bearded / ruby-ldap

Ruby/LDAP is an extension library for Ruby. It provides the interface to some LDAP libraries (e.g. OpenLDAP, Netscape SDK and Active Directory). The common API for application development is described in RFC1823 and is supported by Ruby/LDAP.
http://rubyforge.org/projects/ruby-ldap/

sasl_bind discards OPT_REFERRALS #29

Open hadmut opened 10 years ago

hadmut commented 10 years ago

Hi,

I just ran into several problems when using ruby-ldap to query users from a Microsoft Active Directory server, using Kerberos authentication.

A major problem was that Active Directory always responds with three referrals to the Active Directory with different host names and different ldap paths. The ldap lib tries to follow them, fails because of the missing bind, and aborts with an error message.

The solution is to use these two settings:

```ruby
conn.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)
conn.set_option(LDAP::LDAP_OPT_REFERRALS, 0)
```

With these options, the queries work.

Unfortunately, sasl_bind() resets OPT_REFERRALS, which means that this option needs to be set after every sasl_bind (in contrast to simple_bind, which keeps the previous value). Since additional libraries are used on top of ruby-ldap (e.g. ActiveLdap), it is not easy to have this option set after every sasl_bind.

It would be nice if sasl_bind could preserve the general value, like simple_bind.

regards
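The workaround described in this issue, written up as an added example (this is not code from the ruby-ldap project or from the reporter): a small wrapper that performs the SASL bind, re-applies the two options afterwards, and reads `LDAP_OPT_REFERRALS` back so a silent reset fails immediately rather than as a confusing referral error during the first search. It assumes `LDAP::Conn#sasl_bind(dn, mech, cred)`, `#set_option` and `#get_option` with `get_option` returning `0` when referral chasing is off; `FakeConn` is a constructed stand-in that reproduces the reset behaviour so the example runs without a directory server or the gem installed.

```ruby
# Added example, not code from the ruby-ldap project or from this issue.
# Wraps sasl_bind so the referral setting is re-applied and verified after
# the bind, working around the reset the report describes.
begin
  require 'ldap'
rescue LoadError
  # Offline fallback so the example runs without the ruby-ldap gem; the
  # constant values are the ones OpenLDAP defines for these two options.
  module LDAP
    LDAP_OPT_PROTOCOL_VERSION = 0x11
    LDAP_OPT_REFERRALS        = 0x08
  end
end

# Perform a SASL bind (GSSAPI for Kerberos against Active Directory), then
# pin the two options the report needs: LDAPv3 and no referral chasing.
# The get_option read-back (assumed to return 0 when chasing is off) turns a
# silent reset into an immediate error instead of a failing search later.
def sasl_bind_without_referrals(conn, dn = nil, mech = 'GSSAPI', cred = nil)
  conn.sasl_bind(dn, mech, cred)
  conn.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)
  conn.set_option(LDAP::LDAP_OPT_REFERRALS, 0)
  referrals = conn.get_option(LDAP::LDAP_OPT_REFERRALS)
  unless referrals == 0
    raise "referral chasing still enabled after sasl_bind (#{referrals.inspect})"
  end
  conn
end

# Constructed stand-in for LDAP::Conn that reproduces the behaviour in the
# report: sasl_bind resets LDAP_OPT_REFERRALS to "on", simple_bind keeps it.
class FakeConn
  attr_reader :binds

  def initialize
    @options = { LDAP::LDAP_OPT_REFERRALS => 1 } # library default: chase referrals
    @binds = []
  end

  def set_option(opt, value)
    @options[opt] = value
  end

  def get_option(opt)
    @options[opt]
  end

  def sasl_bind(dn, mech, cred)
    @binds << [:sasl, mech]
    @options[LDAP::LDAP_OPT_REFERRALS] = 1 # the reset this issue is about
  end

  def simple_bind(dn, password)
    @binds << [:simple, dn] # keeps whatever was set before
  end
end

# Shows the difference: a bare sasl_bind loses the setting, the wrapper keeps it.
def demo
  plain = FakeConn.new
  plain.set_option(LDAP::LDAP_OPT_REFERRALS, 0)
  plain.sasl_bind(nil, 'GSSAPI', nil)

  wrapped = sasl_bind_without_referrals(FakeConn.new)

  {
    after_plain_sasl_bind: plain.get_option(LDAP::LDAP_OPT_REFERRALS),
    after_wrapped_sasl_bind: wrapped.get_option(LDAP::LDAP_OPT_REFERRALS)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Against a real `LDAP::Conn` the same wrapper is called in place of the bare `sasl_bind`; with a library layered on top (such as ActiveLdap) that issues its own binds, the read-back check is the part worth keeping, since it reports the reset at bind time rather than as a referral failure on the first query.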