📝 Document TLS options

CHANGELOG.md

@@ -33,6 +33,7 @@ Please file a bug if you notice a violation of semantic versioning.
 - Support custom LDAP attributes mapping
 - Raise a distinct error when LDAP server is unreachable
   - Previously raised an invalid credentials authentication failure error, which is technically incorrect
+- Documentation of TLS verification options
 
 ### Changed
 

README.md

@@ -81,6 +81,50 @@ use OmniAuth::Strategies::LDAP,
 
 All of the listed options are required, with the exception of `:title`, `:name_proc`, `:bind_dn`, and `:password`.
 
+## TLS certificate verification
+
+This gem enables TLS certificate verification by default when you use `encryption: "ssl"` (LDAPS / simple TLS) or `encryption: "tls"` (STARTTLS). We always pass `tls_options` to Net::LDAP based on `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS`, which includes `verify_mode: OpenSSL::SSL::VERIFY_PEER` and sane defaults.
+
+- Secure by default: you do not need to set anything extra to verify the LDAP server certificate.
+- To customize trust or ciphers, supply your own `tls_options`, which are merged over the safe defaults.
+- If you truly need to skip verification (not recommended), set `disable_verify_certificates: true`.
+
+Examples:
+
+```ruby
+# Verify server certs (default behavior)
+use OmniAuth::Strategies::LDAP,
+  host: ENV["LDAP_HOST"],
+  port: 636,
+  encryption: "ssl",  # or "tls"
+  base: "dc=example,dc=com",
+  uid:  "uid"
+
+# Use a private CA bundle and restrict protocol/ciphers
+use OmniAuth::Strategies::LDAP,
+  host: ENV["LDAP_HOST"],
+  port: 636,
+  encryption: "ssl",
+  base: "dc=example,dc=com",
+  uid:  "uid",
+  tls_options: {
+    ca_file: "/etc/ssl/private/my_org_ca.pem",
+    ssl_version: "TLSv1_2",
+    ciphers: ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"],
+  }
+
+# Opt out of verification (NOT recommended – use only in trusted test/dev scenarios)
+use OmniAuth::Strategies::LDAP,
+  host: ENV["LDAP_HOST"],
+  port: 636,
+  encryption: "ssl",
+  base: "dc=example,dc=com",
+  uid:  "uid",
+  disable_verify_certificates: true
+```
+
+Note: Net::LDAP historically defaulted to no certificate validation when `tls_options` were not provided. This library mitigates that by always providing secure `tls_options` unless you explicitly disable verification.
+
 ## 💡 Info you can shake a stick at
 
 | Tokens to Remember      | [![Gem name][⛳️name-img]][⛳️gem-name] [![Gem namespace][⛳️namespace-img]][⛳️gem-namespace]                                                                                                                                                                                                                                                                          |

docs/OmniAuth.html

@@ -107,7 +107,7 @@ <h2>Defined Under Namespace</h2>
 </div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/OmniAuth/LDAP.html

@@ -135,7 +135,7 @@ <h2>
 </div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/OmniAuth/LDAP/Adaptor.html

@@ -1273,7 +1273,9 @@ <h3 class="signature first" id="bind_as-instance_method">
 173
 174
 175
-176</pre>
+176
+177
+178</pre>
     </td>
     <td>
       <pre class="code"><span class="info file"># File 'lib/omniauth-ldap/adaptor.rb', line 131</span>
@@ -1284,6 +1286,8 @@ <h3 class="signature first" id="bind_as-instance_method">
   <span class='ivar'>@last_password_policy_response</span> <span class='op'>=</span> <span class='kw'>nil</span>
   <span class='ivar'>@connection</span><span class='period'>.</span><span class='id identifier rubyid_open'>open</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_me'>me</span><span class='op'>|</span>
     <span class='id identifier rubyid_rs'>rs</span> <span class='op'>=</span> <span class='id identifier rubyid_me'>me</span><span class='period'>.</span><span class='id identifier rubyid_search'>search</span><span class='lparen'>(</span><span class='id identifier rubyid_args'>args</span><span class='rparen'>)</span>
+    <span class='id identifier rubyid_raise'>raise</span> <span class='const'><span class='object_link'><a href="Adaptor/ConnectionError.html" title="OmniAuth::LDAP::Adaptor::ConnectionError (class)">ConnectionError</a></span></span><span class='period'>.</span><span class='id identifier rubyid_new'><span class='object_link'><a href="#initialize-instance_method" title="OmniAuth::LDAP::Adaptor#initialize (method)">new</a></span></span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>LDAP search operation failed</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span> <span class='kw'>unless</span> <span class='id identifier rubyid_rs'>rs</span>
+
     <span class='kw'>if</span> <span class='id identifier rubyid_rs'>rs</span> <span class='op'>&amp;&amp;</span> <span class='id identifier rubyid_rs'>rs</span><span class='period'>.</span><span class='id identifier rubyid_first'>first</span>
       <span class='id identifier rubyid_dn'>dn</span> <span class='op'>=</span> <span class='id identifier rubyid_rs'>rs</span><span class='period'>.</span><span class='id identifier rubyid_first'>first</span><span class='period'>.</span><span class='id identifier rubyid_dn'>dn</span>
       <span class='kw'>if</span> <span class='id identifier rubyid_dn'>dn</span>
@@ -1334,7 +1338,7 @@ <h3 class="signature first" id="bind_as-instance_method">
 </div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/OmniAuth/LDAP/Adaptor/AuthenticationError.html

@@ -114,7 +114,7 @@
 </div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/OmniAuth/LDAP/Adaptor/ConfigurationError.html

@@ -114,7 +114,7 @@
 </div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/OmniAuth/LDAP/Adaptor/ConnectionError.html

@@ -114,7 +114,7 @@
 </div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/OmniAuth/LDAP/Adaptor/LdapError.html

@@ -114,7 +114,7 @@
 </div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/OmniAuth/LDAP/Version.html

@@ -111,7 +111,7 @@ <h2>
 </div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/OmniAuth/Strategies.html

@@ -105,7 +105,7 @@ <h2>Defined Under Namespace</h2>
 </div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/OmniAuth/Strategies/LDAP.html

@@ -576,7 +576,7 @@ <h3 class="signature " id="request_phase-instance_method">
 </div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/_index.html

@@ -254,7 +254,7 @@ <h2>Namespace Listing A-Z</h2>
 </div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:31 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/file.CHANGELOG.html

@@ -97,6 +97,14 @@ <h3 id="added">Added</h3>
       <li>https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-11</li>
     </ul>
   </li>
+  <li>Support for JSON bodies</li>
+  <li>Support custom LDAP attributes mapping</li>
+  <li>Raise a distinct error when LDAP server is unreachable
+    <ul>
+      <li>Previously raised an invalid credentials authentication failure error, which is technically incorrect</li>
+    </ul>
+  </li>
+  <li>Documentation of TLS verification options</li>
 </ul>
 
 <h3 id="changed">Changed</h3>
@@ -317,7 +325,7 @@ <h2 id="100-gl---2011-11-02">
 </div></div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/file.CITATION.html

@@ -82,7 +82,7 @@
 </div></div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/file.CODE_OF_CONDUCT.html

@@ -191,7 +191,7 @@ <h2 id="attribution">Attribution</h2>
 </div></div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/file.CONTRIBUTING.html

@@ -295,7 +295,7 @@ <h4 id="manual-process">Manual process</h4>
 </div></div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/file.FUNDING.html

@@ -104,7 +104,7 @@ <h1 id="another-way-to-support-open-source-software">Another Way to Support Open
 </div></div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/file.LICENSE.html

@@ -60,7 +60,7 @@
       <div id="content"><div id='filecontents'>MIT License<br><br>Copyright (c) 2025 Peter H. Boling, and omniauth-ldap contributors<br>Copyright (c) 2011 by Ping Yu and Intridea, Inc.<br><br>Permission is hereby granted, free of charge, to any person obtaining<br>a copy of this software and associated documentation files (the<br>"Software"), to deal in the Software without restriction, including<br>without limitation the rights to use, copy, modify, merge, publish,<br>distribute, sublicense, and/or sell copies of the Software, and to<br>permit persons to whom the Software is furnished to do so, subject to<br>the following conditions:<br><br>The above copyright notice and this permission notice shall be<br>included in all copies or substantial portions of the Software.<br><br>THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,<br>EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF<br>MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND<br>NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE<br>LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION<br>OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION<br>WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.</div></div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/file.README.html

@@ -143,6 +143,51 @@ <h2 id="-synopsis">🌻 Synopsis</h2>
 
 <p>All of the listed options are required, with the exception of <code>:title</code>, <code>:name_proc</code>, <code>:bind_dn</code>, and <code>:password</code>.</p>
 
+<h2 id="tls-certificate-verification">TLS certificate verification</h2>
+
+<p>This gem enables TLS certificate verification by default when you use <code>encryption: "ssl"</code> (LDAPS / simple TLS) or <code>encryption: "tls"</code> (STARTTLS). We always pass <code>tls_options</code> to Net::LDAP based on <code>OpenSSL::SSL::SSLContext::DEFAULT_PARAMS</code>, which includes <code>verify_mode: OpenSSL::SSL::VERIFY_PEER</code> and sane defaults.</p>
+
+<ul>
+  <li>Secure by default: you do not need to set anything extra to verify the LDAP server certificate.</li>
+  <li>To customize trust or ciphers, supply your own <code>tls_options</code>, which are merged over the safe defaults.</li>
+  <li>If you truly need to skip verification (not recommended), set <code>disable_verify_certificates: true</code>.</li>
+</ul>
+
+<p>Examples:</p>
+
+<pre class="code language-ruby"><code class="language-ruby"># Verify server certs (default behavior)
+use OmniAuth::Strategies::LDAP,
+  host: ENV[&quot;LDAP_HOST&quot;],
+  port: 636,
+  encryption: &quot;ssl&quot;,  # or &quot;tls&quot;
+  base: &quot;dc=example,dc=com&quot;,
+  uid:  &quot;uid&quot;
+
+# Use a private CA bundle and restrict protocol/ciphers
+use OmniAuth::Strategies::LDAP,
+  host: ENV[&quot;LDAP_HOST&quot;],
+  port: 636,
+  encryption: &quot;ssl&quot;,
+  base: &quot;dc=example,dc=com&quot;,
+  uid:  &quot;uid&quot;,
+  tls_options: {
+    ca_file: &quot;/etc/ssl/private/my_org_ca.pem&quot;,
+    ssl_version: &quot;TLSv1_2&quot;,
+    ciphers: [&quot;TLS_AES_256_GCM_SHA384&quot;, &quot;TLS_CHACHA20_POLY1305_SHA256&quot;],
+  }
+
+# Opt out of verification (NOT recommended – use only in trusted test/dev scenarios)
+use OmniAuth::Strategies::LDAP,
+  host: ENV[&quot;LDAP_HOST&quot;],
+  port: 636,
+  encryption: &quot;ssl&quot;,
+  base: &quot;dc=example,dc=com&quot;,
+  uid:  &quot;uid&quot;,
+  disable_verify_certificates: true
+</code></pre>
+
+<p>Note: Net::LDAP historically defaulted to no certificate validation when <code>tls_options</code> were not provided. This library mitigates that by always providing secure <code>tls_options</code> unless you explicitly disable verification.</p>
+
 <h2 id="-info-you-can-shake-a-stick-at">💡 Info you can shake a stick at</h2>
 
 <table>
@@ -998,7 +1043,7 @@ <h3 id="please-give-the-project-a-star--">Please give the project a star ⭐ ♥
 </div></div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/file.REEK.html

@@ -61,7 +61,7 @@
 </div></div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/file.RUBOCOP.html

@@ -161,7 +161,7 @@ <h2 id="benefits-of-rubocop_gradual">Benefits of rubocop_gradual</h2>
 </div></div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/file.SECURITY.html

@@ -91,7 +91,7 @@ <h2 id="additional-support">Additional Support</h2>
 </div></div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/file.adaptor.html

@@ -131,7 +131,7 @@
 </div></div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/file.ldap.html

@@ -94,7 +94,7 @@
 </div></div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/file.net-ldap.html

@@ -95,7 +95,7 @@
 </div></div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/file.net-ntlm.html

@@ -76,7 +76,7 @@
 </div></div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/file.omniauth-ldap-2.3.1.gem.html

@@ -61,7 +61,7 @@
 </div></div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/file.omniauth-ldap.html

@@ -70,7 +70,7 @@ <h1 id="this-file-is-intentionally-minimal-to-avoid-duplicating-declarations">Th
 </div></div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/file.sasl.html

@@ -71,7 +71,7 @@
 </div></div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>