinct error when LDAP server is unreachable
+
+ - Previously raised an invalid credentials authentication failure error, which is technically incorrect
+
+
+ Documentation of TLS verification options
Changed
@@ -317,7 +325,7 @@
diff --git a/docs/file.CITATION.html b/docs/file.CITATION.html
index 91e946d..9c4b22b 100644
--- a/docs/file.CITATION.html
+++ b/docs/file.CITATION.html
@@ -82,7 +82,7 @@
diff --git a/docs/file.CODE_OF_CONDUCT.html b/docs/file.CODE_OF_CONDUCT.html
index 36775d6..97d119f 100644
--- a/docs/file.CODE_OF_CONDUCT.html
+++ b/docs/file.CODE_OF_CONDUCT.html
@@ -191,7 +191,7 @@ Attribution
diff --git a/docs/file.CONTRIBUTING.html b/docs/file.CONTRIBUTING.html
index cc7c0b9..ba83f05 100644
--- a/docs/file.CONTRIBUTING.html
+++ b/docs/file.CONTRIBUTING.html
@@ -295,7 +295,7 @@ Manual process
diff --git a/docs/file.FUNDING.html b/docs/file.FUNDING.html
index 33a9f14..6eb868c 100644
--- a/docs/file.FUNDING.html
+++ b/docs/file.FUNDING.html
@@ -104,7 +104,7 @@ Another Way to Support Open
diff --git a/docs/file.LICENSE.html b/docs/file.LICENSE.html
index ab7bff6..6782bb4 100644
--- a/docs/file.LICENSE.html
+++ b/docs/file.LICENSE.html
@@ -60,7 +60,7 @@
MIT License
Copyright (c) 2025 Peter H. Boling, and omniauth-ldap contributors Copyright (c) 2011 by Ping Yu and Intridea, Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/docs/file.README.html b/docs/file.README.html
index 3728b3d..f1b2d52 100644
--- a/docs/file.README.html
+++ b/docs/file.README.html
@@ -143,6 +143,51 @@ 🌻 Synopsis
All of the listed options are required, with the exception of :title, :name_proc, :bind_dn, and :password.
+TLS certificate verification
+
+This gem enables TLS certificate verification by default when you use encryption: "ssl" (LDAPS / simple TLS) or encryption: "tls" (STARTTLS). We always pass tls_options to Net::LDAP based on OpenSSL::SSL::SSLContext::DEFAULT_PARAMS, which includes verify_mode: OpenSSL::SSL::VERIFY_PEER and sane defaults.
+
+
+ - Secure by default: you do not need to set anything extra to verify the LDAP server certificate.
+ - To customize trust or ciphers, supply your own
tls_options, which are merged over the safe defaults.
+ - If you truly need to skip verification (not recommended), set
disable_verify_certificates: true.
+
+
+Examples:
+
+# Verify server certs (default behavior)
+use OmniAuth::Strategies::LDAP,
+ host: ENV["LDAP_HOST"],
+ port: 636,
+ encryption: "ssl", # or "tls"
+ base: "dc=example,dc=com",
+ uid: "uid"
+
+# Use a private CA bundle and restrict protocol/ciphers
+use OmniAuth::Strategies::LDAP,
+ host: ENV["LDAP_HOST"],
+ port: 636,
+ encryption: "ssl",
+ base: "dc=example,dc=com",
+ uid: "uid",
+ tls_options: {
+ ca_file: "/etc/ssl/private/my_org_ca.pem",
+ ssl_version: "TLSv1_2",
+ ciphers: ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"],
+ }
+
+# Opt out of verification (NOT recommended – use only in trusted test/dev scenarios)
+use OmniAuth::Strategies::LDAP,
+ host: ENV["LDAP_HOST"],
+ port: 636,
+ encryption: "ssl",
+ base: "dc=example,dc=com",
+ uid: "uid",
+ disable_verify_certificates: true
+
+
+Note: Net::LDAP historically defaulted to no certificate validation when tls_options were not provided. This library mitigates that by always providing secure tls_options unless you explicitly disable verification.
+
💡 Info you can shake a stick at
@@ -998,7 +1043,7 @@ Please give the project a star ⭐ ♥
diff --git a/docs/file.REEK.html b/docs/file.REEK.html
index 2365083..a3f781e 100644
--- a/docs/file.REEK.html
+++ b/docs/file.REEK.html
@@ -61,7 +61,7 @@
diff --git a/docs/file.RUBOCOP.html b/docs/file.RUBOCOP.html
index d86061a..86c6174 100644
--- a/docs/file.RUBOCOP.html
+++ b/docs/file.RUBOCOP.html
@@ -161,7 +161,7 @@ Benefits of rubocop_gradual
diff --git a/docs/file.SECURITY.html b/docs/file.SECURITY.html
index 1ee7bdb..77c53c7 100644
--- a/docs/file.SECURITY.html
+++ b/docs/file.SECURITY.html
@@ -91,7 +91,7 @@ Additional Support
diff --git a/docs/file.adaptor.html b/docs/file.adaptor.html
index 3dd8918..0cd2055 100644
--- a/docs/file.adaptor.html
+++ b/docs/file.adaptor.html
@@ -131,7 +131,7 @@
diff --git a/docs/file.ldap.html b/docs/file.ldap.html
index d044ea7..b8b64a8 100644
--- a/docs/file.ldap.html
+++ b/docs/file.ldap.html
@@ -94,7 +94,7 @@
diff --git a/docs/file.net-ldap.html b/docs/file.net-ldap.html
index 9380b92..09ae9d5 100644
--- a/docs/file.net-ldap.html
+++ b/docs/file.net-ldap.html
@@ -95,7 +95,7 @@
diff --git a/docs/file.net-ntlm.html b/docs/file.net-ntlm.html
index b4d0821..2b39122 100644
--- a/docs/file.net-ntlm.html
+++ b/docs/file.net-ntlm.html
@@ -76,7 +76,7 @@
diff --git a/docs/file.omniauth-ldap-2.3.1.gem.html b/docs/file.omniauth-ldap-2.3.1.gem.html
index 7912f44..24ecd1e 100644
--- a/docs/file.omniauth-ldap-2.3.1.gem.html
+++ b/docs/file.omniauth-ldap-2.3.1.gem.html
@@ -61,7 +61,7 @@
diff --git a/docs/file.omniauth-ldap.html b/docs/file.omniauth-ldap.html
index 2fd85c4..2861d9c 100644
--- a/docs/file.omniauth-ldap.html
+++ b/docs/file.omniauth-ldap.html
@@ -70,7 +70,7 @@ Th
diff --git a/docs/file.sasl.html b/docs/file.sasl.html
index f171ef9..3e293d4 100644
--- a/docs/file.sasl.html
+++ b/docs/file.sasl.html
@@ -71,7 +71,7 @@
diff --git a/docs/file.version.html b/docs/file.version.html
index 51d9eee..3034f23 100644
--- a/docs/file.version.html
+++ b/docs/file.version.html
@@ -69,7 +69,7 @@
diff --git a/docs/index.html b/docs/index.html
index 6f955ad..69159d3 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -143,6 +143,51 @@ 🌻 Synopsis
All of the listed options are required, with the exception of :title, :name_proc, :bind_dn, and :password.
+TLS certificate verification
+
+This gem enables TLS certificate verification by default when you use encryption: "ssl" (LDAPS / simple TLS) or encryption: "tls" (STARTTLS). We always pass tls_options to Net::LDAP based on OpenSSL::SSL::SSLContext::DEFAULT_PARAMS, which includes verify_mode: OpenSSL::SSL::VERIFY_PEER and sane defaults.
+
+
+ - Secure by default: you do not need to set anything extra to verify the LDAP server certificate.
+ - To customize trust or ciphers, supply your own
tls_options, which are merged over the safe defaults.
+ - If you truly need to skip verification (not recommended), set
disable_verify_certificates: true.
+
+
+Examples:
+
+# Verify server certs (default behavior)
+use OmniAuth::Strategies::LDAP,
+ host: ENV["LDAP_HOST"],
+ port: 636,
+ encryption: "ssl", # or "tls"
+ base: "dc=example,dc=com",
+ uid: "uid"
+
+# Use a private CA bundle and restrict protocol/ciphers
+use OmniAuth::Strategies::LDAP,
+ host: ENV["LDAP_HOST"],
+ port: 636,
+ encryption: "ssl",
+ base: "dc=example,dc=com",
+ uid: "uid",
+ tls_options: {
+ ca_file: "/etc/ssl/private/my_org_ca.pem",
+ ssl_version: "TLSv1_2",
+ ciphers: ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"],
+ }
+
+# Opt out of verification (NOT recommended – use only in trusted test/dev scenarios)
+use OmniAuth::Strategies::LDAP,
+ host: ENV["LDAP_HOST"],
+ port: 636,
+ encryption: "ssl",
+ base: "dc=example,dc=com",
+ uid: "uid",
+ disable_verify_certificates: true
+
+
+Note: Net::LDAP historically defaulted to no certificate validation when tls_options were not provided. This library mitigates that by always providing secure tls_options unless you explicitly disable verification.
+
💡 Info you can shake a stick at
@@ -998,7 +1043,7 @@ Please give the project a star ⭐ ♥
diff --git a/docs/top-level-namespace.html b/docs/top-level-namespace.html
index 1181177..bff39cb 100644
--- a/docs/top-level-namespace.html
+++ b/docs/top-level-namespace.html
@@ -100,7 +100,7 @@ Defined Under Namespace