ldap_lookup 0.1.8 → 2.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 775477e51275859dcb210f1b996b14b10b9814bc7443df7a3fa9c63736460298
-  data.tar.gz: f1248f24d49b795c196a16f1b5edcaff1b4ab435127561fce5d24c320bd99630
+  metadata.gz: 393d3bdcafb4cadf5648c6916122ebfb7b0c6fefe79c5d50b6c6c57f6d6997cc
+  data.tar.gz: de8be14be88d2d4e3102971cf62d4a316cdc6a0aaa7e6268aee62659723e5ca2
 SHA512:
-  metadata.gz: ba6cfe2623779bc3e73fde5258bf15bfc83fe0018d04ae8e7f052e95952f216e9a23c30a379bb3e4748453d60160f49c4a95636cda3966f39000714ecf479385
-  data.tar.gz: 84e07889f3a1b37d45c57fc690f62e878246c18b8da37c49a0ad5d65de5691ad2b160869c937af459fc02590297ec07474013fce30658f1a2870f8c0294ffbbb
+  metadata.gz: 7dd298be615e445056d806602b27cb05e01a0783556fe09c32d1c5599ff877a18c286d1d2e845f1f5ec30c4b08745668ec5fd8f2717e4393cc7c45dd7e33254d
+  data.tar.gz: 6bb46112525a64c3c63fd1cb2d356e151ff48154515684040d5c1519464619681942f36a45ba275d0749abcd5b04afd81bc28ddb9a72d9c403eba5dc093d0970

data/.env.example

@@ -0,0 +1,25 @@
+# LDAP Configuration for Testing
+# Copy this file to .env and fill in your actual credentials
+# The .env file is gitignored and will not be committed
+
+# Your UM uniqname (username)
+LDAP_USERNAME=your_uniqname
+
+# Your UM password
+LDAP_PASSWORD=your_password
+
+# Leave LDAP_USERNAME and LDAP_PASSWORD unset for anonymous binds
+
+# Optional: Override default LDAP settings
+# LDAP_HOST=ldap.umich.edu
+# LDAP_PORT=389          # Use 389 for STARTTLS or 636 for LDAPS
+# LDAP_BASE=dc=umich,dc=edu
+# LDAP_ENCRYPTION=start_tls  # Use 'start_tls' for port 389 or 'simple_tls' for port 636 (LDAPS)
+# LDAP_DEPT_ATTRIBUTE=umichPostalAddressData
+# LDAP_GROUP_ATTRIBUTE=umichGroupEmail
+# LDAP_TLS_VERIFY=true   # Set to false to disable cert verification (dev only)
+# LDAP_CA_CERT=/path/to/ca-bundle.pem
+#
+# If STARTTLS (port 389) doesn't work, try LDAPS:
+# LDAP_PORT=636
+# LDAP_ENCRYPTION=simple_tls

data/.gitignore

@@ -7,3 +7,8 @@
 /spec/reports/
 /tmp/
 *.gem
+
+# Environment variables
+.env
+.env.local
+.env.*.local

data/.rspec

@@ -0,0 +1,3 @@
+--require spec_helper
+--format documentation
+--color

data/.rspec_status

@@ -0,0 +1,46 @@
+example_id                            | status | run_time        |
+------------------------------------- | ------ | --------------- |
+./spec/configuration_spec.rb[1:1:1:1] | passed | 0.00021 seconds |
+./spec/configuration_spec.rb[1:1:1:2] | passed | 0.00004 seconds |
+./spec/configuration_spec.rb[1:1:1:3] | passed | 0.00004 seconds |
+./spec/configuration_spec.rb[1:1:2:1] | passed | 0.00149 seconds |
+./spec/configuration_spec.rb[1:1:2:2] | passed | 0.00004 seconds |
+./spec/configuration_spec.rb[1:1:3:1] | passed | 0.00004 seconds |
+./spec/configuration_spec.rb[1:1:3:2] | passed | 0.00005 seconds |
+./spec/configuration_spec.rb[1:2:1]   | passed | 0.00002 seconds |
+./spec/configuration_spec.rb[1:2:2]   | passed | 0.00003 seconds |
+./spec/configuration_spec.rb[1:3:1]   | passed | 0.00003 seconds |
+./spec/configuration_spec.rb[1:3:2]   | passed | 0.00003 seconds |
+./spec/configuration_spec.rb[1:3:3]   | passed | 0.00003 seconds |
+./spec/ldap_lookup_spec.rb[1:1:1:1]   | passed | 0.63596 seconds |
+./spec/ldap_lookup_spec.rb[1:1:2:1]   | passed | 0.61562 seconds |
+./spec/ldap_lookup_spec.rb[1:1:3:1]   | passed | 0.60601 seconds |
+./spec/ldap_lookup_spec.rb[1:2:1:1]   | passed | 0.64499 seconds |
+./spec/ldap_lookup_spec.rb[1:2:2:1]   | passed | 0.6525 seconds  |
+./spec/ldap_lookup_spec.rb[1:3:1:1]   | passed | 0.66369 seconds |
+./spec/ldap_lookup_spec.rb[1:3:2:1]   | passed | 1.29 seconds    |
+./spec/ldap_lookup_spec.rb[1:4:1:1]   | passed | 0.64139 seconds |
+./spec/ldap_lookup_spec.rb[1:4:2:1]   | passed | 0.64128 seconds |
+./spec/ldap_lookup_spec.rb[1:5:1:1]   | passed | 1.69 seconds    |
+./spec/ldap_lookup_spec.rb[1:5:2:1]   | passed | 0.75576 seconds |
+./spec/ldap_lookup_spec.rb[1:5:3:1]   | passed | 0.70272 seconds |
+./spec/ldap_lookup_spec.rb[1:5:4:1]   | passed | 0.74101 seconds |
+./spec/ldap_lookup_spec.rb[1:6:1:1]   | passed | 0.78507 seconds |
+./spec/ldap_lookup_spec.rb[1:6:1:2]   | passed | 0.77477 seconds |
+./spec/ldap_lookup_spec.rb[1:6:1:3]   | passed | 0.74474 seconds |
+./spec/ldap_lookup_spec.rb[1:6:2:1]   | passed | 0.70436 seconds |
+./spec/ldap_lookup_spec.rb[1:7:1:1]   | passed | 13.94 seconds   |
+./spec/ldap_lookup_spec.rb[1:7:1:2]   | passed | 21.97 seconds   |
+./spec/ldap_lookup_spec.rb[1:7:1:3]   | passed | 27.87 seconds   |
+./spec/ldap_lookup_spec.rb[1:7:2:1]   | passed | 7.88 seconds    |
+./spec/ldap_lookup_spec.rb[1:8:1:1]   | passed | 0.0026 seconds  |
+./spec/ldap_lookup_spec.rb[1:8:1:2]   | passed | 0.00012 seconds |
+./spec/ldap_lookup_spec.rb[1:8:1:3]   | passed | 0.00009 seconds |
+./spec/ldap_lookup_spec.rb[1:8:2:1]   | passed | 0.0001 seconds  |
+./spec/ldap_lookup_spec.rb[1:8:3:1]   | passed | 0.0001 seconds  |
+./spec/ldap_lookup_spec.rb[1:9:1:1]   | passed | 0.0001 seconds  |
+./spec/ldap_lookup_spec.rb[1:9:2:1]   | passed | 0.00009 seconds |
+./spec/ldap_lookup_spec.rb[1:10:1:1]  | passed | 0.525 seconds   |
+./spec/ldap_lookup_spec.rb[1:10:2:1]  | passed | 0.46772 seconds |
+./spec/ldap_lookup_spec.rb[1:11:1:1]  | failed | 0.54755 seconds |
+./spec/ldap_lookup_spec.rb[1:11:2:1]  | passed | 0.47023 seconds |

data/Gemfile.lock

@@ -1,14 +1,15 @@
 PATH
   remote: .
   specs:
-    ldap_lookup (0.1.7)
-      net-ldap (~> 0.17.0)
+    ldap_lookup (0.1.8)
+      net-ldap (~> 0.18.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
     diff-lcs (1.3)
-    net-ldap (0.17.1)
+    dotenv (2.8.1)
+    net-ldap (0.18.0)
     rake (13.0.1)
     rspec (3.7.0)
       rspec-core (~> 3.7.0)
@@ -29,6 +30,7 @@ PLATFORMS
 
 DEPENDENCIES
   bundler (~> 2.2.26)
+  dotenv (~> 2.8)
   ldap_lookup!
   rake (~> 13.0)
   rspec (~> 3.7.0)

data/README.md

@@ -1,7 +1,7 @@
 # LdapLookup for Ruby [![Gem Version](https://badge.fury.io/rb/ldap_lookup.svg)](https://badge.fury.io/rb/ldap_lookup)
 
 ### Description
-This module is to be used for anonymous lookup of user attributes in the MCommunity service provide at the University of Michigan. It can be easily modifed to use other LDAP server configurations.
+This module is to be used for authenticated or anonymous lookup of user attributes in the MCommunity service provided at the University of Michigan. It supports authenticated LDAP binds with encryption as per UM IT Security requirements (effective Jan 20, 2026). It can be easily modified to use other LDAP server configurations.
 
 ---
 
@@ -9,23 +9,47 @@ This module is to be used for anonymous lookup of user attributes in the MCommun
 
 Requirements:
 * Ruby at least 2.0.0
-* Gem 'net-ldap' ~> '0.17.0'
+* Gem 'net-ldap' ~> '0.18.0'
 > *The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has a Missing SSL Certificate Validation.*
 
 To try the module out:
 1. Clone the repo
-2. Edit the configurations by opening ldaptest.rb and set the *CONFIGURATION BLOCK* to your environment.
+2. Copy the env template and set credentials: `cp .env.example .env`
+3. Load the env vars into your shell (example):
+   ```bash
+   set -a
+   source .env
+   set +a
+   ```
+4. Edit the configurations by opening ldaptest.rb and set the *CONFIGURATION BLOCK* to your environment (it reads from the `.env` values you just loaded).
 <pre>
 LdapLookup.configuration do |config|
-      config.host = <em>< your host ></em> # "ldap.umich.edu"
-      config.port = <em>< your port ></em> # "986" the default is set to "389" so this optional
-      config.base = <em>< your LDAP base ></em> # "dc=umich,dc=edu"
-      config.dept_attribute = <em>< your dept attribute ></em> # "umichPostalAddressData"
-      config.group_attribute = <em>< your group email attribute ></em> # "umichGroupEmail"
+      config.host = ENV['LDAP_HOST'] || "ldap.umich.edu"
+      config.port = ENV['LDAP_PORT'] || "389"
+      config.base = ENV['LDAP_BASE'] || "dc=umich,dc=edu"
+      # Leave username/password unset for anonymous binds
+      config.username = ENV['LDAP_USERNAME']
+      config.password = ENV['LDAP_PASSWORD']
+      # Read encryption from ENV, default to start_tls
+      encryption_str = ENV['LDAP_ENCRYPTION'] || 'start_tls'
+      config.encryption = encryption_str.to_sym
+      config.dept_attribute = ENV['LDAP_DEPT_ATTRIBUTE'] || "umichPostalAddressData"
+      config.group_attribute = ENV['LDAP_GROUP_ATTRIBUTE'] || "umichGroupEmail"
+      # Enable LDAP debug logging in this test runner
+      debug_str = ENV['LDAP_DEBUG']
+      config.debug = debug_str ? debug_str.to_s.downcase == 'true' : true
 end
 </pre>
 
-3. run the ldaptest.rb script
+**Important:** As of January 20, 2026, UM LDAP requires:
+- **Authenticated binds only** - Anonymous (unauthenticated) binds are not supported by UM LDAP
+- Username and password are required for UM LDAP connections
+- Encrypted connections (STARTTLS or LDAPS) are mandatory
+- The gem uses LDAP "simple bind" authentication (authenticated with username/password)
+
+The gem can also perform **anonymous binds** for LDAP servers that allow them. To use anonymous binds, leave `LDAP_USERNAME` and `LDAP_PASSWORD` unset.
+
+5. run the ldaptest.rb script
 ```ruby
 ruby ./ldaptest.rb
 ```
@@ -34,30 +58,129 @@ ruby ./ldaptest.rb
 
 ### Installation
 
+#### Step 1: Add to Gemfile
+
 Add this line to your application's Gemfile:
 
 ```ruby
 gem 'ldap_lookup'
 ```
 
-And then execute:
+Then run:
 
-    $ bundle
+```bash
+bundle install
+```
 
-Or install it yourself as:
+#### Step 2: Get LDAP Credentials
 
-    $ gem install ldap_lookup
+**For Production Applications (Recommended):**
+Request a **service account** from your IT department. Service accounts are designed for automated applications and don't require password changes.
+
+**For Development/Testing:**
+You can use your personal UM uniqname and password temporarily, but switch to a service account for production.
+
+#### Step 3: Configure the Gem
+
+**For Rails Applications:**
+
+Create `config/initializers/ldap_lookup.rb`:
+
+```ruby
+LdapLookup.configuration do |config|
+  # Server Configuration (defaults work for UM LDAP)
+  config.host = ENV.fetch('LDAP_HOST', 'ldap.umich.edu')
+  config.port = ENV.fetch('LDAP_PORT', '389')
+  config.base = ENV.fetch('LDAP_BASE', 'dc=umich,dc=edu')
+
+  # Authentication (optional for anonymous binds)
+  # Leave unset to use anonymous binds (if your LDAP server allows it)
+  config.username = ENV['LDAP_USERNAME']
+  config.password = ENV['LDAP_PASSWORD']
+
+  # If using a service account with custom bind DN, uncomment and set:
+  # config.bind_dn = 'cn=service-account,ou=Service Accounts,dc=umich,dc=edu'
+
+  # Encryption - REQUIRED (defaults to STARTTLS)
+  config.encryption = ENV.fetch('LDAP_ENCRYPTION', 'start_tls').to_sym
+  # Use :simple_tls for LDAPS on port 636
+  # TLS verification (defaults to true). Set LDAP_TLS_VERIFY=false only for local testing.
+  # Optional custom CA bundle: set LDAP_CA_CERT=/path/to/ca-bundle.pem
+
+  # Optional: Attribute Configuration
+  config.dept_attribute = ENV.fetch('LDAP_DEPT_ATTRIBUTE', 'umichPostalAddressData')
+  config.group_attribute = ENV.fetch('LDAP_GROUP_ATTRIBUTE', 'umichGroupEmail')
+end
+```
+
+**For Non-Rails Applications:**
+
+Configure in your application startup:
+
+```ruby
+require 'ldap_lookup'
 
-In your application create a file config/initializers/ldap_lookup.rb
-<pre>
 LdapLookup.configuration do |config|
-    config.host = <em>< your host ></em> # "ldap.umich.edu"
-    config.port = <em>< your port ></em> # "954" port 389 is set by default
-    config.base = <em>< your LDAP base ></em> # "dc=umich,dc=edu"
-    config.dept_attribute = <em>< your dept attribute ></em> # "umichPostalAddressData"
-    config.group_attribute = <em>< your group email attribute ></em> # "umichGroupEmail"
+  config.host = 'ldap.umich.edu'
+  config.base = 'dc=umich,dc=edu'
+  config.username = ENV['LDAP_USERNAME']
+  config.password = ENV['LDAP_PASSWORD']
+  config.encryption = :start_tls
 end
-</pre>
+```
+
+#### Step 4: Set Environment Variables
+
+**Never hardcode credentials in your code!** Use environment variables (Hatchbox, Heroku, etc.).
+
+**Development with `.env.example` (recommended):**
+1. Copy the template: `cp .env.example .env`
+2. Update the values in `.env` for your environment.
+3. Load the variables into your shell (example):
+   ```bash
+   set -a
+   source .env
+   set +a
+   ```
+
+**Typical `.env` values:**
+```bash
+LDAP_USERNAME=your_service_account_uniqname
+LDAP_PASSWORD=your_service_account_password
+```
+
+**Optional settings (override defaults as needed):**
+```bash
+LDAP_HOST=ldap.umich.edu
+LDAP_PORT=389
+LDAP_BASE=dc=umich,dc=edu
+LDAP_ENCRYPTION=start_tls
+LDAP_TLS_VERIFY=true
+LDAP_CA_CERT=/path/to/ca-bundle.pem
+LDAP_DEPT_ATTRIBUTE=umichPostalAddressData
+LDAP_GROUP_ATTRIBUTE=umichGroupEmail
+```
+
+**Alternative: export in your shell**
+```bash
+export LDAP_USERNAME=your_service_account_uniqname
+export LDAP_PASSWORD=your_service_account_password
+```
+
+**For Production:**
+- Use your platform's secrets management (Rails credentials, AWS Secrets Manager, etc.)
+- Never commit credentials to version control
+- Use service accounts, not personal accounts
+
+#### Service Account Bind DN
+
+If your service account uses a non-standard bind DN format, you can specify it:
+
+```ruby
+config.bind_dn = 'cn=my-service-account,ou=Service Accounts,dc=umich,dc=edu'
+```
+
+If `bind_dn` is not set, it defaults to: `uid=username,ou=People,base`
 
 ---
 
@@ -66,30 +189,63 @@ end
 __uid_exist?:__ returns true if uid is in LDAP
 ```
 LdapLookup.uid_exist?(uniqname)
+response: true or false (boolean)
 ```
 __get_simple_name:__ returns the Display Name
 ```
 LdapLookup.get_simple_name(uniqname = nil)
+response: name or "No #{attribute} found for #{uniqname}"
 ```
 __get_dept:__ returns the users Department_name
 ```
 LdapLookup.get_dept(uniqname = nil)
+response: dept name or "No #{nested_attribute} found for #{uniqname}"
 ```
 __get_email:__ returns the users email address
 ```
 LdapLookup.get_email(uniqname = nil)
+response: email or "No #{attribute} found for #{uniqname}"
 ```
 __is_member_of_group?:__ returns true/false if uniqname is a member of the specified group
 ```
 LdapLookup.is_member_of_group?(uid = nil, group_name = nil)
+response: true or false (boolean)
 ```
 __get_email_distribution_list:__ Returns the list of emails that are associated to a group.
 ```
 LdapLookup.get_email_distribution_list(group_name = nil)
+response: result_hash
 ```
 __all_groups_for_user:__ Returns the list of groups that a user is a member of.
 ```
 LdapLookup.all_groups_for_user(uniqname = nil)
+response: result_array
+```
+
+### Running Tests
+
+**Security Note:** Never put passwords in command line arguments. They are visible in process lists and shell history.
+
+**Recommended: Use a .env file (most secure)**
+1. Copy the example file: `cp .env.example .env`
+2. Edit `.env` with your credentials:
+   ```
+   LDAP_USERNAME=your_uniqname
+   LDAP_PASSWORD=your_password
+   ```
+3. Run tests: `bundle exec rspec`
+
+**Alternative: Export environment variables**
+```bash
+export LDAP_USERNAME=your_uniqname
+export LDAP_PASSWORD=your_password
+bundle exec rspec
+```
+
+**Never do this (insecure):**
+```bash
+# ❌ DON'T: Password visible in process list
+LDAP_PASSWORD=xxx bundle exec rspec
 ```
 
 ### Contributing

data/SETUP.md

@@ -0,0 +1,117 @@
+# Quick Setup Guide for Gem Users
+
+This guide will help you quickly set up `ldap_lookup` in your Rails application.
+
+## Prerequisites
+
+1. **Get LDAP Credentials**
+   - For production: Request a service account from your IT department
+   - For development: You can temporarily use your personal uniqname/password
+
+## Installation Steps
+
+### 1. Add to Gemfile
+
+```ruby
+gem 'ldap_lookup'
+```
+
+Run `bundle install`
+
+### 2. Create Initializer
+
+Copy the example initializer:
+
+```bash
+# If you have the gem source
+cp config/initializers/ldap_lookup.rb.example config/initializers/ldap_lookup.rb
+
+# Or create it manually
+touch config/initializers/ldap_lookup.rb
+```
+
+### 3. Configure Credentials
+
+Edit `config/initializers/ldap_lookup.rb`:
+
+```ruby
+LdapLookup.configuration do |config|
+  config.host = ENV.fetch('LDAP_HOST', 'ldap.umich.edu')
+  config.base = ENV.fetch('LDAP_BASE', 'dc=umich,dc=edu')
+  # Leave unset to use anonymous binds (if your LDAP server allows it)
+  config.username = ENV['LDAP_USERNAME']
+  config.password = ENV['LDAP_PASSWORD']
+  config.encryption = :start_tls
+end
+```
+
+### 4. Set Environment Variables
+
+**Development (.env file):**
+```bash
+LDAP_USERNAME=your_service_account
+LDAP_PASSWORD=your_password
+```
+
+**Production:**
+Use your platform's secrets management:
+- Rails: `config/credentials.yml.enc`
+- Heroku: `heroku config:set LDAP_USERNAME=xxx`
+- AWS: Secrets Manager
+- etc.
+
+### 5. Service Account Bind DN (if needed)
+
+If your service account uses a custom bind DN format, add:
+
+```ruby
+config.bind_dn = 'cn=service-account,ou=Service Accounts,dc=umich,dc=edu'
+```
+
+Your IT department will provide this if it's different from the default format.
+
+## Usage
+
+```ruby
+# Check if a user exists
+LdapLookup.uid_exist?('uniqname')
+
+# Get user's name
+LdapLookup.get_simple_name('uniqname')
+
+# Get user's email
+LdapLookup.get_email('uniqname')
+
+# Get user's department
+LdapLookup.get_dept('uniqname')
+
+# Check group membership
+LdapLookup.is_member_of_group?('uniqname', 'group-name')
+
+# Get all groups for a user
+LdapLookup.all_groups_for_user('uniqname')
+```
+
+## Troubleshooting
+
+**Anonymous bind fails**
+- Your LDAP server may require authenticated binds
+- Set `LDAP_USERNAME` and `LDAP_PASSWORD` (service account recommended)
+- Verify credentials are correct
+
+**Error: Connection timeout or SSL errors**
+- Verify `config.host` is correct
+- Try `config.encryption = :simple_tls` with `config.port = '636'` for LDAPS
+- Check firewall rules allow outbound LDAP connections
+
+**Service account not working**
+- Verify the bind DN format with your IT department
+- Set `config.bind_dn` if your service account uses a non-standard format
+
+## Security Reminders
+
+- ✅ Use environment variables for credentials
+- ✅ Use service accounts in production
+- ✅ Never commit credentials to version control
+- ❌ Don't hardcode passwords in code
+- ❌ Don't use personal accounts in production

data/config/initializers/ldap_lookup.rb.example

@@ -0,0 +1,32 @@
+# LDAP Lookup Configuration
+# Copy this file to config/initializers/ldap_lookup.rb and configure with your credentials
+#
+# IMPORTANT: Never commit credentials to version control!
+# Use environment variables or a secrets management system.
+
+LdapLookup.configuration do |config|
+  # LDAP Server Configuration
+  config.host = ENV.fetch('LDAP_HOST', 'ldap.umich.edu')
+  config.port = ENV.fetch('LDAP_PORT', '389')
+  config.base = ENV.fetch('LDAP_BASE', 'dc=umich,dc=edu')
+  
+  # Authentication (optional for anonymous binds)
+  # Option 1: Use a service account (recommended for production)
+  # Request a service account from your IT department
+  # Leave unset to use anonymous binds (if your LDAP server allows it)
+  config.username = ENV['LDAP_USERNAME']
+  config.password = ENV['LDAP_PASSWORD']
+  
+  # Option 2: If your service account uses a custom bind DN format, specify it:
+  # config.bind_dn = 'cn=service-account,ou=Service Accounts,dc=umich,dc=edu'
+  # (If bind_dn is not set, it defaults to: uid=username,ou=People,base)
+  
+  # Encryption - REQUIRED (as of Jan 20, 2026)
+  # Use :start_tls for port 389 or :simple_tls for LDAPS on port 636
+  encryption_method = ENV.fetch('LDAP_ENCRYPTION', 'start_tls').to_sym
+  config.encryption = encryption_method
+  
+  # Optional: Attribute Configuration
+  config.dept_attribute = ENV.fetch('LDAP_DEPT_ATTRIBUTE', 'umichPostalAddressData')
+  config.group_attribute = ENV.fetch('LDAP_GROUP_ATTRIBUTE', 'umichGroupEmail')
+end

data/ldap_lookup.gemspec

@@ -9,8 +9,8 @@ Gem::Specification.new do |spec|
   spec.authors       = ["Rick Smoke"]
   spec.email         = ["rsmoke@umich.edu"]
 
-  spec.summary       = %q{For anonymous lookup of user LDAP attributes.}
-  spec.description   = %q{This module is to be used for anonymous lookup of attributes in the MCommunity service provide at the University of Michigan. It can be easily modifed to use other LDAP server configurations.}
+  spec.summary       = %q{Authenticated LDAP lookup for MCommunity user attributes at University of Michigan.}
+  spec.description   = %q{This gem provides authenticated LDAP lookups for user attributes in the MCommunity service at the University of Michigan. It supports encrypted connections (STARTTLS/LDAPS) and service accounts as required by UM IT Security (effective Jan 20, 2026). Can be easily modified for other LDAP server configurations.}
   spec.homepage      = "https://github.com/rsmoke/ldap_lookup.git"
   spec.license       = "MIT"
 
@@ -24,5 +24,6 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "bundler", "~> 2.2.26"
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "rspec", "~> 3.7.0"
+  spec.add_development_dependency "dotenv", "~> 2.8"
   spec.add_dependency 'net-ldap', '~> 0.18.0'
 end

data/ldaptest.rb

@@ -1,5 +1,12 @@
 #!/usr/bin/env ruby
 
+# Load .env file if it exists (for local development)
+begin
+  require 'dotenv/load'
+rescue LoadError
+  # dotenv not available, will use environment variables or fallbacks
+end
+
 require_relative "lib/ldap_lookup"
 
 class Ldaptest
@@ -7,10 +14,20 @@ class Ldaptest
 
   ############## CONFIGURATION BLOCK ###################
   LdapLookup.configuration do |config|
-    config.host = "ldap.umich.edu"
-    config.base = "dc=umich,dc=edu"
-    config.dept_attribute = "umichPostalAddressData"
-    config.group_attribute = "umichGroupEmail"
+    config.host = ENV['LDAP_HOST'] || "ldap.umich.edu"
+    config.port = ENV['LDAP_PORT'] || "389"
+    config.base = ENV['LDAP_BASE'] || "dc=umich,dc=edu"
+    # Leave username/password unset for anonymous binds
+    config.username = ENV['LDAP_USERNAME']
+    config.password = ENV['LDAP_PASSWORD']
+    # Read encryption from ENV, default to start_tls
+    encryption_str = ENV['LDAP_ENCRYPTION'] || 'start_tls'
+    config.encryption = encryption_str.to_sym
+    config.dept_attribute = ENV['LDAP_DEPT_ATTRIBUTE'] || "umichPostalAddressData"
+    config.group_attribute = ENV['LDAP_GROUP_ATTRIBUTE'] || "umichGroupEmail"
+    # Enable LDAP debug logging in this test runner
+    debug_str = ENV['LDAP_DEBUG']
+    config.debug = debug_str ? debug_str.to_s.downcase == 'true' : true
   end
   #######################################################
 
@@ -32,7 +49,7 @@ class Ldaptest
   end
 
   def result_box(answer)
-    print "\e[2J\e[f"
+    # print "\e[2J\e[f"
     2.times { puts " " }
     puts "Your Results"
     puts "======================================================"
@@ -65,6 +82,7 @@ class Ldaptest
     puts "7: check if uid is member of a group"
     puts "+++++++++++++++++++++++++"
     puts "8: what time is it?"
+    puts "99: test LDAP connection (diagnostic)"
     puts "0: exit"
     puts ""
     print "Enter a number: "
@@ -80,6 +98,7 @@ class Ldaptest
     when 6 then result_box(LdapLookup.get_email_distribution_list(@group_uid))
     when 7 then result_box(LdapLookup.is_member_of_group?(@uid, @group_uid))
     when 8 then result_box(timestamp)
+    when 99 then result_box(LdapLookup.test_connection.inspect)
     when 0 then puts "you chose exit!"
 throw(:done)
     else

data/lib/ldap_lookup/version.rb

@@ -1,3 +1,3 @@
 module LdapLookup
-  VERSION = "0.1.8"
+  VERSION = "2.0.1"
 end

data/lib/ldap_lookup.rb

@@ -1,5 +1,6 @@
 require_relative 'helpers/configuration'
 require 'net/ldap'
+require 'openssl'
 
 module LdapLookup
   extend Configuration
@@ -9,114 +10,442 @@ module LdapLookup
   define_setting :base
   define_setting :dept_attribute
   define_setting :group_attribute
+  define_setting :username
+  define_setting :password
+  define_setting :bind_dn  # Optional: custom bind DN (for service accounts). If not set, uses uid=username,ou=People,base
+  define_setting :encryption, :start_tls  # :start_tls or :simple_tls (LDAPS)
+  define_setting :debug, false
+
+  def self.debug_log(message)
+    return unless debug
+
+    puts "[LDAP DEBUG] #{message}"
+  end
+
+  def self.perform_search(ldap, base: nil, filter:, attributes: nil, label: nil, options: {})
+    search_base = base || ldap.base
+    filter_str = filter.respond_to?(:to_s) ? filter.to_s : filter.inspect
+    attrs_list = attributes ? Array(attributes).map(&:to_s) : ['*']
+    label_prefix = label ? "#{label} " : ""
+
+    debug_log("#{label_prefix}search base=#{search_base} filter=#{filter_str} attrs=#{attrs_list.join(',')}")
+
+    params = { base: search_base, filter: filter }
+    params[:attributes] = attributes if attributes
+    params.merge!(options) if options && !options.empty?
+
+    results = ldap.search(params) || []
+    entry_count = results ? results.size : 0
+    returned_attrs = []
+    if results && !results.empty?
+      returned_attrs = results.first.attribute_names.map(&:to_s).sort
+    end
+
+    debug_log("#{label_prefix}search results count=#{entry_count} returned_attrs=#{returned_attrs.join(',')}")
+
+    results
+  end
+
+  def self.operation_details(response)
+    details = {
+      code: response.code,
+      message: response.message
+    }
+
+    if response.respond_to?(:error_message) && response.error_message && !response.error_message.empty?
+      details[:error_message] = response.error_message
+    end
+
+    if response.respond_to?(:matched_dn) && response.matched_dn && !response.matched_dn.empty?
+      details[:matched_dn] = response.matched_dn
+    end
+
+    if response.respond_to?(:referrals) && response.referrals && !response.referrals.empty?
+      details[:referrals] = response.referrals
+    end
+
+    details
+  end
 
   def self.get_ldap_response(ldap)
     response = ldap.get_operation_result
-    raise "Response Code: #{response.code}, Message: #{response.message}" unless response.code.zero?
+    unless response.code.zero?
+      error_msg = "Response Code: #{response.code}, Message: #{response.message}"
+      if response.respond_to?(:error_message) && response.error_message && !response.error_message.empty?
+        error_msg += ", Diagnostic: #{response.error_message}"
+      end
+      if response.respond_to?(:matched_dn) && response.matched_dn && !response.matched_dn.empty?
+        error_msg += ", Matched DN: #{response.matched_dn}"
+      end
+      # Provide more helpful error messages for common codes
+      case response.code
+      when 19
+        error_msg += " (Constraint Violation - may require administrative access)"
+      when 49
+        error_msg += " (Invalid Credentials - check username/password)"
+      when 50
+        error_msg += " (Insufficient Access Rights)"
+      when 81
+        error_msg += " (Server Unavailable)"
+      end
+      raise error_msg
+    end
   end
 
-  def self.ldap_connection
-    Net::LDAP.new(
+  # Diagnostic method to test LDAP connection and bind
+  def self.test_connection
+    username_present = username && !username.to_s.strip.empty?
+    password_present = password && !password.to_s.strip.empty?
+    auth_dn = if bind_dn
+      bind_dn
+    elsif username_present
+      "uid=#{username},ou=People,#{base}"
+    end
+
+    search_base = username_present ? "ou=People,#{base}" : base
+    search_filter = username_present ? "(uid=#{username})" : "(objectClass=*)"
+
+    result = {
+      bind_dn: auth_dn,
+      username: username,
       host: host,
       port: port,
+      encryption: encryption,
       base: base,
-      auth: { method: :anonymous }
-    )
+      auth_mode: (username_present && password_present) ? 'authenticated' : 'anonymous'
+    }
+
+    begin
+      ldap = ldap_connection
+
+      bind_response = nil
+      bind_exception = nil
+
+      # Try an explicit bind for diagnostics only (can return Code 19 even if searches work)
+      begin
+        bind_success = ldap.bind
+        bind_response = ldap.get_operation_result
+      rescue => e
+        bind_success = false
+        bind_exception = { class: e.class.name, message: e.message }
+      end
+
+      # Net::LDAP binds automatically when performing operations (search, etc.)
+      # Explicit bind may fail with Code 19 on STARTTLS, but actual operations work fine
+      # Test by performing an actual search operation instead of explicit bind
+      
+      # Try a simple search - this will trigger automatic bind
+      search_result = perform_search(
+        ldap,
+        base: search_base,
+        filter: search_filter,
+        attributes: ['uid', 'mail', 'displayName', 'cn', 'givenName', 'sn'],
+        label: "diagnostic",
+        options: { size: 1 }
+      )
+      search_response = ldap.get_operation_result
+      returned_attributes = []
+      if search_result && !search_result.empty?
+        entry = search_result.first
+        returned_attributes = entry.attribute_names.map(&:to_s).sort
+      end
+
+      if search_response.code.zero? || (search_response.code == 4 && (search_result && !search_result.empty?))
+        # Success! Bind worked (automatically during search)
+        result.merge!(
+          success: true,
+          bind_successful: true,
+          bind_attempted: true,
+          bind_result: bind_success,
+          bind_details: bind_response ? operation_details(bind_response) : nil,
+          bind_exception: bind_exception,
+          bind_code: 0,
+          bind_message: "Bind successful (via automatic bind during search)",
+          search_code: search_response.code,
+          search_message: search_response.message,
+          search_details: operation_details(search_response),
+          search_base: search_base,
+          search_filter: search_filter,
+          search_entry_count: search_result ? search_result.size : 0,
+          search_returned_attributes: returned_attributes,
+          note: "Explicit bind may show Code 19, but operations work correctly"
+        )
+      else
+        # Search failed - check if it's a bind issue or search issue
+        result.merge!(
+          success: false,
+          bind_successful: false,
+          bind_attempted: true,
+          bind_result: bind_success,
+          bind_details: bind_response ? operation_details(bind_response) : nil,
+          bind_exception: bind_exception,
+          search_code: search_response.code,
+          search_message: search_response.message,
+          search_details: operation_details(search_response),
+          search_base: search_base,
+          search_filter: search_filter,
+          search_entry_count: search_result ? search_result.size : 0,
+          search_returned_attributes: returned_attributes,
+          error: "Search failed: Code #{search_response.code}, #{search_response.message}"
+        )
+
+        case search_response.code
+        when 19
+          result[:suggestion] = "Constraint Violation. Your account may not be enabled for LDAP access or may need administrative access for this operation."
+        when 49
+          result[:suggestion] = "Invalid Credentials. Check your username and password."
+        when 50
+          result[:suggestion] = "Insufficient Access Rights. Your account may need LDAP access enabled."
+        when 4
+          result[:suggestion] = "Size Limit Exceeded. Try a more specific search base or ensure filters are indexed."
+        end
+      end
+
+    rescue OpenSSL::SSL::SSLError => e
+      # Certificate or SSL/TLS connection error
+      result.merge!(
+        success: false,
+        error: "SSL/TLS Error: #{e.message}",
+        exception: e.class.name,
+        suggestion: "Certificate verification failed. Most systems trust InCommon certificates. If needed, download USERTrust RSA Certification Authority root certificate from ITS: SSL Server Certificates"
+      )
+    rescue => e
+      result.merge!(
+        success: false,
+        error: e.message,
+        exception: e.class.name
+      )
+    end
+
+    result
+  end
+
+  def self.ldap_connection
+    connection_params = {
+      host: host,
+      port: port.to_i,
+      base: base
+    }
+
+    # Configure encryption - REQUIRED for authenticated binds per UM documentation
+    # UM requires secure connection: TLS on port 389 (STARTTLS) or SSL on port 636 (LDAPS)
+    # Most operating systems already trust InCommon certificates per UM documentation
+    tls_verify = ENV.fetch('LDAP_TLS_VERIFY', 'true').to_s.downcase != 'false'
+    tls_options = {
+      verify_mode: tls_verify ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
+    }
+    ca_cert_path = ENV['LDAP_CA_CERT']
+    tls_options[:ca_file] = ca_cert_path if ca_cert_path && !ca_cert_path.to_s.strip.empty?
+
+    if encryption == :start_tls
+      connection_params[:encryption] = {
+        method: :start_tls,
+        tls_options: tls_options
+      }
+    elsif encryption == :simple_tls
+      connection_params[:encryption] = {
+        method: :simple_tls,
+        tls_options: tls_options
+      }
+    end
+
+    # Configure authenticated bind (if username/password provided)
+    # Note: "simple" bind method = authenticated bind with username/password (not anonymous)
+    auth_username = username.to_s.strip
+    auth_password = password.to_s
+    if !auth_username.empty? && !auth_password.empty?
+      # Use custom bind_dn if provided (for service accounts), otherwise build standard DN
+      auth_bind_dn = bind_dn || "uid=#{auth_username},ou=People,#{base}"
+      connection_params[:auth] = {
+        method: :simple,  # Simple bind = authenticated bind with username/password
+        username: auth_bind_dn,
+        password: auth_password
+      }
+    end
+
+    ldap = Net::LDAP.new(connection_params)
+
+    # For STARTTLS, ensure TLS is started before returning connection
+    # Net::LDAP should handle this automatically, but let's be explicit
+    if encryption == :start_tls
+      begin
+        # The bind will trigger STARTTLS automatically, but we can verify connection works
+        # by attempting a bind (which will fail if TLS isn't established)
+      rescue => e
+        raise "Failed to establish TLS connection: #{e.message}"
+      end
+    end
+
+    ldap
   end
 
-  def self.get_user_attribute(uniqname, attribute)
+  def self.get_user_attribute(uniqname, attribute, default_value = nil)
     ldap = ldap_connection
     search_param = uniqname
     result_attrs = [attribute]
+    found_value = nil
 
     search_filter = Net::LDAP::Filter.eq('uid', search_param)
 
-    ldap.search(filter: search_filter, attributes: result_attrs) do |item|
+    perform_search(
+      ldap,
+      filter: search_filter,
+      attributes: result_attrs,
+      label: "get_user_attribute",
+      options: { size: 1 }
+    ).each do |item|
       value = item[attribute]&.first
-      return value unless value.nil?
+      if value
+        found_value = value
+        break
+      end
     end
 
-    "No #{attribute} found for #{uniqname}"
-  ensure
-    get_ldap_response(ldap)
+    # Check response - Code 19 may occur even when data is found
+    response = ldap.get_operation_result
+    if (response.code == 19 || response.code == 4) && found_value.nil?
+      # Constraint violation and no data found - may need admin access
+      return default_value
+    elsif response.code != 0 && found_value.nil?
+      # Other error and no data found
+      raise "Response Code: #{response.code}, Message: #{response.message}"
+    end
+
+    # Return found value or default
+    found_value || default_value
   end
 
   def self.get_nested_attribute(uniqname, nested_attribute)
     ldap = ldap_connection
     search_param = uniqname
     # Specify the full nested attribute path using dot notation
-    result_attrs = [nested_attribute.split('.').first]
-  
+    attr_name = nested_attribute.split('.').first
+    # Try using the configured attribute name if available, otherwise use the provided name
+    search_attr = dept_attribute || attr_name
+    result_attrs = [search_attr]
+    found_value = nil
+
     search_filter = Net::LDAP::Filter.eq('uid', search_param)
-  
-    ldap.search(filter: search_filter, attributes: result_attrs) do |item|
-      # Split the string into key-value pairs
-      if string1 = item[nested_attribute.split('.').first]&.first
+
+    perform_search(
+      ldap,
+      filter: search_filter,
+      attributes: result_attrs,
+      label: "get_nested_attribute",
+      options: { size: 1 }
+    ).each do |item|
+      # Net::LDAP::Entry provides case-insensitive access, try the search attribute first
+      string1 = item[search_attr]&.first || item[attr_name]&.first
+      if string1
         key_value_pairs = string1.split('}:{')
-        # Find the key-value pair for addr1
-        target_pair = key_value_pairs.find { |pair| pair.include?("#{nested_attribute.split('.').last}=") } 
+        # Find the key-value pair for the nested attribute
+        target_pair = key_value_pairs.find { |pair| pair.include?("#{nested_attribute.split('.').last}=") }
         # Extract the target value
-        target_pair_value = target_pair.split('=').last
-        return target_pair_value unless target_pair_value.nil?
+        if target_pair
+          target_pair_value = target_pair.split('=').last
+          if target_pair_value
+            found_value = target_pair_value
+            break
+          end
+        end
       end
     end
-    "No #{nested_attribute} found for #{uniqname}"
 
-  ensure
-    get_ldap_response(ldap)
+    # Check response - Code 19 may occur even when data is found
+    response = ldap.get_operation_result
+    if (response.code == 19 || response.code == 4) && found_value.nil?
+      # Constraint violation and no data found - may need admin access
+      return nil
+    elsif response.code != 0 && found_value.nil?
+      # Other error and no data found
+      raise "Response Code: #{response.code}, Message: #{response.message}"
+    end
+
+    found_value
   end
 
   # method to check if a uid exist in LDAP
   def self.uid_exist?(uniqname)
     ldap = ldap_connection
     search_param = uniqname
+    found = false
 
     search_filter = Net::LDAP::Filter.eq('uid', search_param)
 
-    ldap.search(filter: search_filter) do |item|
-      return true if item['uid'].first == search_param
+    perform_search(ldap, filter: search_filter, label: "uid_exist", options: { size: 1 }).each do |item|
+      if item['uid'].first == search_param
+        found = true
+        break
+      end
+    end
+
+    # Check response - Code 19 may occur even when user is found
+    response = ldap.get_operation_result
+    if (response.code == 19 || response.code == 4) && !found
+      # Constraint violation and user not found - may need admin access
+      return false
+    elsif response.code != 0 && !found
+      # Other error and user not found
+      raise "Response Code: #{response.code}, Message: #{response.message}"
     end
 
-    false
-  ensure
-    get_ldap_response(ldap)
+    found
   end
 
   def self.get_simple_name(uniqname)
-    get_user_attribute(uniqname, 'displayname')
+    get_user_attribute(uniqname, 'displayname', 'not available')
   end
 
   def self.get_email(uniqname)
-    get_user_attribute(uniqname, 'mail')
+    get_user_attribute(uniqname, 'mail', nil)
   end
 
   def self.get_dept(uniqname)
-    get_nested_attribute(uniqname, 'umichpostaladdressdata.addr1')
+    dept = get_nested_attribute(uniqname, 'umichpostaladdressdata.addr1')
+    return dept if dept
+
+    # Fallback to raw attribute if nested parsing fails or attribute is restricted
+    raw_attr = dept_attribute || 'umichPostalAddressData'
+    get_user_attribute(uniqname, raw_attr, nil)
   end
 
   def self.is_member_of_group?(uid, group_name)
     ldap = ldap_connection
     search_param = group_name
     result_attrs = ['member']
+    found = false
 
     search_filter = Net::LDAP::Filter.join(
       Net::LDAP::Filter.eq('cn', search_param),
       Net::LDAP::Filter.eq('objectClass', 'group')
     )
 
-    ldap.search(filter: search_filter, attributes: result_attrs) do |item|
+    perform_search(ldap, filter: search_filter, attributes: result_attrs, label: "is_member_of_group").each do |item|
       members = item['member']
-      return true if members&.any? { |entry| entry.split(',').first.split('=')[1] == uid }
+      if members && members.any? { |entry| entry.split(',').first.split('=')[1] == uid }
+        found = true
+        break
+      end
     end
 
-    false
-  ensure
-    get_ldap_response(ldap)
+    # Check response - Code 19 may occur for group operations (requires admin access)
+    response = ldap.get_operation_result
+    if response.code == 19
+      # Constraint violation - group operations may require admin access
+      # Return false if not found, true if found (even with Code 19)
+      return found
+    elsif response.code != 0 && !found
+      # Other error and not found
+      raise "Response Code: #{response.code}, Message: #{response.message}"
+    end
+
+    found
   end
 
   def self.get_email_distribution_list(group_name)
     ldap = ldap_connection
     result_hash = {}
+    found_data = false
 
     search_param = group_name
     result_attrs = %w[cn umichGroupEmail member]
@@ -126,16 +455,25 @@ module LdapLookup
       Net::LDAP::Filter.eq('objectClass', 'group')
     )
 
-    ldap.search(filter: search_filter, attributes: result_attrs) do |item|
+    perform_search(ldap, filter: search_filter, attributes: result_attrs, label: "get_email_distribution_list").each do |item|
+      found_data = true
       result_hash['group_name'] = item['cn']&.first
       result_hash['group_email'] = item['umichGroupEmail']&.first
       members = item['member']&.map { |individual| individual.split(',').first.split('=')[1] }
       result_hash['members'] = members&.sort || []
     end
 
+    # Check response - Code 19 may occur for group operations (requires admin access)
+    response = ldap.get_operation_result
+    if response.code == 19 && !found_data
+      # Constraint violation and no data found - group operations may require admin access
+      return {}
+    elsif response.code != 0 && !found_data
+      # Other error and no data found
+      raise "Response Code: #{response.code}, Message: #{response.message}"
+    end
+
     result_hash
-  ensure
-    get_ldap_response(ldap)
   end
 
   def self.all_groups_for_user(uid)
@@ -144,12 +482,22 @@ module LdapLookup
 
     result_attrs = ['dn']
 
-    ldap.search(filter: "member=uid=#{uid},ou=People,dc=umich,dc=edu", attributes: result_attrs) do |item|
+    # Use configured base instead of hardcoded dc=umich,dc=edu
+    member_dn = "uid=#{uid},ou=People,#{base}"
+    perform_search(ldap, filter: "member=#{member_dn}", attributes: result_attrs, label: "all_groups_for_user").each do |item|
       item.each { |key, value| result_array << value.first.split('=')[1].split(',')[0] }
     end
 
+    # Check response - may raise Constraint Violation for regular users
+    response = ldap.get_operation_result
+    if response.code == 19  # Constraint Violation
+      # Regular authenticated users may not have permission to search groups by member
+      # Return empty array instead of raising error
+      return []
+    elsif response.code != 0
+      raise "Response Code: #{response.code}, Message: #{response.message}"
+    end
+
     result_array.sort
-  ensure
-    get_ldap_response(ldap)
   end
-end
+end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: ldap_lookup
 version: !ruby/object:Gem::Version
-  version: 0.1.8
+  version: 2.0.1
 platform: ruby
 authors:
 - Rick Smoke
-autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-09-12 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -52,6 +51,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 3.7.0
+- !ruby/object:Gem::Dependency
+  name: dotenv
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.8'
 - !ruby/object:Gem::Dependency
   name: net-ldap
   requirement: !ruby/object:Gem::Requirement
@@ -66,25 +79,31 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.18.0
-description: This module is to be used for anonymous lookup of attributes in the MCommunity
-  service provide at the University of Michigan. It can be easily modifed to use other
-  LDAP server configurations.
+description: This gem provides authenticated LDAP lookups for user attributes in the
+  MCommunity service at the University of Michigan. It supports encrypted connections
+  (STARTTLS/LDAPS) and service accounts as required by UM IT Security (effective Jan
+  20, 2026). Can be easily modified for other LDAP server configurations.
 email:
 - rsmoke@umich.edu
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".env.example"
 - ".github/dependabot.yml"
 - ".gitignore"
+- ".rspec"
+- ".rspec_status"
 - CODE_OF_CONDUCT.md
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
 - README.md
 - Rakefile
+- SETUP.md
 - bin/console
 - bin/setup
+- config/initializers/ldap_lookup.rb.example
 - ldap_lookup.gemspec
 - ldaptest.rb
 - lib/helpers/configuration.rb
@@ -94,7 +113,6 @@ homepage: https://github.com/rsmoke/ldap_lookup.git
 licenses:
 - MIT
 metadata: {}
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -109,8 +127,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.16
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
-summary: For anonymous lookup of user LDAP attributes.
+summary: Authenticated LDAP lookup for MCommunity user attributes at University of
+  Michigan.
 test_files: []