ldap_lookup 2.0.1 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 393d3bdcafb4cadf5648c6916122ebfb7b0c6fefe79c5d50b6c6c57f6d6997cc
-  data.tar.gz: de8be14be88d2d4e3102971cf62d4a316cdc6a0aaa7e6268aee62659723e5ca2
+  metadata.gz: 8975eb645723483f8856a1a6d8db9cbc5a161c18a5508c81489999e86d8a2ccc
+  data.tar.gz: 0ac5979c0acde4809c80f5e3e38a16c22bdc20c07d631b5068f56c0521f90b63
 SHA512:
-  metadata.gz: 7dd298be615e445056d806602b27cb05e01a0783556fe09c32d1c5599ff877a18c286d1d2e845f1f5ec30c4b08745668ec5fd8f2717e4393cc7c45dd7e33254d
-  data.tar.gz: 6bb46112525a64c3c63fd1cb2d356e151ff48154515684040d5c1519464619681942f36a45ba275d0749abcd5b04afd81bc28ddb9a72d9c403eba5dc093d0970
+  metadata.gz: 95be63f67dab3e14af8aaa565caac8377415b9123e7cd575098b449ec485345c9913b7f0f2c5c1bc3a4548307c9aa34116e939149e900dfa8ab93061938a14c7
+  data.tar.gz: 6e0f98715d5f88726a5d5d3984d90de5af12846687edd62a84bacc2094c75384fadef71de26060b932f8303b42cc0897ef5f8a62d2ec2c20a2f96b16cf317e55

data/.env.example

@@ -2,13 +2,17 @@
 # Copy this file to .env and fill in your actual credentials
 # The .env file is gitignored and will not be committed
 
-# Your UM uniqname (username)
-LDAP_USERNAME=your_uniqname
+# Service account bind DN (recommended for UM LDAP)
+# Example: cn=LSA-TS-McDirApp004,ou=Applications,o=services
+LDAP_BIND_DN=your_service_account_bind_dn
 
-# Your UM password
+# Service account password (required with LDAP_BIND_DN)
 LDAP_PASSWORD=your_password
 
-# Leave LDAP_USERNAME and LDAP_PASSWORD unset for anonymous binds
+# If you are using a personal uniqname (non-service account), set:
+# LDAP_USERNAME=your_uniqname
+
+# UM LDAP does not allow anonymous binds. Leave these unset only if your LDAP server allows them.
 
 # Optional: Override default LDAP settings
 # LDAP_HOST=ldap.umich.edu
@@ -17,7 +21,15 @@ LDAP_PASSWORD=your_password
 # LDAP_ENCRYPTION=start_tls  # Use 'start_tls' for port 389 or 'simple_tls' for port 636 (LDAPS)
 # LDAP_DEPT_ATTRIBUTE=umichPostalAddressData
 # LDAP_GROUP_ATTRIBUTE=umichGroupEmail
-# LDAP_TLS_VERIFY=true   # Set to false to disable cert verification (dev only)
+# LDAP_DIAGNOSTIC_UID=your_uniqname
+# LDAP_TEST_UID=your_uniqname
+# LDAP_TEST_DISPLAY_NAME=Your Name
+# LDAP_TEST_EMAIL=your_uniqname@umich.edu
+# LDAP_TEST_DEPT=Your Department Name
+# LDAP_TEST_GROUP=example-group-name
+# LDAP_USER_BASE=ou=people,dc=umich,dc=edu
+# LDAP_GROUP_BASE=ou=user groups,ou=groups,dc=umich,dc=edu
+# LDAP_TLS_VERIFY=true   # Set to false to disable cert verification (local testing only)
 # LDAP_CA_CERT=/path/to/ca-bundle.pem
 #
 # If STARTTLS (port 389) doesn't work, try LDAPS:

data/.gitignore

@@ -5,6 +5,7 @@
 /doc/
 /pkg/
 /spec/reports/
+/.rspec_status
 /tmp/
 *.gem
 

data/.rspec_status

@@ -1,46 +1,46 @@
 example_id                            | status | run_time        |
 ------------------------------------- | ------ | --------------- |
-./spec/configuration_spec.rb[1:1:1:1] | passed | 0.00021 seconds |
-./spec/configuration_spec.rb[1:1:1:2] | passed | 0.00004 seconds |
+./spec/configuration_spec.rb[1:1:1:1] | passed | 0.00029 seconds |
+./spec/configuration_spec.rb[1:1:1:2] | passed | 0.00005 seconds |
 ./spec/configuration_spec.rb[1:1:1:3] | passed | 0.00004 seconds |
-./spec/configuration_spec.rb[1:1:2:1] | passed | 0.00149 seconds |
-./spec/configuration_spec.rb[1:1:2:2] | passed | 0.00004 seconds |
-./spec/configuration_spec.rb[1:1:3:1] | passed | 0.00004 seconds |
-./spec/configuration_spec.rb[1:1:3:2] | passed | 0.00005 seconds |
-./spec/configuration_spec.rb[1:2:1]   | passed | 0.00002 seconds |
+./spec/configuration_spec.rb[1:1:2:1] | passed | 0.00049 seconds |
+./spec/configuration_spec.rb[1:1:2:2] | passed | 0.00005 seconds |
+./spec/configuration_spec.rb[1:1:3:1] | passed | 0.00005 seconds |
+./spec/configuration_spec.rb[1:1:3:2] | passed | 0.00004 seconds |
+./spec/configuration_spec.rb[1:2:1]   | passed | 0.00003 seconds |
 ./spec/configuration_spec.rb[1:2:2]   | passed | 0.00003 seconds |
 ./spec/configuration_spec.rb[1:3:1]   | passed | 0.00003 seconds |
-./spec/configuration_spec.rb[1:3:2]   | passed | 0.00003 seconds |
-./spec/configuration_spec.rb[1:3:3]   | passed | 0.00003 seconds |
-./spec/ldap_lookup_spec.rb[1:1:1:1]   | passed | 0.63596 seconds |
-./spec/ldap_lookup_spec.rb[1:1:2:1]   | passed | 0.61562 seconds |
-./spec/ldap_lookup_spec.rb[1:1:3:1]   | passed | 0.60601 seconds |
-./spec/ldap_lookup_spec.rb[1:2:1:1]   | passed | 0.64499 seconds |
-./spec/ldap_lookup_spec.rb[1:2:2:1]   | passed | 0.6525 seconds  |
-./spec/ldap_lookup_spec.rb[1:3:1:1]   | passed | 0.66369 seconds |
-./spec/ldap_lookup_spec.rb[1:3:2:1]   | passed | 1.29 seconds    |
-./spec/ldap_lookup_spec.rb[1:4:1:1]   | passed | 0.64139 seconds |
-./spec/ldap_lookup_spec.rb[1:4:2:1]   | passed | 0.64128 seconds |
-./spec/ldap_lookup_spec.rb[1:5:1:1]   | passed | 1.69 seconds    |
-./spec/ldap_lookup_spec.rb[1:5:2:1]   | passed | 0.75576 seconds |
-./spec/ldap_lookup_spec.rb[1:5:3:1]   | passed | 0.70272 seconds |
-./spec/ldap_lookup_spec.rb[1:5:4:1]   | passed | 0.74101 seconds |
-./spec/ldap_lookup_spec.rb[1:6:1:1]   | passed | 0.78507 seconds |
-./spec/ldap_lookup_spec.rb[1:6:1:2]   | passed | 0.77477 seconds |
-./spec/ldap_lookup_spec.rb[1:6:1:3]   | passed | 0.74474 seconds |
-./spec/ldap_lookup_spec.rb[1:6:2:1]   | passed | 0.70436 seconds |
-./spec/ldap_lookup_spec.rb[1:7:1:1]   | passed | 13.94 seconds   |
-./spec/ldap_lookup_spec.rb[1:7:1:2]   | passed | 21.97 seconds   |
-./spec/ldap_lookup_spec.rb[1:7:1:3]   | passed | 27.87 seconds   |
-./spec/ldap_lookup_spec.rb[1:7:2:1]   | passed | 7.88 seconds    |
-./spec/ldap_lookup_spec.rb[1:8:1:1]   | passed | 0.0026 seconds  |
-./spec/ldap_lookup_spec.rb[1:8:1:2]   | passed | 0.00012 seconds |
-./spec/ldap_lookup_spec.rb[1:8:1:3]   | passed | 0.00009 seconds |
-./spec/ldap_lookup_spec.rb[1:8:2:1]   | passed | 0.0001 seconds  |
-./spec/ldap_lookup_spec.rb[1:8:3:1]   | passed | 0.0001 seconds  |
-./spec/ldap_lookup_spec.rb[1:9:1:1]   | passed | 0.0001 seconds  |
-./spec/ldap_lookup_spec.rb[1:9:2:1]   | passed | 0.00009 seconds |
-./spec/ldap_lookup_spec.rb[1:10:1:1]  | passed | 0.525 seconds   |
-./spec/ldap_lookup_spec.rb[1:10:2:1]  | passed | 0.46772 seconds |
-./spec/ldap_lookup_spec.rb[1:11:1:1]  | failed | 0.54755 seconds |
-./spec/ldap_lookup_spec.rb[1:11:2:1]  | passed | 0.47023 seconds |
+./spec/configuration_spec.rb[1:3:2]   | passed | 0.00005 seconds |
+./spec/configuration_spec.rb[1:3:3]   | passed | 0.00004 seconds |
+./spec/ldap_lookup_spec.rb[1:1:1:1]   | passed | 1.75 seconds    |
+./spec/ldap_lookup_spec.rb[1:1:2:1]   | passed | 0.51135 seconds |
+./spec/ldap_lookup_spec.rb[1:1:3:1]   | passed | 0.0003 seconds  |
+./spec/ldap_lookup_spec.rb[1:2:1:1]   | passed | 0.47541 seconds |
+./spec/ldap_lookup_spec.rb[1:2:2:1]   | passed | 0.4878 seconds  |
+./spec/ldap_lookup_spec.rb[1:3:1:1]   | passed | 0.52654 seconds |
+./spec/ldap_lookup_spec.rb[1:3:2:1]   | passed | 0.96146 seconds |
+./spec/ldap_lookup_spec.rb[1:4:1:1]   | passed | 0.51242 seconds |
+./spec/ldap_lookup_spec.rb[1:4:2:1]   | passed | 0.49175 seconds |
+./spec/ldap_lookup_spec.rb[1:5:1:1]   | passed | 0.47786 seconds |
+./spec/ldap_lookup_spec.rb[1:5:2:1]   | passed | 0.52746 seconds |
+./spec/ldap_lookup_spec.rb[1:5:3:1]   | passed | 0.50551 seconds |
+./spec/ldap_lookup_spec.rb[1:5:4:1]   | passed | 0.51433 seconds |
+./spec/ldap_lookup_spec.rb[1:6:1:1]   | passed | 0.54583 seconds |
+./spec/ldap_lookup_spec.rb[1:6:1:2]   | passed | 0.4901 seconds  |
+./spec/ldap_lookup_spec.rb[1:6:1:3]   | passed | 0.46969 seconds |
+./spec/ldap_lookup_spec.rb[1:6:2:1]   | passed | 0.49174 seconds |
+./spec/ldap_lookup_spec.rb[1:7:1:1]   | passed | 9.39 seconds    |
+./spec/ldap_lookup_spec.rb[1:7:1:2]   | passed | 8.56 seconds    |
+./spec/ldap_lookup_spec.rb[1:7:1:3]   | passed | 9.43 seconds    |
+./spec/ldap_lookup_spec.rb[1:7:2:1]   | passed | 4.31 seconds    |
+./spec/ldap_lookup_spec.rb[1:8:1:1]   | passed | 0.00299 seconds |
+./spec/ldap_lookup_spec.rb[1:8:1:2]   | passed | 0.00019 seconds |
+./spec/ldap_lookup_spec.rb[1:8:1:3]   | passed | 0.00118 seconds |
+./spec/ldap_lookup_spec.rb[1:8:2:1]   | passed | 0.00015 seconds |
+./spec/ldap_lookup_spec.rb[1:8:3:1]   | passed | 0.00016 seconds |
+./spec/ldap_lookup_spec.rb[1:9:1:1]   | passed | 0.00008 seconds |
+./spec/ldap_lookup_spec.rb[1:9:2:1]   | passed | 0.00007 seconds |
+./spec/ldap_lookup_spec.rb[1:10:1:1]  | passed | 0.4988 seconds  |
+./spec/ldap_lookup_spec.rb[1:10:2:1]  | passed | 0.50763 seconds |
+./spec/ldap_lookup_spec.rb[1:11:1:1]  | passed | 0.55333 seconds |
+./spec/ldap_lookup_spec.rb[1:11:2:1]  | passed | 0.55887 seconds |

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    ldap_lookup (0.1.8)
+    ldap_lookup (2.0.1)
       net-ldap (~> 0.18.0)
 
 GEM

data/README.md

@@ -1,64 +1,74 @@
 # LdapLookup for Ruby [![Gem Version](https://badge.fury.io/rb/ldap_lookup.svg)](https://badge.fury.io/rb/ldap_lookup)
 
-### Description
-This module is to be used for authenticated or anonymous lookup of user attributes in the MCommunity service provided at the University of Michigan. It supports authenticated LDAP binds with encryption as per UM IT Security requirements (effective Jan 20, 2026). It can be easily modified to use other LDAP server configurations.
+## Overview
 
----
+LdapLookup provides authenticated or anonymous lookups of user attributes in the University of Michigan MCommunity LDAP service. It supports encrypted binds per UM IT Security (effective Jan 28, 2026) and can be adapted for other LDAP servers.
 
-### Try it out
+### UM LDAP Requirements (as of Jan 28, 2026)
+
+* **Authenticated binds only** - UM LDAP does not allow anonymous binds.
+* Username and password are required for UM LDAP.
+* Encrypted connections (STARTTLS or LDAPS) are mandatory.
+* The gem uses LDAP "simple bind" authentication (authenticated with username/password).
+
+The gem can also perform **anonymous binds** for LDAP servers that allow them. To use anonymous binds, leave `LDAP_USERNAME` and `LDAP_PASSWORD` unset.
+
+## Quick Start (Local Test Runner)
+
+### Requirements
 
-Requirements:
 * Ruby at least 2.0.0
-* Gem 'net-ldap' ~> '0.18.0'
-> *The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has a Missing SSL Certificate Validation.*
+* Gem `net-ldap` ~> `0.18.0`
+
+> The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has a missing SSL certificate validation.
+
+1. Clone the repo.
+2. Copy the env template: `cp .env.example .env`.
+3. Load the env vars into your shell:
 
-To try the module out:
-1. Clone the repo
-2. Copy the env template and set credentials: `cp .env.example .env`
-3. Load the env vars into your shell (example):
    ```bash
    set -a
    source .env
    set +a
    ```
-4. Edit the configurations by opening ldaptest.rb and set the *CONFIGURATION BLOCK* to your environment (it reads from the `.env` values you just loaded).
-<pre>
-LdapLookup.configuration do |config|
-      config.host = ENV['LDAP_HOST'] || "ldap.umich.edu"
-      config.port = ENV['LDAP_PORT'] || "389"
-      config.base = ENV['LDAP_BASE'] || "dc=umich,dc=edu"
-      # Leave username/password unset for anonymous binds
-      config.username = ENV['LDAP_USERNAME']
-      config.password = ENV['LDAP_PASSWORD']
-      # Read encryption from ENV, default to start_tls
-      encryption_str = ENV['LDAP_ENCRYPTION'] || 'start_tls'
-      config.encryption = encryption_str.to_sym
-      config.dept_attribute = ENV['LDAP_DEPT_ATTRIBUTE'] || "umichPostalAddressData"
-      config.group_attribute = ENV['LDAP_GROUP_ATTRIBUTE'] || "umichGroupEmail"
-      # Enable LDAP debug logging in this test runner
-      debug_str = ENV['LDAP_DEBUG']
-      config.debug = debug_str ? debug_str.to_s.downcase == 'true' : true
-end
-</pre>
 
-**Important:** As of January 20, 2026, UM LDAP requires:
-- **Authenticated binds only** - Anonymous (unauthenticated) binds are not supported by UM LDAP
-- Username and password are required for UM LDAP connections
-- Encrypted connections (STARTTLS or LDAPS) are mandatory
-- The gem uses LDAP "simple bind" authentication (authenticated with username/password)
-
-The gem can also perform **anonymous binds** for LDAP servers that allow them. To use anonymous binds, leave `LDAP_USERNAME` and `LDAP_PASSWORD` unset.
+4. Edit the configuration in `ldaptest.rb` (reads from `.env`):
+
+   ```ruby
+   LdapLookup.configuration do |config|
+     config.host = ENV['LDAP_HOST'] || "ldap.umich.edu"
+     config.port = ENV['LDAP_PORT'] || "389"
+     config.base = ENV['LDAP_BASE'] || "dc=umich,dc=edu"
+     # Leave username/password unset for anonymous binds
+     config.username = ENV['LDAP_USERNAME']
+     config.password = ENV['LDAP_PASSWORD']
+     # Service account bind DN (preferred for UM LDAP)
+     config.bind_dn = ENV['LDAP_BIND_DN']
+     # Read encryption from ENV, default to start_tls
+     encryption_str = ENV['LDAP_ENCRYPTION'] || 'start_tls'
+     config.encryption = encryption_str.to_sym
+     config.dept_attribute = ENV['LDAP_DEPT_ATTRIBUTE'] || "umichPostalAddressData"
+     config.group_attribute = ENV['LDAP_GROUP_ATTRIBUTE'] || "umichGroupEmail"
+     # Optional diagnostic UID (used by LdapLookup.test_connection)
+     config.diagnostic_uid = ENV['LDAP_DIAGNOSTIC_UID'] if ENV['LDAP_DIAGNOSTIC_UID']
+     # Optional search bases for UM LDAP
+     config.user_base = ENV['LDAP_USER_BASE'] if ENV['LDAP_USER_BASE']
+     config.group_base = ENV['LDAP_GROUP_BASE'] if ENV['LDAP_GROUP_BASE']
+     # Enable LDAP debug logging in this test runner
+     debug_str = ENV['LDAP_DEBUG']
+     config.debug = debug_str ? debug_str.to_s.downcase == 'true' : false
+   end
+   ```
 
-5. run the ldaptest.rb script
-```ruby
-ruby ./ldaptest.rb
-```
+5. Run the test script:
 
----
+   ```bash
+   ruby ./ldaptest.rb
+   ```
 
-### Installation
+## Installation
 
-#### Step 1: Add to Gemfile
+### Step 1: Add to Gemfile
 
 Add this line to your application's Gemfile:
 
@@ -72,15 +82,17 @@ Then run:
 bundle install
 ```
 
-#### Step 2: Get LDAP Credentials
+### Step 2: Get LDAP Credentials
 
 **For Production Applications (Recommended):**
-Request a **service account** from your IT department. Service accounts are designed for automated applications and don't require password changes.
+
+Request a **service account** from your IT department. Service accounts are designed for automated applications and do not require password changes.
 
 **For Development/Testing:**
+
 You can use your personal UM uniqname and password temporarily, but switch to a service account for production.
 
-#### Step 3: Configure the Gem
+### Step 3: Configure the Gem
 
 **For Rails Applications:**
 
@@ -99,7 +111,8 @@ LdapLookup.configuration do |config|
   config.password = ENV['LDAP_PASSWORD']
 
   # If using a service account with custom bind DN, uncomment and set:
-  # config.bind_dn = 'cn=service-account,ou=Service Accounts,dc=umich,dc=edu'
+  # config.bind_dn = ENV['LDAP_BIND_DN']
+  # Note: LDAP_BIND_DN replaces LDAP_USERNAME (LDAP_USERNAME can be unset), not LDAP_PASSWORD.
 
   # Encryption - REQUIRED (defaults to STARTTLS)
   config.encryption = ENV.fetch('LDAP_ENCRYPTION', 'start_tls').to_sym
@@ -110,6 +123,13 @@ LdapLookup.configuration do |config|
   # Optional: Attribute Configuration
   config.dept_attribute = ENV.fetch('LDAP_DEPT_ATTRIBUTE', 'umichPostalAddressData')
   config.group_attribute = ENV.fetch('LDAP_GROUP_ATTRIBUTE', 'umichGroupEmail')
+
+  # Optional: Logger for debug output (responds to debug/info or call)
+  # config.logger = Rails.logger
+
+  # Optional: Separate search bases for users and groups (UM service accounts)
+  # config.user_base = ENV.fetch('LDAP_USER_BASE', 'ou=people,dc=umich,dc=edu')
+  # config.group_base = ENV.fetch('LDAP_GROUP_BASE', 'ou=user groups,ou=groups,dc=umich,dc=edu')
 end
 ```
 
@@ -119,6 +139,7 @@ Configure in your application startup:
 
 ```ruby
 require 'ldap_lookup'
+require 'logger'
 
 LdapLookup.configuration do |config|
   config.host = 'ldap.umich.edu'
@@ -126,17 +147,31 @@ LdapLookup.configuration do |config|
   config.username = ENV['LDAP_USERNAME']
   config.password = ENV['LDAP_PASSWORD']
   config.encryption = :start_tls
+  # Optional: Logger for debug output
+  # config.logger = Logger.new($stdout)
 end
 ```
 
-#### Step 4: Set Environment Variables
+### Logger and Debug Output
+
+* Debug logging is controlled by `config.debug` (default is false).
+* If `config.logger` is set, it is used in this order:
+  * `logger.debug(message)` if available.
+  * `logger.info(message)` if `debug` is not available.
+  * `logger.call(message)` if neither `debug` nor `info` are available.
+* If no logger is configured, debug output goes to STDOUT.
+* Security note: debug output can include identifiers (uids, group names, search filters). Avoid sharing logs publicly.
 
-**Never hardcode credentials in your code!** Use environment variables (Hatchbox, Heroku, etc.).
+## Environment Variables
+
+**Never hardcode credentials in your code.** Use environment variables (Hatchbox, Heroku, etc.).
+
+### Development with `.env.example` (Recommended)
 
-**Development with `.env.example` (recommended):**
 1. Copy the template: `cp .env.example .env`
 2. Update the values in `.env` for your environment.
 3. Load the variables into your shell (example):
+
    ```bash
    set -a
    source .env
@@ -144,118 +179,175 @@ end
    ```
 
 **Typical `.env` values:**
+
 ```bash
 LDAP_USERNAME=your_service_account_uniqname
 LDAP_PASSWORD=your_service_account_password
+LDAP_BIND_DN=cn=service-account,ou=Applications,o=services
 ```
 
-**Optional settings (override defaults as needed):**
+### Production (Hatchbox)
+
+Hatchbox uses environment variables per app or per deployment. Configure these in
+**Hatchbox > App > Environment Variables** (or your deployment pipeline), then redeploy or restart.
+
+**Minimum required for authenticated UM LDAP:**
+
 ```bash
+LDAP_USERNAME=service_account_uniqname
+LDAP_PASSWORD=service_account_password
+LDAP_ENCRYPTION=start_tls
 LDAP_HOST=ldap.umich.edu
 LDAP_PORT=389
 LDAP_BASE=dc=umich,dc=edu
-LDAP_ENCRYPTION=start_tls
+```
+
+**Recommended for service accounts with a custom bind DN:**
+
+```bash
+LDAP_BIND_DN=cn=service-account,ou=Applications,o=services
+```
+
+**Optional tuning:**
+
+```bash
 LDAP_TLS_VERIFY=true
 LDAP_CA_CERT=/path/to/ca-bundle.pem
+LDAP_USER_BASE=ou=people,dc=umich,dc=edu
+LDAP_GROUP_BASE=ou=user groups,ou=groups,dc=umich,dc=edu
 LDAP_DEPT_ATTRIBUTE=umichPostalAddressData
 LDAP_GROUP_ATTRIBUTE=umichGroupEmail
+LDAP_DIAGNOSTIC_UID=your_uniqname
 ```
 
-**Alternative: export in your shell**
+### Alternative: Export in Your Shell
+
 ```bash
 export LDAP_USERNAME=your_service_account_uniqname
 export LDAP_PASSWORD=your_service_account_password
 ```
 
-**For Production:**
-- Use your platform's secrets management (Rails credentials, AWS Secrets Manager, etc.)
-- Never commit credentials to version control
-- Use service accounts, not personal accounts
-
-#### Service Account Bind DN
+### Service Account Bind DN
 
 If your service account uses a non-standard bind DN format, you can specify it:
 
 ```ruby
-config.bind_dn = 'cn=my-service-account,ou=Service Accounts,dc=umich,dc=edu'
+config.bind_dn = 'cn=my-service-account,ou=Applications,o=services'
 ```
 
-If `bind_dn` is not set, it defaults to: `uid=username,ou=People,base`
+If `bind_dn` is not set, it defaults to: `uid=username,ou=People,base`.
 
----
+## Methods Available
 
-### Methods available
+**uid_exist?** returns true if uid is in LDAP.
 
-__uid_exist?:__ returns true if uid is in LDAP
-```
+```ruby
 LdapLookup.uid_exist?(uniqname)
 response: true or false (boolean)
 ```
-__get_simple_name:__ returns the Display Name
-```
+
+**get_simple_name** returns the display name or `"not available"`.
+
+```ruby
 LdapLookup.get_simple_name(uniqname = nil)
-response: name or "No #{attribute} found for #{uniqname}"
-```
-__get_dept:__ returns the users Department_name
+response: name or "not available"
 ```
+
+**get_dept** returns the user's department name or `nil`.
+
+```ruby
 LdapLookup.get_dept(uniqname = nil)
-response: dept name or "No #{nested_attribute} found for #{uniqname}"
-```
-__get_email:__ returns the users email address
+response: dept name or nil
 ```
+
+**get_email** returns the user's email address or `nil`.
+
+```ruby
 LdapLookup.get_email(uniqname = nil)
-response: email or "No #{attribute} found for #{uniqname}"
-```
-__is_member_of_group?:__ returns true/false if uniqname is a member of the specified group
+response: email or nil
 ```
+
+**is_member_of_group?** returns true/false if uniqname is a member of the specified group.
+
+```ruby
 LdapLookup.is_member_of_group?(uid = nil, group_name = nil)
 response: true or false (boolean)
 ```
-__get_email_distribution_list:__ Returns the list of emails that are associated to a group.
-```
+
+**get_email_distribution_list** returns a hash with group data or an empty hash.
+
+```ruby
 LdapLookup.get_email_distribution_list(group_name = nil)
 response: result_hash
 ```
-__all_groups_for_user:__ Returns the list of groups that a user is a member of.
-```
+
+**all_groups_for_user** returns the list of groups that a user is a member of.
+
+```ruby
 LdapLookup.all_groups_for_user(uniqname = nil)
 response: result_array
 ```
 
-### Running Tests
+## Troubleshooting
+
+### Auth failures
+
+* UM LDAP requires authenticated binds. Ensure `LDAP_USERNAME` and `LDAP_PASSWORD` are set.
+* For service accounts, set `LDAP_BIND_DN` to the DN provided by your IT team.
+* Confirm the account is enabled for LDAP and the password is current.
+
+### TLS/SSL errors
+
+* Use `LDAP_ENCRYPTION=start_tls` with port `389`, or `simple_tls` with port `636`.
+* If certificate validation fails, set `LDAP_CA_CERT` to a CA bundle path.
+* Avoid `LDAP_TLS_VERIFY=false` outside local testing.
+
+### Bind DN tips
+
+* Default bind DN is `uid=username,ou=People,base`.
+* Service accounts often require a custom DN; set `LDAP_BIND_DN` accordingly.
+
+## Running Tests
 
 **Security Note:** Never put passwords in command line arguments. They are visible in process lists and shell history.
 
-**Recommended: Use a .env file (most secure)**
+**Test Vars Note:** `LDAP_TEST_*` and `LDAP_DIAGNOSTIC_UID` are optional and only used by the test suite/diagnostics.
+
+### Recommended: Use a .env file (most secure)
+
 1. Copy the example file: `cp .env.example .env`
 2. Edit `.env` with your credentials:
-   ```
+
+   ```bash
    LDAP_USERNAME=your_uniqname
    LDAP_PASSWORD=your_password
    ```
+
 3. Run tests: `bundle exec rspec`
 
-**Alternative: Export environment variables**
+### Alternative: Export environment variables
+
 ```bash
 export LDAP_USERNAME=your_uniqname
 export LDAP_PASSWORD=your_password
 bundle exec rspec
 ```
 
-**Never do this (insecure):**
+### Never do this (insecure)
+
 ```bash
-# ❌ DON'T: Password visible in process list
+# DON'T: Password visible in process list
 LDAP_PASSWORD=xxx bundle exec rspec
 ```
 
-### Contributing
+## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/rsmoke/ldap_lookup. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
+Bug reports and pull requests are welcome on GitHub at [rsmoke/ldap_lookup](https://github.com/rsmoke/ldap_lookup). This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](https://www.contributor-covenant.org) code of conduct.
 
-### License
+## License
 
 The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
 
-### Code of Conduct
+## Code of Conduct
 
-Everyone interacting in the LdapLookup project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/ldap_lookup/blob/master/CODE_OF_CONDUCT.md).
+Everyone interacting in the LdapLookup project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/rsmoke/ldap_lookup/blob/master/CODE_OF_CONDUCT.md).

data/SETUP.md

@@ -1,14 +1,18 @@
 # Quick Setup Guide for Gem Users
 
-This guide will help you quickly set up `ldap_lookup` in your Rails application.
+This guide helps you set up `ldap_lookup` in a Rails app.
 
-## Prerequisites
+## Overview
 
-1. **Get LDAP Credentials**
-   - For production: Request a service account from your IT department
-   - For development: You can temporarily use your personal uniqname/password
+LdapLookup provides authenticated or anonymous lookups of user attributes in the University of Michigan MCommunity LDAP service. It supports encrypted binds per UM IT Security (effective Jan 28, 2026) and can be adapted for other LDAP servers.
 
-## Installation Steps
+### UM LDAP Requirements (as of Jan 28, 2026)
+
+- **Authenticated binds only** - UM LDAP does not allow anonymous binds.
+- Username and password are required for UM LDAP.
+- Encrypted connections (STARTTLS or LDAPS) are mandatory.
+
+## Installation
 
 ### 1. Add to Gemfile
 
@@ -16,12 +20,10 @@ This guide will help you quickly set up `ldap_lookup` in your Rails application.
 gem 'ldap_lookup'
 ```
 
-Run `bundle install`
+Run `bundle install`.
 
 ### 2. Create Initializer
 
-Copy the example initializer:
-
 ```bash
 # If you have the gem source
 cp config/initializers/ldap_lookup.rb.example config/initializers/ldap_lookup.rb
@@ -30,45 +32,92 @@ cp config/initializers/ldap_lookup.rb.example config/initializers/ldap_lookup.rb
 touch config/initializers/ldap_lookup.rb
 ```
 
-### 3. Configure Credentials
+### 3. Configure the Gem
 
 Edit `config/initializers/ldap_lookup.rb`:
 
 ```ruby
 LdapLookup.configuration do |config|
+  # Server Configuration (defaults work for UM LDAP)
   config.host = ENV.fetch('LDAP_HOST', 'ldap.umich.edu')
+  config.port = ENV.fetch('LDAP_PORT', '389')
   config.base = ENV.fetch('LDAP_BASE', 'dc=umich,dc=edu')
+
+  # Authentication (optional for anonymous binds)
   # Leave unset to use anonymous binds (if your LDAP server allows it)
   config.username = ENV['LDAP_USERNAME']
   config.password = ENV['LDAP_PASSWORD']
-  config.encryption = :start_tls
+
+  # If using a service account with custom bind DN, uncomment and set:
+  # config.bind_dn = ENV['LDAP_BIND_DN']
+  # Note: LDAP_BIND_DN replaces LDAP_USERNAME (LDAP_USERNAME can be unset), not LDAP_PASSWORD.
+
+  # Encryption - REQUIRED (defaults to STARTTLS)
+  config.encryption = ENV.fetch('LDAP_ENCRYPTION', 'start_tls').to_sym
+  # Use :simple_tls for LDAPS on port 636
+  # TLS verification (defaults to true). Set LDAP_TLS_VERIFY=false only for local testing.
+  # Optional custom CA bundle: set LDAP_CA_CERT=/path/to/ca-bundle.pem
+
+  # Optional: Logger for debug output (responds to debug/info or call)
+  # config.logger = Rails.logger
 end
 ```
 
-### 4. Set Environment Variables
+### Logger and Debug Output
+
+- Debug logging is controlled by `config.debug` (default is false).
+- If `config.logger` is set, it is used in this order:
+  - `logger.debug(message)` if available.
+  - `logger.info(message)` if `debug` is not available.
+  - `logger.call(message)` if neither `debug` nor `info` are available.
+- If no logger is configured, debug output goes to STDOUT.
+- Security note: debug output can include identifiers (uids, group names, search filters). Avoid sharing logs publicly.
+
+## Environment Variables
+
+### Development (.env File)
 
-**Development (.env file):**
 ```bash
 LDAP_USERNAME=your_service_account
 LDAP_PASSWORD=your_password
+LDAP_BIND_DN=cn=service-account,ou=Applications,o=services
+LDAP_DIAGNOSTIC_UID=your_uniqname
+```
+
+### Production (Hatchbox)
+
+Configure these in **Hatchbox > App > Environment Variables**, then redeploy or restart.
+
+**Minimum required for authenticated UM LDAP:**
+
+```bash
+LDAP_USERNAME=service_account_uniqname
+LDAP_PASSWORD=service_account_password
+LDAP_ENCRYPTION=start_tls
+LDAP_HOST=ldap.umich.edu
+LDAP_PORT=389
+LDAP_BASE=dc=umich,dc=edu
 ```
 
-**Production:**
-Use your platform's secrets management:
-- Rails: `config/credentials.yml.enc`
-- Heroku: `heroku config:set LDAP_USERNAME=xxx`
-- AWS: Secrets Manager
-- etc.
+**Recommended for service accounts with a custom bind DN:**
+
+```bash
+LDAP_BIND_DN=cn=service-account,ou=Applications,o=services
+```
 
-### 5. Service Account Bind DN (if needed)
+### Service Account Bind DN (if needed)
 
 If your service account uses a custom bind DN format, add:
 
 ```ruby
-config.bind_dn = 'cn=service-account,ou=Service Accounts,dc=umich,dc=edu'
+config.bind_dn = 'cn=service-account,ou=Applications,o=services'
 ```
 
-Your IT department will provide this if it's different from the default format.
+Your IT department can provide the correct DN.
+
+## Non-Rails Setup
+
+If you are not using Rails, configure `LdapLookup.configuration` during app startup and provide the same environment variables. See the Non-Rails example in `README.md` for a full snippet.
 
 ## Usage
 
@@ -94,24 +143,27 @@ LdapLookup.all_groups_for_user('uniqname')
 
 ## Troubleshooting
 
-**Anonymous bind fails**
-- Your LDAP server may require authenticated binds
-- Set `LDAP_USERNAME` and `LDAP_PASSWORD` (service account recommended)
-- Verify credentials are correct
+### Auth Failures
+
+- UM LDAP requires authenticated binds. Ensure `LDAP_USERNAME` and `LDAP_PASSWORD` are set.
+- For service accounts, set `LDAP_BIND_DN` to the DN provided by your IT team.
+- Confirm the account is enabled for LDAP and the password is current.
+
+### TLS/SSL Errors
+
+- Use `LDAP_ENCRYPTION=start_tls` with port `389`, or `simple_tls` with port `636`.
+- If certificate validation fails, set `LDAP_CA_CERT` to a CA bundle path.
+- Avoid `LDAP_TLS_VERIFY=false` outside local testing.
 
-**Error: Connection timeout or SSL errors**
-- Verify `config.host` is correct
-- Try `config.encryption = :simple_tls` with `config.port = '636'` for LDAPS
-- Check firewall rules allow outbound LDAP connections
+### Bind DN Tips
 
-**Service account not working**
-- Verify the bind DN format with your IT department
-- Set `config.bind_dn` if your service account uses a non-standard format
+- Default bind DN is `uid=username,ou=People,base`.
+- Service accounts often require a custom DN; set `LDAP_BIND_DN` accordingly.
 
 ## Security Reminders
 
-- ✅ Use environment variables for credentials
-- ✅ Use service accounts in production
-- ✅ Never commit credentials to version control
-- ❌ Don't hardcode passwords in code
-- ❌ Don't use personal accounts in production
+- Use environment variables for credentials.
+- Use service accounts in production.
+- Never commit credentials to version control.
+- Don't hardcode passwords in code.
+- Don't use personal accounts in production.

data/config/initializers/ldap_lookup.rb.example

@@ -9,24 +9,38 @@ LdapLookup.configuration do |config|
   config.host = ENV.fetch('LDAP_HOST', 'ldap.umich.edu')
   config.port = ENV.fetch('LDAP_PORT', '389')
   config.base = ENV.fetch('LDAP_BASE', 'dc=umich,dc=edu')
-  
-  # Authentication (optional for anonymous binds)
+
+  # UM LDAP requires authenticated binds. Ensure LDAP_USERNAME and LDAP_PASSWORD are set.
+  # Confirm the account is enabled for LDAP and the password is current.
   # Option 1: Use a service account (recommended for production)
   # Request a service account from your IT department
-  # Leave unset to use anonymous binds (if your LDAP server allows it)
+  # Leave unset only if your LDAP server allows anonymous binds
   config.username = ENV['LDAP_USERNAME']
   config.password = ENV['LDAP_PASSWORD']
-  
-  # Option 2: If your service account uses a custom bind DN format, specify it:
-  # config.bind_dn = 'cn=service-account,ou=Service Accounts,dc=umich,dc=edu'
+
+  # For service accounts, set LDAP_BIND_DN to the DN provided by your IT team.
+  # Note: LDAP_BIND_DN replaces LDAP_USERNAME (LDAP_USERNAME can be unset), not LDAP_PASSWORD.
+  # config.bind_dn = ENV['LDAP_BIND_DN']
+  # Example: cn=service-account,ou=Applications,o=services
   # (If bind_dn is not set, it defaults to: uid=username,ou=People,base)
-  
-  # Encryption - REQUIRED (as of Jan 20, 2026)
-  # Use :start_tls for port 389 or :simple_tls for LDAPS on port 636
+
+  # Use LDAP_ENCRYPTION=start_tls with port 389, or simple_tls with port 636.
   encryption_method = ENV.fetch('LDAP_ENCRYPTION', 'start_tls').to_sym
   config.encryption = encryption_method
-  
+
   # Optional: Attribute Configuration
   config.dept_attribute = ENV.fetch('LDAP_DEPT_ATTRIBUTE', 'umichPostalAddressData')
   config.group_attribute = ENV.fetch('LDAP_GROUP_ATTRIBUTE', 'umichGroupEmail')
+
+  # Optional: Diagnostic UID (used by LdapLookup.test_connection)
+  # config.diagnostic_uid = ENV['LDAP_DIAGNOSTIC_UID']
+
+  # Optional: Logger for debug output (responds to debug/info or call)
+  # Debug output is only emitted when config.debug is true.
+  # config.logger = Rails.logger
+
+  # Optional: Separate search bases for users and groups
+  # Example for UM service accounts:
+  # config.user_base = ENV.fetch('LDAP_USER_BASE', 'ou=people,dc=umich,dc=edu')
+  # config.group_base = ENV.fetch('LDAP_GROUP_BASE', 'ou=user groups,ou=groups,dc=umich,dc=edu')
 end

data/ldaptest.rb

@@ -17,17 +17,25 @@ class Ldaptest
     config.host = ENV['LDAP_HOST'] || "ldap.umich.edu"
     config.port = ENV['LDAP_PORT'] || "389"
     config.base = ENV['LDAP_BASE'] || "dc=umich,dc=edu"
-    # Leave username/password unset for anonymous binds
+    # UM LDAP requires authenticated binds. Ensure LDAP_USERNAME and LDAP_PASSWORD are set.
+    # Confirm the account is enabled for LDAP and the password is current.
     config.username = ENV['LDAP_USERNAME']
     config.password = ENV['LDAP_PASSWORD']
-    # Read encryption from ENV, default to start_tls
+    # For service accounts, set LDAP_BIND_DN to the DN provided by your IT team.
+    config.bind_dn = ENV['LDAP_BIND_DN']
+    # Optional diagnostic UID to avoid size-limit warnings
+    config.diagnostic_uid = ENV['LDAP_DIAGNOSTIC_UID'] if ENV['LDAP_DIAGNOSTIC_UID']
+    # Use LDAP_ENCRYPTION=start_tls with port 389, or simple_tls with port 636.
     encryption_str = ENV['LDAP_ENCRYPTION'] || 'start_tls'
     config.encryption = encryption_str.to_sym
     config.dept_attribute = ENV['LDAP_DEPT_ATTRIBUTE'] || "umichPostalAddressData"
     config.group_attribute = ENV['LDAP_GROUP_ATTRIBUTE'] || "umichGroupEmail"
+    # Optional search bases for UM LDAP
+    config.user_base = ENV['LDAP_USER_BASE'] if ENV['LDAP_USER_BASE']
+    config.group_base = ENV['LDAP_GROUP_BASE'] if ENV['LDAP_GROUP_BASE']
     # Enable LDAP debug logging in this test runner
     debug_str = ENV['LDAP_DEBUG']
-    config.debug = debug_str ? debug_str.to_s.downcase == 'true' : true
+    config.debug = debug_str ? debug_str.to_s.downcase == 'true' : false
   end
   #######################################################
 

data/lib/ldap_lookup/version.rb

@@ -1,3 +1,3 @@
 module LdapLookup
-  VERSION = "2.0.1"
+  VERSION = "2.1.0"
 end

data/lib/ldap_lookup.rb

@@ -13,13 +13,81 @@ module LdapLookup
   define_setting :username
   define_setting :password
   define_setting :bind_dn  # Optional: custom bind DN (for service accounts). If not set, uses uid=username,ou=People,base
+  define_setting :user_base  # Optional: base DN for people lookups (e.g., ou=people,dc=umich,dc=edu)
+  define_setting :group_base  # Optional: base DN for group lookups (e.g., ou=user groups,ou=groups,dc=umich,dc=edu)
+  define_setting :diagnostic_uid  # Optional: test UID for diagnostic searches
   define_setting :encryption, :start_tls  # :start_tls or :simple_tls (LDAPS)
   define_setting :debug, false
+  define_setting :logger  # Optional logger (responds to debug/info or call)
 
   def self.debug_log(message)
     return unless debug
 
-    puts "[LDAP DEBUG] #{message}"
+    formatted = "[LDAP DEBUG] #{message}"
+    log_target = logger
+    if log_target
+      if log_target.respond_to?(:debug)
+        log_target.debug(formatted)
+      elsif log_target.respond_to?(:info)
+        log_target.info(formatted)
+      elsif log_target.respond_to?(:call)
+        log_target.call(formatted)
+      else
+        puts formatted
+      end
+    else
+      puts formatted
+    end
+  end
+
+  def self.blank?(value)
+    value.nil? || value.to_s.strip.empty?
+  end
+
+  def self.extract_dn_attribute(dn_value, attribute)
+    return nil if blank?(dn_value) || blank?(attribute)
+
+    attr_key = attribute.to_s.downcase
+    begin
+      parsed = Net::LDAP::DN.new(dn_value)
+      parsed.to_a.each do |rdn|
+        rdn.each do |pair|
+          attr, val, _type = pair
+          return val if attr.to_s.downcase == attr_key
+        end
+      end
+    rescue => e
+      debug_log("dn parse failed: #{e.class} #{e.message}")
+    end
+
+    # Fallback: basic parsing (may fail with escaped commas)
+    dn_value.split(',').each do |segment|
+      key, value = segment.split('=', 2)
+      return value if key && key.strip.downcase == attr_key
+    end
+
+    nil
+  end
+
+  def self.user_search_base
+    base_value = user_base.to_s.strip
+    return base_value unless base_value.empty?
+
+    base
+  end
+
+  def self.group_search_base
+    base_value = group_base.to_s.strip
+    return base_value unless base_value.empty?
+
+    base
+  end
+
+  def self.user_dn_base
+    base_value = user_base.to_s.strip
+    return base_value unless base_value.empty?
+
+    "ou=People,#{base}"
   end
 
   def self.perform_search(ldap, base: nil, filter:, attributes: nil, label: nil, options: {})
@@ -96,23 +164,33 @@ module LdapLookup
   def self.test_connection
     username_present = username && !username.to_s.strip.empty?
     password_present = password && !password.to_s.strip.empty?
-    auth_dn = if bind_dn
+    diagnostic_uid_value = diagnostic_uid.to_s.strip
+    diagnostic_uid_present = !diagnostic_uid_value.empty?
+    bind_dn_present = bind_dn && !bind_dn.to_s.strip.empty?
+    auth_dn = if bind_dn_present
       bind_dn
     elsif username_present
-      "uid=#{username},ou=People,#{base}"
+      "uid=#{username},#{user_dn_base}"
     end
 
-    search_base = username_present ? "ou=People,#{base}" : base
-    search_filter = username_present ? "(uid=#{username})" : "(objectClass=*)"
+    search_base = (diagnostic_uid_present || username_present || (user_base && !user_base.to_s.strip.empty?)) ? user_search_base : base
+    search_filter = if diagnostic_uid_present
+      "(uid=#{diagnostic_uid_value})"
+    elsif username_present
+      "(uid=#{username})"
+    else
+      "(uid=*)"
+    end
 
     result = {
       bind_dn: auth_dn,
       username: username,
+      diagnostic_uid: diagnostic_uid_present ? diagnostic_uid_value : nil,
       host: host,
       port: port,
       encryption: encryption,
       base: base,
-      auth_mode: (username_present && password_present) ? 'authenticated' : 'anonymous'
+      auth_mode: ((username_present || bind_dn_present) && password_present) ? 'authenticated' : 'anonymous'
     }
 
     begin
@@ -133,7 +211,7 @@ module LdapLookup
       # Net::LDAP binds automatically when performing operations (search, etc.)
       # Explicit bind may fail with Code 19 on STARTTLS, but actual operations work fine
       # Test by performing an actual search operation instead of explicit bind
-      
+
       # Try a simple search - this will trigger automatic bind
       search_result = perform_search(
         ldap,
@@ -253,9 +331,10 @@ module LdapLookup
     # Note: "simple" bind method = authenticated bind with username/password (not anonymous)
     auth_username = username.to_s.strip
     auth_password = password.to_s
-    if !auth_username.empty? && !auth_password.empty?
+    auth_bind_dn = bind_dn.to_s.strip
+    if !auth_password.empty? && (!auth_bind_dn.empty? || !auth_username.empty?)
       # Use custom bind_dn if provided (for service accounts), otherwise build standard DN
-      auth_bind_dn = bind_dn || "uid=#{auth_username},ou=People,#{base}"
+      auth_bind_dn = auth_bind_dn.empty? ? "uid=#{auth_username},#{user_dn_base}" : auth_bind_dn
       connection_params[:auth] = {
         method: :simple,  # Simple bind = authenticated bind with username/password
         username: auth_bind_dn,
@@ -280,6 +359,8 @@ module LdapLookup
   end
 
   def self.get_user_attribute(uniqname, attribute, default_value = nil)
+    return default_value if blank?(uniqname) || blank?(attribute)
+
     ldap = ldap_connection
     search_param = uniqname
     result_attrs = [attribute]
@@ -289,6 +370,7 @@ module LdapLookup
 
     perform_search(
       ldap,
+      base: user_search_base,
       filter: search_filter,
       attributes: result_attrs,
       label: "get_user_attribute",
@@ -316,6 +398,8 @@ module LdapLookup
   end
 
   def self.get_nested_attribute(uniqname, nested_attribute)
+    return nil if blank?(uniqname) || blank?(nested_attribute)
+
     ldap = ldap_connection
     search_param = uniqname
     # Specify the full nested attribute path using dot notation
@@ -329,6 +413,7 @@ module LdapLookup
 
     perform_search(
       ldap,
+      base: user_search_base,
       filter: search_filter,
       attributes: result_attrs,
       label: "get_nested_attribute",
@@ -366,13 +451,22 @@ module LdapLookup
 
   # method to check if a uid exist in LDAP
   def self.uid_exist?(uniqname)
+    return false if blank?(uniqname)
+
     ldap = ldap_connection
     search_param = uniqname
     found = false
 
     search_filter = Net::LDAP::Filter.eq('uid', search_param)
 
-    perform_search(ldap, filter: search_filter, label: "uid_exist", options: { size: 1 }).each do |item|
+    perform_search(
+      ldap,
+      base: user_search_base,
+      filter: search_filter,
+      attributes: ['uid'],
+      label: "uid_exist",
+      options: { size: 1 }
+    ).each do |item|
       if item['uid'].first == search_param
         found = true
         break
@@ -410,6 +504,8 @@ module LdapLookup
   end
 
   def self.is_member_of_group?(uid, group_name)
+    return false if blank?(uid) || blank?(group_name)
+
     ldap = ldap_connection
     search_param = group_name
     result_attrs = ['member']
@@ -420,9 +516,9 @@ module LdapLookup
       Net::LDAP::Filter.eq('objectClass', 'group')
     )
 
-    perform_search(ldap, filter: search_filter, attributes: result_attrs, label: "is_member_of_group").each do |item|
+    perform_search(ldap, base: group_search_base, filter: search_filter, attributes: result_attrs, label: "is_member_of_group").each do |item|
       members = item['member']
-      if members && members.any? { |entry| entry.split(',').first.split('=')[1] == uid }
+      if members && members.any? { |entry| extract_dn_attribute(entry, 'uid') == uid }
         found = true
         break
       end
@@ -443,6 +539,8 @@ module LdapLookup
   end
 
   def self.get_email_distribution_list(group_name)
+    return {} if blank?(group_name)
+
     ldap = ldap_connection
     result_hash = {}
     found_data = false
@@ -455,11 +553,11 @@ module LdapLookup
       Net::LDAP::Filter.eq('objectClass', 'group')
     )
 
-    perform_search(ldap, filter: search_filter, attributes: result_attrs, label: "get_email_distribution_list").each do |item|
+    perform_search(ldap, base: group_search_base, filter: search_filter, attributes: result_attrs, label: "get_email_distribution_list").each do |item|
       found_data = true
       result_hash['group_name'] = item['cn']&.first
       result_hash['group_email'] = item['umichGroupEmail']&.first
-      members = item['member']&.map { |individual| individual.split(',').first.split('=')[1] }
+      members = item['member']&.map { |individual| extract_dn_attribute(individual, 'uid') }&.compact
       result_hash['members'] = members&.sort || []
     end
 
@@ -477,15 +575,20 @@ module LdapLookup
   end
 
   def self.all_groups_for_user(uid)
+    return [] if blank?(uid)
+
     ldap = ldap_connection
     result_array = []
 
     result_attrs = ['dn']
 
     # Use configured base instead of hardcoded dc=umich,dc=edu
-    member_dn = "uid=#{uid},ou=People,#{base}"
-    perform_search(ldap, filter: "member=#{member_dn}", attributes: result_attrs, label: "all_groups_for_user").each do |item|
-      item.each { |key, value| result_array << value.first.split('=')[1].split(',')[0] }
+    member_dn = "uid=#{uid},#{user_dn_base}"
+    search_filter = Net::LDAP::Filter.eq('member', member_dn)
+    perform_search(ldap, base: group_search_base, filter: search_filter, attributes: result_attrs, label: "all_groups_for_user").each do |item|
+      dn_value = item.respond_to?(:dn) ? item.dn : item['dn']&.first
+      group_name = extract_dn_attribute(dn_value, 'cn')
+      result_array << group_name if group_name
     end
 
     # Check response - may raise Constraint Violation for regular users

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ldap_lookup
 version: !ruby/object:Gem::Version
-  version: 2.0.1
+  version: 2.1.0
 platform: ruby
 authors:
 - Rick Smoke