#!/usr/local/bin/ruby
require 'rubygems'
require 'openssl'
require 'net/ldap'
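begin
  # Connection parameters. The credentials are read from the environment so
  # that a real password never has to live in the script; the literals are the
  # placeholders from the original post and only act as defaults.
  user     = ENV.fetch("LDAP_USER") { "testuser" }
  pass     = ENV.fetch("LDAP_PASSWORD") { "testpass" }
  host     = ENV.fetch("LDAP_HOST") { "<server ip>" }
  treebase = "ou=People,dc=example,dc=com"

  # `user` is interpolated straight into a DN. That is only acceptable because
  # it is an operator-supplied constant here; a value coming from an end user
  # would need DN escaping before being spliced into the string.
  bind_dn = "uid=#{user},#{treebase}"

  ldap = Net::LDAP.new(
    :host => host,
    :port => 636,
    # LDAPS on 636. Encryption alone is not enough: without certificate
    # verification the session can be intercepted by anyone who can answer
    # on the server's IP. NOTE(review): older net-ldap releases ignore
    # :tls_options and do not verify the peer certificate at all, so confirm
    # the gem version in use actually honours this setting.
    :encryption => {
      :method      => :simple_tls,
      :tls_options => { :verify_mode => OpenSSL::SSL::VERIFY_PEER }
    },
    :base => treebase,
    :auth => {
      :method   => :simple,
      :username => bind_dn,
      :password => pass
    }
  )

  # Print the server's result code and message for the last operation in the
  # same shape for every step, so the output is directly comparable.
  report = lambda do |label|
    outcome = ldap.get_operation_result
    puts label
    puts "Result: #{outcome.code}"
    puts "Message: #{outcome.message}"
  end

  # Stop on a failed bind: continuing would only run the later operations on a
  # connection that is not authenticated as the intended user.
  unless ldap.bind
    report.call("LDAP connection failed")
    exit 1
  end
  report.call("LDAP connection successful")

  # Filter.eq escapes its value, so `user` cannot alter the filter structure.
  filter     = Net::LDAP::Filter.present("objectClass") & Net::LDAP::Filter.eq("uid", user)
  scope      = Net::LDAP::SearchScope_WholeSubtree
  # "dn" is not a real LDAP attribute (the DN is always part of an entry);
  # it is kept so the request matches what was sent in the original run.
  attributes = ["dn", "mail"]
  puts "LDAP search parameters - base : #{treebase}, scope #{scope}, filter #{filter}, attributes #{attributes}"

  # One search instead of two: net-ldap returns false when the server answers
  # with a non-zero result code, otherwise the array of matching entries.
  entries = ldap.search(:base => treebase, :scope => scope, :filter => filter, :attributes => attributes)
  if entries
    entries.each { |entry| puts "DN: #{entry.dn}" }
  else
    report.call("Search failed")
  end

  # bind_as searches for the entry with the current credentials and then
  # re-binds the connection as the DN it found; the connection stays bound as
  # that user afterwards.
  authenticated = ldap.bind_as(
    :base     => treebase,
    :filter   => filter,
    :password => pass
  )
  if authenticated
    puts "Authenticated #{authenticated.first.dn}"
    exit 0
  end
  report.call("Authentication FAILED.")
  exit 1
rescue StandardError => e
  # Transport/TLS failures (refused connection, certificate rejected, ...)
  # are raised rather than reported through get_operation_result.
  warn "LDAP error: #{e.class}: #{e.message}"
  exit 1
end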
Which results in:
~/ruby% ./idm_ldap.rb
LDAP connection successful
Result: 0
Message: Success
LDAP search parameters - base : ou=People,dc=example,dc=com, scope 2, filter (&(objectClass=*)(uid=testuser)), attributes ["dn", "mail"]
Search failed
Result: 50
Message: Insufficient Access Rights
Authentication FAILED.
Result: 50
Message: Insufficient Access Rights
Before you say it I am not actually using dc=example,dc=com in the script, that is just to protect the innocent.
However, on the same server I can run a query with ldapsearch using the same user DN, password, base DN and filter, and that returns results. Why would Net::LDAP get "Insufficient Access Rights" for the same search?
I know that some of the attributes in the LDAP server are restricted, so if Net::LDAP was pulling all attributes and filtering that could be a problem, but from what I see it is not doing this.
Any help would be appreciated.
cheers,
Jared