Net::LDAP search issues


Jared Whiklo

Feb 24, 2016, 3:58:25 PM
to Ruby LDAP
Hi all,

New to Ruby and just trying to solve a particular problem. 

We have a Redmine installation which has been working fine. Recently it was decided to decommission the LDAP server we authenticate against. We have two options, an ActiveDirectory server and an alternate LDAP server.

I decided to go with the LDAP server.

However, when I search the LDAP server for a user via Net::LDAP I get an "Insufficient Access Rights" error.

I cobbled together a simple script to test this out.

#!/usr/local/bin/ruby

require 'rubygems'
require 'net/ldap'

begin
  user = "testuser"
  pass = "testpass"
  treebase = "ou=People,dc=example,dc=com"

  # Connect over LDAPS (port 636) and bind as the user's own DN
  ldap = Net::LDAP.new :host => "<server ip>",
                       :port => 636,
                       :encryption => :simple_tls,
                       :base => treebase,
                       :auth => {
                         :method => :simple,
                         :username => "uid=#{user},#{treebase}",
                         :password => pass
                       }

  if not ldap.bind
    puts "LDAP connection failed"
    puts "Result: #{ldap.get_operation_result.code}"
    puts "Message: #{ldap.get_operation_result.message}"
  else
    puts "LDAP connection successful"
    puts "Result: #{ldap.get_operation_result.code}"
    puts "Message: #{ldap.get_operation_result.message}"
  end

  # Filter: (&(objectClass=*)(uid=<user>))
  filterBase = Net::LDAP::Filter.present("objectClass")
  filter1 = Net::LDAP::Filter.eq( "uid", user )

  filter = filterBase & filter1

  scope = Net::LDAP::SearchScope_WholeSubtree

  attributes = ["dn", "mail"]

  puts "LDAP search parameters - base : #{treebase}, scope #{scope}, filter #{filter}, attributes #{attributes}"

  # First search only checks the result code; the second one prints the entries
  if not ldap.search( :base => treebase, :scope => scope, :filter => filter, :attributes => attributes, :return_result => false)
    puts "Search failed"
    puts "Result: #{ldap.get_operation_result.code}"
    puts "Message: #{ldap.get_operation_result.message}"
  else
    ldap.search( :base => treebase, :scope => scope, :filter => filter, :attributes => attributes, :return_result => true) do |entry|
      puts "DN: #{entry.dn}"
    end
  end

  # bind_as searches for the user with the filter and then binds as the entry found
  result = ldap.bind_as(
    :base => treebase,
    :filter => filter,
    :password => pass
  )

  if result
    puts "Authenticated #{result.first.dn}"
  else
    puts "Authentication FAILED."
    puts "Result: #{ldap.get_operation_result.code}"
    puts "Message: #{ldap.get_operation_result.message}"
  end

end


Which results in:


~/ruby% ./idm_ldap.rb
LDAP connection successful
Result: 0
Message: Success
LDAP search parameters - base : ou=People,dc=example,dc=com, scope 2, filter (&(objectClass=*)(uid=testuser)), attributes ["dn", "mail"]
Search failed
Result: 50
Message: Insufficient Access Rights
Authentication FAILED.
Result: 50
Message: Insufficient Access Rights


Before you say it I am not actually using dc=example,dc=com in the script, that is just to protect the innocent.


However on the same server I can run a query using the same user DN, password, base DN and filter with ldapsearch and get results??


I know that some of the attributes in the LDAP server are restricted, so if Net::LDAP was pulling all attributes and filtering that could be a problem, but from what I see it is not doing this.


Any help would be appreciated.


cheers,

Jared

Jerry Cheung

Feb 25, 2016, 1:23:18 PM
to Ruby LDAP
Could you include the ldapsearch command you used for comparison? What happens when you drop the `:scope` parameter? It's hard to debug this without the actual LDAP server, so I'm trying to narrow down the issue.
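An added helper (not code from either poster, and it does not need the net-ldap gem) that turns the parameters the script prints into the equivalent ldapsearch invocation, so the two tools are compared with identical base, scope, filter and attribute list, and that names the result code the script reports. The scope constants mirror the values net-ldap uses (0, 1, 2); the "dn" pseudo-attribute is dropped because the DN is returned with every entry by both tools regardless.

```ruby
require 'shellwords'

# Scope values as used by net-ldap (Net::LDAP::SearchScope_*), repeated here
# so this helper runs without the gem installed.
SCOPE_BASE     = 0
SCOPE_ONELEVEL = 1
SCOPE_SUBTREE  = 2
SCOPE_FLAGS = { SCOPE_BASE => 'base', SCOPE_ONELEVEL => 'one', SCOPE_SUBTREE => 'sub' }.freeze

# The LDAP result codes (RFC 4511) most often seen when a search is refused.
RESULT_NAMES = {
  0  => 'success',
  32 => 'noSuchObject',
  49 => 'invalidCredentials',
  50 => 'insufficientAccessRights',
}.freeze

# Build the ldapsearch command line equivalent to a Net::LDAP#search call.
# -x: simple bind, -W: prompt for the password instead of putting it in argv.
def ldapsearch_command(host:, port:, tls:, bind_dn:, base:, scope:, filter:, attributes:)
  flag = SCOPE_FLAGS.fetch(scope) { raise ArgumentError, "unknown scope #{scope.inspect}" }
  uri  = "#{tls ? 'ldaps' : 'ldap'}://#{host}:#{port}"
  # "dn" is not an attribute type; every entry carries its DN anyway.
  attrs = attributes.reject { |a| a.casecmp?('dn') }
  argv = ['ldapsearch', '-x', '-H', uri, '-D', bind_dn, '-W',
          '-b', base, '-s', flag, filter, *attrs]
  Shellwords.join(argv)
end

# Render a numeric result code with its RFC 4511 name.
def describe_result(code)
  "#{code} (#{RESULT_NAMES.fetch(code, 'unknown')})"
end

if $PROGRAM_NAME == __FILE__
  # Constructed values matching the parameters printed by the script above.
  puts ldapsearch_command(host: 'ldap.example.com', port: 636, tls: true,
                          bind_dn: 'uid=testuser,ou=People,dc=example,dc=com',
                          base: 'ou=People,dc=example,dc=com', scope: SCOPE_SUBTREE,
                          filter: '(&(objectClass=*)(uid=testuser))',
                          attributes: %w[dn mail])
  puts describe_result(50)
end
```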