Class: Net::LDAP::Connection
- Inherits:
-
Object
- Object
- Net::LDAP::Connection
- Includes:
- Instrumentation
- Defined in:
- lib/net/ldap/connection.rb
Overview
This is a private class used internally by the library. It should not be called by user code.
Defined Under Namespace
Modules: FixSSLSocketSyncClose, GetbyteForSSLSocket Classes: DefaultSocket
Constant Summary collapse
- DefaultConnectTimeout =
Seconds before failing for socket connect timeout
5
- LdapVersion =
3
- MODIFY_OPERATIONS =
:nodoc:
{ #:nodoc: :add => 0, :delete => 1, :replace => 2, }
Class Method Summary collapse
- .modify_ops(operations) ⇒ Object
- .wrap_with_ssl(io, tls_options = {}, timeout = nil, hostname = nil) ⇒ Object
Instance Method Summary collapse
-
#add(args) ⇒ Object
– TODO: need to support a time limit, in case the server fails to respond.
- #bind(auth) ⇒ Object
-
#close ⇒ Object
– This is provided as a convenience method to make sure a connection object gets closed without waiting for a GC to happen.
-
#delete(args) ⇒ Object
– TODO, need to support a time limit, in case the server fails to respond.
-
#encode_sort_controls(sort_definitions) ⇒ Object
– Allow the caller to specify a sort control.
-
#initialize(server = {}) {|_self| ... } ⇒ Connection
constructor
Initialize a connection to an LDAP server.
- #ldapwhoami ⇒ Object
-
#message_queue ⇒ Object
Internal: The internal queue of messages, read from the socket, grouped by message ID.
-
#modify(args) ⇒ Object
– TODO: need to support a time limit, in case the server fails to respond.
- #next_msgid ⇒ Object
- #open_connection(server) ⇒ Object
-
#password_modify(args) ⇒ Object
Password Modify.
- #prepare_socket(server, timeout = nil, hostname = '127.0.0.1') ⇒ Object
-
#queued_read(message_id) ⇒ Object
Internal: Reads messages by ID from a queue, falling back to reading from the connected socket until a message matching the ID is read.
-
#rename(args) ⇒ Object
– TODO: need to support a time limit, in case the server fails to respond.
-
#search(args = nil) ⇒ Object
– Alternate implementation, this yields each search entry to the caller as it are received.
-
#setup_encryption(args, timeout = nil, hostname = nil) ⇒ Object
– Helper method called only from prepare_socket or open_connection, and only after we have a successfully-opened @conn instance variable, which is a TCP connection.
-
#socket ⇒ Object
Internal: Returns a Socket like object used internally to communicate with LDAP server.
- #socket_class=(socket_class) ⇒ Object
Constructor Details
#initialize(server = {}) {|_self| ... } ⇒ Connection
Initialize a connection to an LDAP server
:server
:hosts Array of tuples specifying host, port
:host host
:port port
:socket prepared socket
19 20 21 22 23 24 25 26 27 |
# File 'lib/net/ldap/connection.rb', line 19 def initialize(server = {}) @server = server @instrumentation_service = server[:instrumentation_service] # Allows tests to parameterize what socket class to use @socket_class = server.fetch(:socket_class, DefaultSocket) yield self if block_given? end |
Class Method Details
.modify_ops(operations) ⇒ Object
540 541 542 543 544 545 546 547 548 549 550 551 552 553 |
# File 'lib/net/ldap/connection.rb', line 540 def self.modify_ops(operations) ops = [] if operations operations.each do |op, attrib, values| # TODO, fix the following line, which gives a bogus error if the # opcode is invalid. op_ber = MODIFY_OPERATIONS[op.to_sym].to_ber_enumerated values = [values].flatten.map { |v| v.to_ber if v }.to_ber_set values = [attrib.to_s.to_ber, values].to_ber_sequence ops << [op_ber, values].to_ber end end ops end |
.wrap_with_ssl(io, tls_options = {}, timeout = nil, hostname = nil) ⇒ Object
89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 |
# File 'lib/net/ldap/connection.rb', line 89 def self.wrap_with_ssl(io, = {}, timeout=nil, hostname=nil) raise Net::LDAP::NoOpenSSLError, "OpenSSL is unavailable" unless Net::LDAP::HasOpenSSL ctx = OpenSSL::SSL::SSLContext.new # By default, we do not verify certificates. For a 1.0 release, this should probably be changed at some point. # See discussion in https://github.com/ruby-ldap/ruby-net-ldap/pull/161 ctx.set_params() unless .empty? conn = OpenSSL::SSL::SSLSocket.new(io, ctx) conn.hostname = hostname begin if timeout conn.connect_nonblock else conn.connect end rescue IO::WaitReadable raise Errno::ETIMEDOUT, "OpenSSL connection read timeout" unless IO.select([conn], nil, nil, timeout) retry rescue IO::WaitWritable raise Errno::ETIMEDOUT, "OpenSSL connection write timeout" unless IO.select(nil, [conn], nil, timeout) retry end # Doesn't work: # conn.sync_close = true conn.extend(GetbyteForSSLSocket) unless conn.respond_to?(:getbyte) conn.extend(FixSSLSocketSyncClose) conn end |
Instance Method Details
#add(args) ⇒ Object
– TODO: need to support a time limit, in case the server fails to respond. Unlike other operation-methods in this class, we return a result hash rather than a simple result number. This is experimental, and eventually we’ll want to do this with all the others. The point is to have access to the error message and the matched-DN returned by the server. ++
639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 |
# File 'lib/net/ldap/connection.rb', line 639 def add(args) add_dn = args[:dn] or raise Net::LDAP::EmptyDNError, "Unable to add empty DN" add_attrs = [] a = args[:attributes] and a.each do |k, v| add_attrs << [k.to_s.to_ber, Array(v).map(&:to_ber).to_ber_set].to_ber_sequence end = next_msgid request = [add_dn.to_ber, add_attrs.to_ber_sequence].to_ber_appsequence(Net::LDAP::PDU::AddRequest) controls = args.fetch(:controls, nil) unless controls.nil? controls = controls.to_ber_contextspecific(0) end write(request, controls, ) pdu = queued_read() if !pdu || pdu.app_tag != Net::LDAP::PDU::AddResponse raise Net::LDAP::ResponseMissingOrInvalidError, "response missing or invalid" end pdu end |
#bind(auth) ⇒ Object
276 277 278 279 280 281 282 |
# File 'lib/net/ldap/connection.rb', line 276 def bind(auth) instrument "bind.net_ldap_connection" do |payload| payload[:method] = meth = auth[:method] adapter = Net::LDAP::AuthAdapter[meth] adapter.new(self).bind(auth) end end |
#close ⇒ Object
– This is provided as a convenience method to make sure a connection object gets closed without waiting for a GC to happen. Clients shouldn’t have to call it, but perhaps it will come in handy someday. ++
185 186 187 188 189 |
# File 'lib/net/ldap/connection.rb', line 185 def close return if !defined?(@conn) || @conn.nil? @conn.close @conn = nil end |
#delete(args) ⇒ Object
– TODO, need to support a time limit, in case the server fails to respond. ++
690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 |
# File 'lib/net/ldap/connection.rb', line 690 def delete(args) dn = args[:dn] or raise "Unable to delete empty DN" controls = args.include?(:control_codes) ? args[:control_codes].to_ber_control : nil #use nil so we can compact later = next_msgid request = dn.to_s.to_ber_application_string(Net::LDAP::PDU::DeleteRequest) write(request, controls, ) pdu = queued_read() if !pdu || pdu.app_tag != Net::LDAP::PDU::DeleteResponse raise Net::LDAP::ResponseMissingOrInvalidError, "response missing or invalid" end pdu end |
#encode_sort_controls(sort_definitions) ⇒ Object
– Allow the caller to specify a sort control
The format of the sort control needs to be:
:sort_control => [“cn”] # just a string or :sort_control => [[“cn”, “matchingRule”, true]] #attribute, matchingRule, direction (true / false) or :sort_control => [“givenname”,“sn”] #multiple strings or arrays
295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 |
# File 'lib/net/ldap/connection.rb', line 295 def encode_sort_controls(sort_definitions) return sort_definitions unless sort_definitions sort_control_values = sort_definitions.map do |control| control = Array(control) # if there is only an attribute name as a string then infer the orderinrule and reverseorder control[0] = String(control[0]).to_ber, control[1] = String(control[1]).to_ber, control[2] = (control[2] == true).to_ber control.to_ber_sequence end [ Net::LDAP::LDAPControls::SORT_REQUEST.to_ber, false.to_ber, sort_control_values.to_ber_sequence.to_s.to_ber, ].to_ber_sequence end |
#ldapwhoami ⇒ Object
706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 |
# File 'lib/net/ldap/connection.rb', line 706 def ldapwhoami ext_seq = [Net::LDAP::WhoamiOid.to_ber_contextspecific(0)] request = ext_seq.to_ber_appsequence(Net::LDAP::PDU::ExtendedRequest) = next_msgid write(request, nil, ) pdu = queued_read() if !pdu || pdu.app_tag != Net::LDAP::PDU::ExtendedResponse raise Net::LDAP::ResponseMissingOrInvalidError, "response missing or invalid" end pdu end |
#message_queue ⇒ Object
Internal: The internal queue of messages, read from the socket, grouped by message ID.
Used by ‘queued_read` to return messages sent by the server with the given ID. If no messages are queued for that ID, `queued_read` will `read` from the socket and queue messages that don’t match the given ID for other readers.
Returns the message queue Hash.
222 223 224 225 226 |
# File 'lib/net/ldap/connection.rb', line 222 def @message_queue ||= Hash.new do |hash, key| hash[key] = [] end end |
#modify(args) ⇒ Object
– TODO: need to support a time limit, in case the server fails to respond. TODO: We’re throwing an exception here on empty DN. Should return a proper error instead, probaby from farther up the chain. TODO: If the user specifies a bogus opcode, we’ll throw a confusing error here (“to_ber_enumerated is not defined on nil”). ++
562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 |
# File 'lib/net/ldap/connection.rb', line 562 def modify(args) modify_dn = args[:dn] or raise "Unable to modify empty DN" ops = self.class.modify_ops args[:operations] = next_msgid request = [ modify_dn.to_ber, ops.to_ber_sequence, ].to_ber_appsequence(Net::LDAP::PDU::ModifyRequest) controls = args.fetch(:controls, nil) unless controls.nil? controls = controls.to_ber_contextspecific(0) end write(request, controls, ) pdu = queued_read() if !pdu || pdu.app_tag != Net::LDAP::PDU::ModifyResponse raise Net::LDAP::ResponseMissingOrInvalidError, "response missing or invalid" end pdu end |
#next_msgid ⇒ Object
271 272 273 274 |
# File 'lib/net/ldap/connection.rb', line 271 def next_msgid @msgid ||= 0 @msgid += 1 end |
#open_connection(server) ⇒ Object
41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 |
# File 'lib/net/ldap/connection.rb', line 41 def open_connection(server) hosts = server[:hosts] encryption = server[:encryption] timeout = server[:connect_timeout] || DefaultConnectTimeout socket_opts = { connect_timeout: timeout, } errors = [] hosts.each do |host, port| begin prepare_socket(server.merge(socket: @socket_class.new(host, port, socket_opts)), timeout, host) if encryption if encryption[:tls_options] && encryption[:tls_options][:verify_mode] && encryption[:tls_options][:verify_mode] == OpenSSL::SSL::VERIFY_NONE warn "not verifying SSL hostname of LDAPS server '#{host}:#{port}'" else @conn.post_connection_check(host) end end return rescue Net::LDAP::Error, SocketError, SystemCallError, OpenSSL::SSL::SSLError => e # Ensure the connection is closed in the event a setup failure. close errors << [e, host, port] end end raise Net::LDAP::ConnectionError.new(errors) end |
#password_modify(args) ⇒ Object
Password Modify
passwdModifyOID OBJECT IDENTIFIER ::= 1.3.6.1.4.1.4203.1.11.1
PasswdModifyRequestValue ::= SEQUENCE {
userIdentity [0] OCTET STRING OPTIONAL
oldPasswd [1] OCTET STRING OPTIONAL
newPasswd [2] OCTET STRING OPTIONAL }
PasswdModifyResponseValue ::= SEQUENCE {
genPasswd [0] OCTET STRING OPTIONAL }
Encoded request:
00\x02\x01\x02w+\x80\x171.3.6.1.4.1.4203.1.11.1\x81\x100\x0E\x81\x05old\x82\x05new
606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 |
# File 'lib/net/ldap/connection.rb', line 606 def password_modify(args) dn = args[:dn] raise ArgumentError, 'DN is required' if !dn || dn.empty? ext_seq = [Net::LDAP::PasswdModifyOid.to_ber_contextspecific(0)] pwd_seq = [] pwd_seq << dn.to_ber(0x80) pwd_seq << args[:old_password].to_ber(0x81) unless args[:old_password].nil? pwd_seq << args[:new_password].to_ber(0x82) unless args[:new_password].nil? ext_seq << pwd_seq.to_ber_sequence.to_ber(0x81) request = ext_seq.to_ber_appsequence(Net::LDAP::PDU::ExtendedRequest) = next_msgid write(request, nil, ) pdu = queued_read() if !pdu || pdu.app_tag != Net::LDAP::PDU::ExtendedResponse raise Net::LDAP::ResponseMissingOrInvalidError, "response missing or invalid" end pdu end |
#prepare_socket(server, timeout = nil, hostname = '127.0.0.1') ⇒ Object
33 34 35 36 37 38 39 |
# File 'lib/net/ldap/connection.rb', line 33 def prepare_socket(server, timeout=nil, hostname='127.0.0.1') socket = server[:socket] encryption = server[:encryption] @conn = socket setup_encryption(encryption, timeout, hostname) if encryption end |
#queued_read(message_id) ⇒ Object
Internal: Reads messages by ID from a queue, falling back to reading from the connected socket until a message matching the ID is read. Any messages with mismatched IDs gets queued for subsequent reads by the origin of that message ID.
Returns a Net::LDAP::PDU object or nil.
197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 |
# File 'lib/net/ldap/connection.rb', line 197 def queued_read() if pdu = [].shift return pdu end # read messages until we have a match for the given message_id while pdu = read return pdu if pdu. == [pdu.].push pdu next end pdu end |
#rename(args) ⇒ Object
– TODO: need to support a time limit, in case the server fails to respond. ++
667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 |
# File 'lib/net/ldap/connection.rb', line 667 def rename(args) old_dn = args[:olddn] or raise "Unable to rename empty DN" new_rdn = args[:newrdn] or raise "Unable to rename to empty RDN" delete_attrs = args[:delete_attributes] ? true : false new_superior = args[:new_superior] = next_msgid request = [old_dn.to_ber, new_rdn.to_ber, delete_attrs.to_ber] request << new_superior.to_ber_contextspecific(0) unless new_superior == nil write(request.to_ber_appsequence(Net::LDAP::PDU::ModifyRDNRequest), nil, ) pdu = queued_read() if !pdu || pdu.app_tag != Net::LDAP::PDU::ModifyRDNResponse raise Net::LDAP::ResponseMissingOrInvalidError.new "response missing or invalid" end pdu end |
#search(args = nil) ⇒ Object
– Alternate implementation, this yields each search entry to the caller as it are received.
TODO: certain search parameters are hardcoded. TODO: if we mis-parse the server results or the results are wrong, we can block forever. That’s because we keep reading results until we get a type-5 packet, which might never come. We need to support the time-limit in the protocol. ++
322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 |
# File 'lib/net/ldap/connection.rb', line 322 def search(args = nil) args ||= {} # filtering, scoping, search base # filter: https://tools.ietf.org/html/rfc4511#section-4.5.1.7 # base: https://tools.ietf.org/html/rfc4511#section-4.5.1.1 # scope: https://tools.ietf.org/html/rfc4511#section-4.5.1.2 filter = args[:filter] || Net::LDAP::Filter.eq("objectClass", "*") base = args[:base] scope = args[:scope] || Net::LDAP::SearchScope_WholeSubtree # attr handling # attrs: https://tools.ietf.org/html/rfc4511#section-4.5.1.8 # attrs_only: https://tools.ietf.org/html/rfc4511#section-4.5.1.6 attrs = Array(args[:attributes]) attrs_only = args[:attributes_only] == true # references # refs: https://tools.ietf.org/html/rfc4511#section-4.5.3 # deref: https://tools.ietf.org/html/rfc4511#section-4.5.1.3 refs = args[:return_referrals] == true deref = args[:deref] || Net::LDAP::DerefAliases_Never # limiting, paging, sorting # size: https://tools.ietf.org/html/rfc4511#section-4.5.1.4 # time: https://tools.ietf.org/html/rfc4511#section-4.5.1.5 size = args[:size].to_i time = args[:time].to_i paged = args[:paged_searches_supported] sort = args.fetch(:sort_controls, false) # arg validation raise ArgumentError, "search base is required" unless base raise ArgumentError, "invalid search-size" unless size >= 0 raise ArgumentError, "invalid search scope" unless Net::LDAP::SearchScopes.include?(scope) raise ArgumentError, "invalid alias dereferencing value" unless Net::LDAP::DerefAliasesArray.include?(deref) # arg transforms filter = Net::LDAP::Filter.construct(filter) if filter.is_a?(String) ber_attrs = attrs.map { |attr| attr.to_s.to_ber } ber_sort = encode_sort_controls(sort) # An interesting value for the size limit would be close to A/D's # built-in page limit of 1000 records, but openLDAP newer than version # 2.2.0 chokes on anything bigger than 126. You get a silent error that # is easily visible by running slapd in debug mode. Go figure. # # Changed this around 06Sep06 to support a caller-specified search-size # limit. Because we ALWAYS do paged searches, we have to work around the # problem that it's not legal to specify a "normal" sizelimit (in the # body of the search request) that is larger than the page size we're # requesting. Unfortunately, I have the feeling that this will break # with LDAP servers that don't support paged searches!!! # # (Because we pass zero as the sizelimit on search rounds when the # remaining limit is larger than our max page size of 126. In these # cases, I think the caller's search limit will be ignored!) # # CONFIRMED: This code doesn't work on LDAPs that don't support paged # searches when the size limit is larger than 126. We're going to have # to do a root-DSE record search and not do a paged search if the LDAP # doesn't support it. Yuck. = [126, ""] result_pdu = nil n_results = 0 = next_msgid instrument "search.net_ldap_connection", message_id: , filter: filter, base: base, scope: scope, size: size, time: time, sort: sort, referrals: refs, deref: deref, attributes: attrs do |payload| loop do # should collect this into a private helper to clarify the structure query_limit = 0 if size > 0 query_limit = if paged (((size - n_results) < 126) ? (size - n_results) : 0) else size end end request = [ base.to_ber, scope.to_ber_enumerated, deref.to_ber_enumerated, query_limit.to_ber, # size limit time.to_ber, attrs_only.to_ber, filter.to_ber, ber_attrs.to_ber_sequence, ].to_ber_appsequence(Net::LDAP::PDU::SearchRequest) # rfc2696_cookie sometimes contains binary data from Microsoft Active Directory # this breaks when calling to_ber. (Can't force binary data to UTF-8) # we have to disable paging (even though server supports it) to get around this... user_controls = args.fetch(:controls, []) controls = [] controls << [ Net::LDAP::LDAPControls::PAGED_RESULTS.to_ber, # Criticality MUST be false to interoperate with normal LDAPs. false.to_ber, .map(&:to_ber).to_ber_sequence.to_s.to_ber, ].to_ber_sequence if paged controls << ber_sort if ber_sort if controls.empty? && user_controls.empty? controls = nil else controls += user_controls controls = controls.to_ber_contextspecific(0) end write(request, controls, ) result_pdu = nil controls = [] while pdu = queued_read() case pdu.app_tag when Net::LDAP::PDU::SearchReturnedData n_results += 1 yield pdu.search_entry if block_given? when Net::LDAP::PDU::SearchResultReferral if refs if block_given? se = Net::LDAP::Entry.new se[:search_referrals] = (pdu.search_referrals || []) yield se end end when Net::LDAP::PDU::SearchResult result_pdu = pdu controls = pdu.result_controls if refs && pdu.result_code == Net::LDAP::ResultCodeReferral if block_given? se = Net::LDAP::Entry.new se[:search_referrals] = (pdu.search_referrals || []) yield se end end break else raise Net::LDAP::ResponseTypeInvalidError, "invalid response-type in search: #{pdu.app_tag}" end end if result_pdu.nil? raise Net::LDAP::ResponseMissingOrInvalidError, "response missing" end # count number of pages of results payload[:page_count] ||= 0 payload[:page_count] += 1 # When we get here, we have seen a type-5 response. If there is no # error AND there is an RFC-2696 cookie, then query again for the next # page of results. If not, we're done. Don't screw this up or we'll # break every search we do. # # Noticed 02Sep06, look at the read_ber call in this loop, shouldn't # that have a parameter of AsnSyntax? Does this just accidentally # work? According to RFC-2696, the value expected in this position is # of type OCTET STRING, covered in the default syntax supported by # read_ber, so I guess we're ok. more_pages = false if result_pdu.result_code == Net::LDAP::ResultCodeSuccess and controls controls.each do |c| if c.oid == Net::LDAP::LDAPControls::PAGED_RESULTS # just in case some bogus server sends us more than 1 of these. more_pages = false if c.value and c.value.length > 0 = c.value.read_ber[1] if and .length > 0 [1] = more_pages = true end end end end end break unless more_pages end # loop # track total result count payload[:result_count] = n_results result_pdu || OpenStruct.new(:status => :failure, :result_code => Net::LDAP::ResultCodeOperationsError, :message => "Invalid search") end # instrument ensure # clean up message queue for this search = .delete() # in the exceptional case some messages were *not* consumed from the queue, # instrument the event but do not fail. if !.nil? && !.empty? instrument "search_messages_unread.net_ldap_connection", message_id: , messages: end end |
#setup_encryption(args, timeout = nil, hostname = nil) ⇒ Object
– Helper method called only from prepare_socket or open_connection, and only after we have a successfully-opened @conn instance variable, which is a TCP connection. Depending on the received arguments, we establish SSL, potentially replacing the value of @conn accordingly. Don’t generate any errors here if no encryption is requested. DO raise Net::LDAP::Error objects if encryption is requested and we have trouble setting it up. That includes if OpenSSL is not set up on the machine. (Question: how does the Ruby OpenSSL wrapper react in that case?) DO NOT filter exceptions raised by the OpenSSL library. Let them pass back to the user. That should make it easier for us to debug the problem reports. Presumably (hopefully?) that will also produce recognizable errors if someone tries to use this on a machine without OpenSSL.
The simple_tls method is intended as the simplest, stupidest, easiest solution for people who want nothing more than encrypted comms with the LDAP server. It doesn’t do any server-cert validation and requires nothing in the way of key files and root-cert files, etc etc. OBSERVE: WE REPLACE the value of @conn, which is presumed to be a connected TCPSocket object.
The start_tls method is supported by many servers over the standard LDAP port. It does not require an alternative port for encrypted communications, as with simple_tls. Thanks for Kouhei Sutou for generously contributing the :start_tls path. ++
152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 |
# File 'lib/net/ldap/connection.rb', line 152 def setup_encryption(args, timeout=nil, hostname=nil) args[:tls_options] ||= {} case args[:method] when :simple_tls @conn = self.class.wrap_with_ssl(@conn, args[:tls_options], timeout, hostname) # additional branches requiring server validation and peer certs, etc. # go here. when :start_tls = next_msgid request = [ Net::LDAP::StartTlsOid.to_ber_contextspecific(0), ].to_ber_appsequence(Net::LDAP::PDU::ExtendedRequest) write(request, nil, ) pdu = queued_read() if pdu.nil? || pdu.app_tag != Net::LDAP::PDU::ExtendedResponse raise Net::LDAP::NoStartTLSResultError, "no start_tls result" end raise Net::LDAP::StartTLSError, "start_tls failed: #{pdu.result_code}" unless pdu.result_code.zero? @conn = self.class.wrap_with_ssl(@conn, args[:tls_options], timeout, hostname) else raise Net::LDAP::EncMethodUnsupportedError, "unsupported encryption method #{args[:method]}" end end |
#socket ⇒ Object
Internal: Returns a Socket like object used internally to communicate with LDAP server.
Typically a TCPSocket, but can be a OpenSSL::SSL::SSLSocket
726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 |
# File 'lib/net/ldap/connection.rb', line 726 def socket return @conn if defined?(@conn) && !@conn.nil? # First refactoring uses the existing methods open_connection and # prepare_socket to set @conn. Next cleanup would centralize connection # handling here. if @server[:socket] prepare_socket(@server) else @server[:hosts] = [[@server[:host], @server[:port]]] if @server[:hosts].nil? open_connection(@server) end @conn end |
#socket_class=(socket_class) ⇒ Object
29 30 31 |
# File 'lib/net/ldap/connection.rb', line 29 def socket_class=(socket_class) @socket_class = socket_class end |