net-ldap 0.11 → 0.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 093221df6c10572671e2d05af258d473d1c17e78
-  data.tar.gz: e27ca24638d8d46f2a8a39900fb90d8ca6a7f1fe
+  metadata.gz: 8c96669822fdcf032465b410615500b91a2f31ec
+  data.tar.gz: 643738d3f05ae5469ef1eb773326d5943eacf923
 SHA512:
-  metadata.gz: 7f1bdba62c083cfc5b128226107f94815fb6d8b2d4d04fb47e30271289d6ffa193dc5e9363a2f44a04b7d5a30af08a97bba3d5afeda4ce035d7581f533db639a
-  data.tar.gz: 9ff4126e94e791948777a1ed4396c21cdf62fb9a446a4eb240364302367c08a27566243af69bdf907fd2f8bfbe92117513eccc033db97f3c47acefab348971a1
+  metadata.gz: 6a7a455c387b73745d6da20d890181c20776562751f0c4bd43b9eb9a7ad9d2637771e1dfdaecbeb7e951ba25bca9859219e32e1154a88eed12e162152f47df0e
+  data.tar.gz: e92116ed732575ba7f0f05fb52f1148bd9c432de28cd3d0391b72835a091294dd7fe260c3b5aa1c96266b31edc9dd861cedd5d6066f57520dfb5c19e05a7b727

data/.travis.yml

@@ -2,25 +2,28 @@ language: ruby
 rvm:
   - 1.9.3
   - 2.0.0
-  - 2.1.2
+  - 2.1
+  - 2.2
   # optional
+  - ruby-head
   - jruby-19mode
-  - rbx-19mode
+  - jruby-head
   - rbx-2
 
 env:
   - INTEGRATION=openldap
 
 install:
-  - if [ "$INTEGRATION" = "openldap" ]; then ./script/install-openldap; fi
+  - if [ "$INTEGRATION" = "openldap" ]; then sudo script/install-openldap; fi
   - bundle install
 
 script: bundle exec rake ci
 
 matrix:
   allow_failures:
+    - rvm: ruby-head
     - rvm: jruby-19mode
-    - rvm: rbx-19mode
+    - rvm: jruby-head
     - rvm: rbx-2
   fast_finish: true
 

data/History.rdoc

@@ -1,3 +1,21 @@
+=== Net::LDAP 0.12.0
+
+* DRY up connection handling logic {#224}[https://github.com/ruby-ldap/ruby-net-ldap/pull/224]
+* Define auth adapters {#226}[https://github.com/ruby-ldap/ruby-net-ldap/pull/226]
+* add slash to attribute value filter {#225}[https://github.com/ruby-ldap/ruby-net-ldap/pull/225]
+* Add the ability to provide a list of hosts for a connection {#223}[https://github.com/ruby-ldap/ruby-net-ldap/pull/223]
+* Specify the port of LDAP server by giving INTEGRATION_PORT {#221}[https://github.com/ruby-ldap/ruby-net-ldap/pull/221]
+* Correctly set BerIdentifiedString values to UTF-8  {#212}[https://github.com/ruby-ldap/ruby-net-ldap/pull/212]
+* Raise Net::LDAP::ConnectionRefusedError when new connection is refused. {#213}[https://github.com/ruby-ldap/ruby-net-ldap/pull/213]
+* obscure auth password upon #inspect, added test, closes #216 {#217}[https://github.com/ruby-ldap/ruby-net-ldap/pull/217]
+* Fixing incorrect error class name {#207}[https://github.com/ruby-ldap/ruby-net-ldap/pull/207]
+* Travis update {#205}[https://github.com/ruby-ldap/ruby-net-ldap/pull/205]
+* Remove obsolete rbx-19mode from Travis {#204}[https://github.com/ruby-ldap/ruby-net-ldap/pull/204]
+* mv "sudo" from script/install-openldap to .travis.yml {#199}[https://github.com/ruby-ldap/ruby-net-ldap/pull/199]
+* Remove meaningless shebang {#200}[https://github.com/ruby-ldap/ruby-net-ldap/pull/200]
+* Fix Travis CI build {#202}[https://github.com/ruby-ldap/ruby-net-ldap/pull/202]
+* README.rdoc: fix travis link {#195}[https://github.com/ruby-ldap/ruby-net-ldap/pull/195]
+
 === Net::LDAP 0.11
 * Major enhancements:
   * #183 Specific errors subclassing Net::LDAP::Error

data/README.rdoc

@@ -1,4 +1,4 @@
-= Net::LDAP for Ruby {<img src="https://travis-ci.org/ruby-ldap/ruby-net-ldap.png" />}[https://travis-ci.org/github/ruby-net-ldap]
+= Net::LDAP for Ruby {<img src="https://travis-ci.org/ruby-ldap/ruby-net-ldap.png" />}[https://travis-ci.org/ruby-ldap/ruby-net-ldap]
 
 == Description
 
@@ -37,6 +37,14 @@ sources.
 
 Simply require either 'net-ldap' or 'net/ldap'.
 
+== Extensions
+
+This library focuses on the core LDAP RFCs referenced in the description.
+However, we recognize there are commonly used extensions to the spec that are
+useful. If there is another library which handles it, we list it here.
+
+* {resolv-srv}[https://rubygems.org/gems/resolv-srv]: Support RFC2782 SRV record lookup and failover
+
 == Develop
 
 This task will run the test suite and the
@@ -55,10 +63,11 @@ To run the integration tests against an LDAP server:
 
 This section is for gem maintainers to cut a new version of the gem.
 
+* Check out a new branch `release-VERSION`
 * Update lib/net/ldap/version.rb to next version number X.X.X following {semver}(http://semver.org/).
-* Update `History.rdoc`. Get latest changes with `git log --oneline vLAST_RELEASE..HEAD | grep Merge`
-
-* On the master branch, run `script/release`
+* Update `History.rdoc`. Get latest changes with `script/changelog`
+* Open a pull request with these changes for review
+* After merging, on the master branch, run `script/release`
 
 :include: Contributors.rdoc
 

data/Rakefile

@@ -1,4 +1,3 @@
-#!/usr/bin/env rake
 # -*- ruby encoding: utf-8 -*-
 # vim: syntax=ruby
 

data/lib/net/ber.rb

@@ -296,9 +296,11 @@ end
 class Net::BER::BerIdentifiedString < String
   attr_accessor :ber_identifier
   def initialize args
-    super args
-    # LDAP uses UTF-8 encoded strings
-    self.encode('UTF-8') if self.respond_to?(:encoding) rescue self
+    super begin
+      args.respond_to?(:encode) ? args.encode('UTF-8') : args
+    rescue
+      args
+    end
   end
 end
 

data/lib/net/ldap.rb

@@ -27,6 +27,12 @@ require 'net/ldap/instrumentation'
 require 'net/ldap/connection'
 require 'net/ldap/version'
 require 'net/ldap/error'
+require 'net/ldap/auth_adapter'
+require 'net/ldap/auth_adapter/simple'
+require 'net/ldap/auth_adapter/sasl'
+
+Net::LDAP::AuthAdapter.register([:simple, :anon, :anonymous], Net::LDAP::AuthAdapter::Simple)
+Net::LDAP::AuthAdapter.register(:sasl, Net::LDAP::AuthAdapter::Sasl)
 
 # == Quick-start for the Impatient
 # === Quick Example of a user-authentication against an LDAP directory:
@@ -432,6 +438,7 @@ class Net::LDAP
 
   attr_accessor :host
   attr_accessor :port
+  attr_accessor :hosts
   attr_accessor :base
 
   # Instantiate an object of type Net::LDAP to perform directory operations.
@@ -440,6 +447,8 @@ class Net::LDAP
   # described below. The following arguments are supported:
   # * :host => the LDAP server's IP-address (default 127.0.0.1)
   # * :port => the LDAP server's TCP port (default 389)
+  # * :hosts => an enumerable of pairs of hosts and corresponding ports with
+  #   which to attempt opening connections (default [[host, port]])
   # * :auth => a Hash containing authorization parameters. Currently
   #   supported values include: {:method => :anonymous} and {:method =>
   #   :simple, :username => your_user_name, :password => your_password }
@@ -468,6 +477,7 @@ class Net::LDAP
   def initialize(args = {})
     @host = args[:host] || DefaultHost
     @port = args[:port] || DefaultPort
+    @hosts = args[:hosts]
     @verbose = false # Make this configurable with a switch on the class.
     @auth = args[:auth] || DefaultAuth
     @base = args[:base] || DefaultTreebase
@@ -1195,6 +1205,13 @@ class Net::LDAP
     @server_caps[:supportedcontrol].include?(Net::LDAP::LDAPControls::PAGED_RESULTS)
   end
 
+  # Mask auth password
+  def inspect
+    inspected = super
+    inspected.gsub! @auth[:password], "*******" if @auth[:password]
+    inspected
+  end
+
   private
 
   # Yields an open connection if there is one, otherwise establishes a new
@@ -1223,6 +1240,7 @@ class Net::LDAP
     Net::LDAP::Connection.new \
       :host                    => @host,
       :port                    => @port,
+      :hosts                   => @hosts,
       :encryption              => @encryption,
       :instrumentation_service => @instrumentation_service
   end

data/lib/net/ldap/auth_adapter.rb

@@ -0,0 +1,29 @@
+module Net
+  class LDAP
+    class AuthAdapter
+      def self.register(names, adapter)
+        names = Array(names)
+        @adapters ||= {}
+        names.each do |name|
+          @adapters[name] = adapter
+        end
+      end
+
+      def self.[](name)
+        a = @adapters[name]
+        if a.nil?
+          raise Net::LDAP::AuthMethodUnsupportedError, "Unsupported auth method (#{name})"
+        end
+        return a
+      end
+
+      def initialize(conn)
+        @connection = conn
+      end
+
+      def bind
+        raise "bind method must be overwritten"
+      end
+    end
+  end
+end

data/lib/net/ldap/auth_adapter/gss_spnego.rb

@@ -0,0 +1,40 @@
+require 'net/ldap/auth_adapter'
+require 'net/ldap/auth_adapter/sasl'
+
+module Net
+  class LDAP
+    module AuthAdapers
+      #--
+      # PROVISIONAL, only for testing SASL implementations. DON'T USE THIS YET.
+      # Uses Kohei Kajimoto's Ruby/NTLM. We have to find a clean way to
+      # integrate it without introducing an external dependency.
+      #
+      # This authentication method is accessed by calling #bind with a :method
+      # parameter of :gss_spnego. It requires :username and :password
+      # attributes, just like the :simple authentication method. It performs a
+      # GSS-SPNEGO authentication with the server, which is presumed to be a
+      # Microsoft Active Directory.
+      #++
+      class GSS_SPNEGO < Net::LDAP::AuthAdapter
+        def bind(auth)
+          require 'ntlm'
+
+          user, psw = [auth[:username] || auth[:dn], auth[:password]]
+          raise Net::LDAP::BindingInformationInvalidError, "Invalid binding information" unless (user && psw)
+
+          nego = proc { |challenge|
+            t2_msg = NTLM::Message.parse(challenge)
+            t3_msg = t2_msg.response({ :user => user, :password => psw },
+                                     { :ntlmv2 => true })
+            t3_msg.serialize
+          }
+
+          Net::LDAP::AuthAdapter::Sasl.new(@connection).
+            bind(:method => :sasl, :mechanism => "GSS-SPNEGO",
+                    :initial_credential => NTLM::Message::Type1.new.serialize,
+                    :challenge_response => nego)
+        end
+      end
+    end
+  end
+end

data/lib/net/ldap/auth_adapter/sasl.rb

@@ -0,0 +1,60 @@
+require 'net/ldap/auth_adapter'
+
+module Net
+  class LDAP
+    class AuthAdapter
+      class Sasl < Net::LDAP::AuthAdapter
+        #--
+        # Required parameters: :mechanism, :initial_credential and
+        # :challenge_response
+        #
+        # Mechanism is a string value that will be passed in the SASL-packet's
+        # "mechanism" field.
+        #
+        # Initial credential is most likely a string. It's passed in the initial
+        # BindRequest that goes to the server. In some protocols, it may be empty.
+        #
+        # Challenge-response is a Ruby proc that takes a single parameter and
+        # returns an object that will typically be a string. The
+        # challenge-response block is called when the server returns a
+        # BindResponse with a result code of 14 (saslBindInProgress). The
+        # challenge-response block receives a parameter containing the data
+        # returned by the server in the saslServerCreds field of the LDAP
+        # BindResponse packet. The challenge-response block may be called multiple
+        # times during the course of a SASL authentication, and each time it must
+        # return a value that will be passed back to the server as the credential
+        # data in the next BindRequest packet.
+        #++
+        def bind(auth)
+          mech, cred, chall = auth[:mechanism], auth[:initial_credential],
+            auth[:challenge_response]
+          raise Net::LDAP::BindingInformationInvalidError, "Invalid binding information" unless (mech && cred && chall)
+
+          message_id = @connection.next_msgid
+
+          n = 0
+          loop {
+            sasl = [mech.to_ber, cred.to_ber].to_ber_contextspecific(3)
+            request = [
+              Net::LDAP::Connection::LdapVersion.to_ber, "".to_ber, sasl
+            ].to_ber_appsequence(Net::LDAP::PDU::BindRequest)
+
+            @connection.send(:write, request, nil, message_id)
+            pdu = @connection.queued_read(message_id)
+
+            if !pdu || pdu.app_tag != Net::LDAP::PDU::BindResult
+              raise Net::LDAP::NoBindResultError, "no bind result"
+            end
+
+            return pdu unless pdu.result_code == Net::LDAP::ResultCodeSaslBindInProgress
+            raise Net::LDAP::SASLChallengeOverflowError, "sasl-challenge overflow" if ((n += 1) > MaxSaslChallenges)
+
+            cred = chall.call(pdu.result_server_sasl_creds)
+          }
+
+          raise Net::LDAP::SASLChallengeOverflowError, "why are we here?"
+        end
+      end
+    end
+  end
+end

data/lib/net/ldap/auth_adapter/simple.rb

@@ -0,0 +1,34 @@
+require 'net/ldap/auth_adapter'
+
+module Net
+  class LDAP
+    class AuthAdapter
+      class Simple < AuthAdapter
+        def bind(auth)
+          user, psw = if auth[:method] == :simple
+                        [auth[:username] || auth[:dn], auth[:password]]
+                      else
+                        ["", ""]
+                      end
+
+          raise Net::LDAP::BindingInformationInvalidError, "Invalid binding information" unless (user && psw)
+
+          message_id = @connection.next_msgid
+          request    = [
+            Net::LDAP::Connection::LdapVersion.to_ber, user.to_ber,
+            psw.to_ber_contextspecific(0)
+          ].to_ber_appsequence(Net::LDAP::PDU::BindRequest)
+
+          @connection.send(:write, request, nil, message_id)
+          pdu = @connection.queued_read(message_id)
+
+          if !pdu || pdu.app_tag != Net::LDAP::PDU::BindResult
+            raise Net::LDAP::NoBindResultError, "no bind result"
+          end
+
+          pdu
+        end
+      end
+    end
+  end
+end

data/lib/net/ldap/connection.rb

@@ -9,23 +9,42 @@ class Net::LDAP::Connection #:nodoc:
   def initialize(server)
     @instrumentation_service = server[:instrumentation_service]
 
-    begin
-      @conn = server[:socket] || TCPSocket.new(server[:host], server[:port])
-    rescue SocketError
-      raise Net::LDAP::Error, "No such address or other socket error."
-    rescue Errno::ECONNREFUSED
-      raise Net::LDAP::Error, "Server #{server[:host]} refused connection on port #{server[:port]}."
-    rescue Errno::EHOSTUNREACH => error
-      raise Net::LDAP::Error, "Host #{server[:host]} was unreachable (#{error.message})"
-    rescue Errno::ETIMEDOUT
-      raise Net::LDAP::Error, "Connection to #{server[:host]} timed out."
+    if server[:socket]
+      prepare_socket(server)
+    else
+      server[:hosts] = [[server[:host], server[:port]]] if server[:hosts].nil?
+      open_connection(server)
     end
 
-    if server[:encryption]
-      setup_encryption server[:encryption]
+    yield self if block_given?
+  end
+
+  def prepare_socket(server)
+    socket = server[:socket]
+    encryption = server[:encryption]
+
+    @conn = socket
+    setup_encryption encryption if encryption
+  end
+
+  def open_connection(server)
+    hosts = server[:hosts]
+    encryption = server[:encryption]
+
+    errors = []
+    hosts.each do |host, port|
+      begin
+        prepare_socket(server.merge(socket: TCPSocket.new(host, port)))
+        return
+      rescue Net::LDAP::Error, SocketError, SystemCallError,
+             OpenSSL::SSL::SSLError => e
+        # Ensure the connection is closed in the event a setup failure.
+        close
+        errors << [e, host, port]
+      end
     end
 
-    yield self if block_given?
+    raise Net::LDAP::ConnectionError.new(errors)
   end
 
   module GetbyteForSSLSocket
@@ -63,18 +82,18 @@ class Net::LDAP::Connection #:nodoc:
   end
 
   #--
-  # Helper method called only from new, and only after we have a
-  # successfully-opened @conn instance variable, which is a TCP connection.
-  # Depending on the received arguments, we establish SSL, potentially
-  # replacing the value of @conn accordingly. Don't generate any errors here
-  # if no encryption is requested. DO raise Net::LDAP::Error objects if encryption
-  # is requested and we have trouble setting it up. That includes if OpenSSL
-  # is not set up on the machine. (Question: how does the Ruby OpenSSL
-  # wrapper react in that case?) DO NOT filter exceptions raised by the
-  # OpenSSL library. Let them pass back to the user. That should make it
-  # easier for us to debug the problem reports. Presumably (hopefully?) that
-  # will also produce recognizable errors if someone tries to use this on a
-  # machine without OpenSSL.
+  # Helper method called only from prepare_socket or open_connection, and only
+  # after we have a successfully-opened @conn instance variable, which is a TCP
+  # connection.  Depending on the received arguments, we establish SSL,
+  # potentially replacing the value of @conn accordingly. Don't generate any
+  # errors here if no encryption is requested. DO raise Net::LDAP::Error objects
+  # if encryption is requested and we have trouble setting it up. That includes
+  # if OpenSSL is not set up on the machine. (Question: how does the Ruby
+  # OpenSSL wrapper react in that case?) DO NOT filter exceptions raised by the
+  # OpenSSL library. Let them pass back to the user. That should make it easier
+  # for us to debug the problem reports. Presumably (hopefully?) that will also
+  # produce recognizable errors if someone tries to use this on a machine
+  # without OpenSSL.
   #
   # The simple_tls method is intended as the simplest, stupidest, easiest
   # solution for people who want nothing more than encrypted comms with the
@@ -124,6 +143,7 @@ class Net::LDAP::Connection #:nodoc:
   # have to call it, but perhaps it will come in handy someday.
   #++
   def close
+    return if @conn.nil?
     @conn.close
     @conn = nil
   end
@@ -218,130 +238,11 @@ class Net::LDAP::Connection #:nodoc:
   def bind(auth)
     instrument "bind.net_ldap_connection" do |payload|
       payload[:method] = meth = auth[:method]
-      if [:simple, :anonymous, :anon].include?(meth)
-        bind_simple auth
-      elsif meth == :sasl
-        bind_sasl(auth)
-      elsif meth == :gss_spnego
-        bind_gss_spnego(auth)
-      else
-        raise Net::LDAP::AuthMethodUnsupportedError, "Unsupported auth method (#{meth})"
-      end
+      adapter = Net::LDAP::AuthAdapter[meth]
+      adapter.new(self).bind(auth)
     end
   end
 
-  #--
-  # Implements a simple user/psw authentication. Accessed by calling #bind
-  # with a method of :simple or :anonymous.
-  #++
-  def bind_simple(auth)
-    user, psw = if auth[:method] == :simple
-                  [auth[:username] || auth[:dn], auth[:password]]
-                else
-                  ["", ""]
-                end
-
-    raise Net::LDAP::BindingInformationInvalidError, "Invalid binding information" unless (user && psw)
-
-    message_id = next_msgid
-    request    = [
-      LdapVersion.to_ber, user.to_ber,
-      psw.to_ber_contextspecific(0)
-    ].to_ber_appsequence(Net::LDAP::PDU::BindRequest)
-
-    write(request, nil, message_id)
-    pdu = queued_read(message_id)
-
-    if !pdu || pdu.app_tag != Net::LDAP::PDU::BindResult
-      raise Net::LDAP::NoBindResultError, "no bind result"
-    end
-
-    pdu
-  end
-
-  #--
-  # Required parameters: :mechanism, :initial_credential and
-  # :challenge_response
-  #
-  # Mechanism is a string value that will be passed in the SASL-packet's
-  # "mechanism" field.
-  #
-  # Initial credential is most likely a string. It's passed in the initial
-  # BindRequest that goes to the server. In some protocols, it may be empty.
-  #
-  # Challenge-response is a Ruby proc that takes a single parameter and
-  # returns an object that will typically be a string. The
-  # challenge-response block is called when the server returns a
-  # BindResponse with a result code of 14 (saslBindInProgress). The
-  # challenge-response block receives a parameter containing the data
-  # returned by the server in the saslServerCreds field of the LDAP
-  # BindResponse packet. The challenge-response block may be called multiple
-  # times during the course of a SASL authentication, and each time it must
-  # return a value that will be passed back to the server as the credential
-  # data in the next BindRequest packet.
-  #++
-  def bind_sasl(auth)
-    mech, cred, chall = auth[:mechanism], auth[:initial_credential],
-      auth[:challenge_response]
-    raise Net::LDAP::BindingInformationInvalidError, "Invalid binding information" unless (mech && cred && chall)
-
-    message_id = next_msgid
-
-    n = 0
-    loop {
-      sasl = [mech.to_ber, cred.to_ber].to_ber_contextspecific(3)
-      request = [
-        LdapVersion.to_ber, "".to_ber, sasl
-      ].to_ber_appsequence(Net::LDAP::PDU::BindRequest)
-
-      write(request, nil, message_id)
-      pdu = queued_read(message_id)
-
-      if !pdu || pdu.app_tag != Net::LDAP::PDU::BindResult
-        raise Net::LDAP::NoBindResultError, "no bind result"
-      end
-
-      return pdu unless pdu.result_code == Net::LDAP::ResultCodeSaslBindInProgress
-      raise Net::LDAP::SASLChallengeOverflowError, "sasl-challenge overflow" if ((n += 1) > MaxSaslChallenges)
-
-      cred = chall.call(pdu.result_server_sasl_creds)
-    }
-
-    raise Net::LDAP::SASLChallengeOverflowError, "why are we here?"
-  end
-  private :bind_sasl
-
-  #--
-  # PROVISIONAL, only for testing SASL implementations. DON'T USE THIS YET.
-  # Uses Kohei Kajimoto's Ruby/NTLM. We have to find a clean way to
-  # integrate it without introducing an external dependency.
-  #
-  # This authentication method is accessed by calling #bind with a :method
-  # parameter of :gss_spnego. It requires :username and :password
-  # attributes, just like the :simple authentication method. It performs a
-  # GSS-SPNEGO authentication with the server, which is presumed to be a
-  # Microsoft Active Directory.
-  #++
-  def bind_gss_spnego(auth)
-    require 'ntlm'
-
-    user, psw = [auth[:username] || auth[:dn], auth[:password]]
-    raise Net::LDAP::BindingInformationInvalidError, "Invalid binding information" unless (user && psw)
-
-    nego = proc { |challenge|
-      t2_msg = NTLM::Message.parse(challenge)
-      t3_msg = t2_msg.response({ :user => user, :password => psw },
-                               { :ntlmv2 => true })
-      t3_msg.serialize
-    }
-
-    bind_sasl(:method => :sasl, :mechanism => "GSS-SPNEGO",
-              :initial_credential => NTLM::Message::Type1.new.serialize,
-              :challenge_response => nego)
-  end
-  private :bind_gss_spnego
-
-
   #--
   # Allow the caller to specify a sort control
   #
@@ -652,7 +553,7 @@ class Net::LDAP::Connection #:nodoc:
     pdu = queued_read(message_id)
 
     if !pdu || pdu.app_tag != Net::LDAP::PDU::AddResponse
-      raise Net::LDAP::ResponseMissingError, "response missing or invalid"
+      raise Net::LDAP::ResponseMissingOrInvalidError, "response missing or invalid"
     end
 
     pdu

data/lib/net/ldap/error.rb

@@ -9,7 +9,41 @@ class Net::LDAP
 
   class AlreadyOpenedError < Error; end
   class SocketError < Error; end
-  class ConnectionRefusedError < Error; end
+  class ConnectionRefusedError < Error;
+    def initialize(*args)
+      warn_deprecation_message
+      super
+    end
+
+    def message
+      warn_deprecation_message
+      super
+    end
+
+    private
+    def warn_deprecation_message
+      warn "Deprecation warning: Net::LDAP::ConnectionRefused will be deprecated. Use Errno::ECONNREFUSED instead."
+    end
+  end
+  class ConnectionError < Error
+    def self.new(errors)
+      error = errors.first.first
+      if errors.size == 1
+        if error.kind_of? Errno::ECONNREFUSED
+          return Net::LDAP::ConnectionRefusedError.new(error.message)
+        end
+
+        return Net::LDAP::Error.new(error.message)
+      end
+
+      super
+    end
+
+    def initialize(errors)
+      message = "Unable to connect to any given server: \n  #{errors.map { |e, h, p| "#{e.class}: #{e.message} (#{h}:#{p})" }.join("\n  ")}"
+      super(message)
+    end
+  end
   class NoOpenSSLError < Error; end
   class NoStartTLSResultError < Error; end
   class NoSearchBaseError < Error; end

data/lib/net/ldap/filter.rb

@@ -752,7 +752,7 @@ class Net::LDAP::Filter
         scanner.scan(/\s*/)
         if op = scanner.scan(/<=|>=|!=|:=|=/)
           scanner.scan(/\s*/)
-          if value = scanner.scan(/(?:[-\[\]{}\w*.+:@=,#\$%&!'^~\s\xC3\x80-\xCA\xAF]|[^\x00-\x7F]|\\[a-fA-F\d]{2})+/u)
+          if value = scanner.scan(/(?:[-\[\]{}\w*.+\/:@=,#\$%&!'^~\s\xC3\x80-\xCA\xAF]|[^\x00-\x7F]|\\[a-fA-F\d]{2})+/u)
             # 20100313 AZ: Assumes that "(uid=george*)" is the same as
             # "(uid=george* )". The standard doesn't specify, but I can find
             # no examples that suggest otherwise.

data/lib/net/ldap/version.rb

@@ -1,5 +1,5 @@
 module Net
   class LDAP
-    VERSION = "0.11"
+    VERSION = "0.12.0"
   end
 end

data/net-ldap.gemspec

@@ -32,4 +32,5 @@ the most recent LDAP RFCs (4510-4519, plutions of 4520-4532).}
   s.add_development_dependency("flexmock", "~> 1.3")
   s.add_development_dependency("rake", "~> 10.0")
   s.add_development_dependency("rubocop", "~> 0.28.0")
+  s.add_development_dependency("test-unit")
 end

data/script/changelog

@@ -0,0 +1,47 @@
+#!/bin/bash
+# Usage: script/changelog [-r <repo>] [-b <base>] [-h <head>]
+#
+#  repo: BASE string of GitHub REPOsitory url. e.g. "user_or_org/REPOsitory". Defaults to git remote url.
+#  base: git ref to compare from. e.g. "v1.3.1". Defaults to latest git tag.
+#  head: git ref to compare to. Defaults to "HEAD".
+#
+# Generate a changelog preview from pull requests merged between `base` and
+# `head`.
+#
+# https://github.com/jch/release-scripts/blob/master/changelog
+set -e
+
+[ $# -eq 0 ] && set -- --help
+while [[ $# > 1 ]]
+do
+  key="$1"
+  case $key in
+    -r|--repo)
+    repo="$2"
+    shift
+    ;;
+    -b|--base)
+    base="$2"
+    shift
+    ;;
+    -h|--head)
+    head="$2"
+    shift
+    ;;
+    *)
+    ;;
+  esac
+  shift
+done
+
+repo="${repo:-$(git remote -v | grep push | awk '{print $2}' | cut -d'/' -f4- | sed 's/\.git//')}"
+base="${base:-$(git tag -l | sort -t. -k 1,1n -k 2,2n -k 3,3n | tail -n 1)}"
+head="${head:-HEAD}"
+api_url="https://api.github.com"
+
+# get merged PR's. Better way is to query the API for these, but this is easier
+for pr in $(git log --oneline $base..$head | grep "Merge pull request" | awk '{gsub("#",""); print $5}')
+do
+  # frustrated with trying to pull out the right values, fell back to ruby
+  curl -s "$api_url/repos/$repo/pulls/$pr" | ruby -rjson -e 'pr=JSON.parse(STDIN.read); puts "* #{pr[%q(title)]} {##{pr[%q(number)]}}[#{pr[%q(html_url)]}]"'
+done

data/script/install-openldap

@@ -6,68 +6,69 @@ BASE_PATH="$( cd `dirname $0`/../test/fixtures/openldap && pwd )"
 SEED_PATH="$( cd `dirname $0`/../test/fixtures          && pwd )"
 
 dpkg -s slapd time ldap-utils gnutls-bin ssl-cert > /dev/null ||\
-  DEBIAN_FRONTEND=noninteractive sudo -E apt-get install -y --force-yes slapd time ldap-utils gnutls-bin ssl-cert
+  DEBIAN_FRONTEND=noninteractive apt-get update  -y --force-yes && \
+  DEBIAN_FRONTEND=noninteractive apt-get install -y --force-yes slapd time ldap-utils gnutls-bin ssl-cert
 
-sudo /etc/init.d/slapd stop
+/etc/init.d/slapd stop
 
 TMPDIR=$(mktemp -d)
 cd $TMPDIR
 
 # Delete data and reconfigure.
-sudo cp -v /var/lib/ldap/DB_CONFIG ./DB_CONFIG
-sudo rm -rf /etc/ldap/slapd.d/*
-sudo rm -rf /var/lib/ldap/*
-sudo cp -v ./DB_CONFIG /var/lib/ldap/DB_CONFIG
-sudo slapadd -F /etc/ldap/slapd.d -b "cn=config" -l $BASE_PATH/slapd.conf.ldif
+cp -v /var/lib/ldap/DB_CONFIG ./DB_CONFIG
+rm -rf /etc/ldap/slapd.d/*
+rm -rf /var/lib/ldap/*
+cp -v ./DB_CONFIG /var/lib/ldap/DB_CONFIG
+slapadd -F /etc/ldap/slapd.d -b "cn=config" -l $BASE_PATH/slapd.conf.ldif
 # Load memberof and ref-int overlays and configure them.
-sudo slapadd -F /etc/ldap/slapd.d -b "cn=config" -l $BASE_PATH/memberof.ldif
+slapadd -F /etc/ldap/slapd.d -b "cn=config" -l $BASE_PATH/memberof.ldif
 # Load retcode overlay and configure
-sudo slapadd -F /etc/ldap/slapd.d -b "cn=config" -l $BASE_PATH/retcode.ldif
+slapadd -F /etc/ldap/slapd.d -b "cn=config" -l $BASE_PATH/retcode.ldif
 
 # Add base domain.
-sudo slapadd -F /etc/ldap/slapd.d <<EOM
+slapadd -F /etc/ldap/slapd.d <<EOM
 dn: dc=rubyldap,dc=com
 objectClass: top
 objectClass: domain
 dc: rubyldap
 EOM
 
-sudo chown -R openldap.openldap /etc/ldap/slapd.d
-sudo chown -R openldap.openldap /var/lib/ldap
+chown -R openldap.openldap /etc/ldap/slapd.d
+chown -R openldap.openldap /var/lib/ldap
 
-sudo /etc/init.d/slapd start
+/etc/init.d/slapd start
 
 # Import seed data.
 # NOTE: use ldapadd in order for memberOf and refint to apply, instead of:
-# cat $SEED_PATH/seed.ldif | sudo slapadd -F /etc/ldap/slapd.d
-/usr/bin/time sudo ldapadd -x -D "cn=admin,dc=rubyldap,dc=com" -w passworD1 \
+# cat $SEED_PATH/seed.ldif | slapadd -F /etc/ldap/slapd.d
+/usr/bin/time ldapadd -x -D "cn=admin,dc=rubyldap,dc=com" -w passworD1 \
              -h localhost -p 389 \
              -f $SEED_PATH/seed.ldif
 
-sudo rm -rf $TMPDIR
+rm -rf $TMPDIR
 
 # SSL
 
-sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"
+sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"
 
-sudo sh -c "cat > /etc/ssl/ca.info <<EOF
+sh -c "cat > /etc/ssl/ca.info <<EOF
 cn = rubyldap
 ca
 cert_signing_key
 EOF"
 
 # Create the self-signed CA certificate:
-sudo certtool --generate-self-signed \
+certtool --generate-self-signed \
 --load-privkey /etc/ssl/private/cakey.pem \
 --template /etc/ssl/ca.info \
 --outfile /etc/ssl/certs/cacert.pem
 
 # Make a private key for the server:
-sudo certtool --generate-privkey \
+certtool --generate-privkey \
 --bits 1024 \
 --outfile /etc/ssl/private/ldap01_slapd_key.pem
 
-sudo sh -c "cat > /etc/ssl/ldap01.info <<EOF
+sh -c "cat > /etc/ssl/ldap01.info <<EOF
 organization = Example Company
 cn = ldap01.example.com
 tls_www_server
@@ -77,14 +78,14 @@ expiration_days = 3650
 EOF"
 
 # Create the server certificate
-sudo certtool --generate-certificate \
+certtool --generate-certificate \
   --load-privkey /etc/ssl/private/ldap01_slapd_key.pem \
   --load-ca-certificate /etc/ssl/certs/cacert.pem \
   --load-ca-privkey /etc/ssl/private/cakey.pem \
   --template /etc/ssl/ldap01.info \
   --outfile /etc/ssl/certs/ldap01_slapd_cert.pem
 
-sudo ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF | true
+ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF | true
 dn: cn=config
 add: olcTLSCACertificateFile
 olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
@@ -101,11 +102,11 @@ EOF
 # protected by TLS/SSL whereas LDAPS, like HTTPS, is a distinct
 # encrypted-from-the-start protocol that operates over TCP port 636. But we
 # enable it for testing here.
-sudo sed -i -e 's|^SLAPD_SERVICES="\(.*\)"|SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"|' /etc/default/slapd
+sed -i -e 's|^SLAPD_SERVICES="\(.*\)"|SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"|' /etc/default/slapd
 
-sudo adduser openldap ssl-cert
-sudo chgrp ssl-cert /etc/ssl/private/ldap01_slapd_key.pem
-sudo chmod g+r /etc/ssl/private/ldap01_slapd_key.pem
-sudo chmod o-r /etc/ssl/private/ldap01_slapd_key.pem
+adduser openldap ssl-cert
+chgrp ssl-cert /etc/ssl/private/ldap01_slapd_key.pem
+chmod g+r /etc/ssl/private/ldap01_slapd_key.pem
+chmod o-r /etc/ssl/private/ldap01_slapd_key.pem
 
-sudo service slapd restart
+service slapd restart

data/test/test_auth_adapter.rb

@@ -0,0 +1,11 @@
+require 'test_helper'
+
+class TestAuthAdapter < Test::Unit::TestCase
+  def test_undefined_auth_adapter
+    flexmock(TCPSocket).should_receive(:new).ordered.with('ldap.example.com', 379).once.and_return(nil)
+    conn = Net::LDAP::Connection.new(host: 'ldap.example.com', port: 379)
+    assert_raise Net::LDAP::AuthMethodUnsupportedError, "Unsupported auth method (foo)" do
+      conn.bind(method: :foo)
+    end
+  end
+end

data/test/test_filter_parser.rb

@@ -14,6 +14,10 @@ class TestFilterParser < Test::Unit::TestCase
     assert_kind_of Net::LDAP::Filter, Net::LDAP::Filter::FilterParser.parse("(cn=[{something}])")
   end
 
+  def test_slash
+    assert_kind_of Net::LDAP::Filter, Net::LDAP::Filter::FilterParser.parse("(departmentNumber=FOO//BAR/FOO)")
+  end
+
   def test_colons
     assert_kind_of Net::LDAP::Filter, Net::LDAP::Filter::FilterParser.parse("(ismemberof=cn=edu:berkeley:app:calmessages:deans,ou=campus groups,dc=berkeley,dc=edu)")
   end

data/test/test_helper.rb

@@ -56,7 +56,7 @@ class LDAPIntegrationTestCase < Test::Unit::TestCase
     @service = MockInstrumentationService.new
     @ldap = Net::LDAP.new \
       host:           ENV.fetch('INTEGRATION_HOST', 'localhost'),
-      port:           389,
+      port:           ENV.fetch('INTEGRATION_PORT', 389),
       admin_user:     'uid=admin,dc=rubyldap,dc=com',
       admin_password: 'passworD1',
       search_domains: %w(dc=rubyldap,dc=com),

data/test/test_ldap.rb

@@ -57,4 +57,11 @@ class TestLDAPInstrumentation < Test::Unit::TestCase
     assert_equal "(uid=user1)", payload[:filter]
     assert_equal result.size, payload[:size]
   end
+
+  def test_obscure_auth
+    password = "opensesame"
+    assert_include(@subject.inspect, "anonymous")
+    @subject.auth "joe_user", password
+    assert_not_include(@subject.inspect, password)
+  end
 end

data/test/test_ldap_connection.rb

@@ -1,6 +1,52 @@
 require_relative 'test_helper'
 
 class TestLDAPConnection < Test::Unit::TestCase
+  def capture_stderr
+    stderr, $stderr = $stderr, StringIO.new
+    yield
+    $stderr.string
+  ensure
+    $stderr = stderr
+  end
+
+  def test_list_of_hosts_with_first_host_successful
+    hosts = [
+      ['test.mocked.com', 636],
+      ['test2.mocked.com', 636],
+      ['test3.mocked.com', 636],
+    ]
+    flexmock(TCPSocket).should_receive(:new).ordered.with(*hosts[0]).once.and_return(nil)
+    flexmock(TCPSocket).should_receive(:new).ordered.never
+    Net::LDAP::Connection.new(:hosts => hosts)
+  end
+
+  def test_list_of_hosts_with_first_host_failure
+    hosts = [
+      ['test.mocked.com', 636],
+      ['test2.mocked.com', 636],
+      ['test3.mocked.com', 636],
+    ]
+    flexmock(TCPSocket).should_receive(:new).ordered.with(*hosts[0]).once.and_raise(SocketError)
+    flexmock(TCPSocket).should_receive(:new).ordered.with(*hosts[1]).once.and_return(nil)
+    flexmock(TCPSocket).should_receive(:new).ordered.never
+    Net::LDAP::Connection.new(:hosts => hosts)
+  end
+
+  def test_list_of_hosts_with_all_hosts_failure
+    hosts = [
+      ['test.mocked.com', 636],
+      ['test2.mocked.com', 636],
+      ['test3.mocked.com', 636],
+    ]
+    flexmock(TCPSocket).should_receive(:new).ordered.with(*hosts[0]).once.and_raise(SocketError)
+    flexmock(TCPSocket).should_receive(:new).ordered.with(*hosts[1]).once.and_raise(SocketError)
+    flexmock(TCPSocket).should_receive(:new).ordered.with(*hosts[2]).once.and_raise(SocketError)
+    flexmock(TCPSocket).should_receive(:new).ordered.never
+    assert_raise Net::LDAP::ConnectionError do
+      Net::LDAP::Connection.new(:hosts => hosts)
+    end
+  end
+
   def test_unresponsive_host
     assert_raise Net::LDAP::Error do
       Net::LDAP::Connection.new(:host => 'test.mocked.com', :port => 636)
@@ -14,6 +60,16 @@ class TestLDAPConnection < Test::Unit::TestCase
     end
   end
 
+  def test_connection_refused
+    flexmock(TCPSocket).should_receive(:new).and_raise(Errno::ECONNREFUSED)
+    stderr = capture_stderr do
+      assert_raise Net::LDAP::ConnectionRefusedError do
+        Net::LDAP::Connection.new(:host => 'test.mocked.com', :port => 636)
+      end
+    end
+    assert_equal("Deprecation warning: Net::LDAP::ConnectionRefused will be deprecated. Use Errno::ECONNREFUSED instead.\n",  stderr)
+  end
+
   def test_raises_unknown_exceptions
     error = Class.new(StandardError)
     flexmock(TCPSocket).should_receive(:new).and_raise(error)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: net-ldap
 version: !ruby/object:Gem::Version
-  version: '0.11'
+  version: 0.12.0
 platform: ruby
 authors:
 - Francis Cianfrocca
@@ -13,7 +13,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-01-21 00:00:00.000000000 Z
+date: 2015-10-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: flexmock
@@ -57,6 +57,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.28.0
+- !ruby/object:Gem::Dependency
+  name: test-unit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: |-
   Net::LDAP for Ruby (also called net-ldap) implements client access for the
   Lightweight Directory Access Protocol (LDAP), an IETF standard protocol for
@@ -106,6 +120,10 @@ files:
 - lib/net/ber/core_ext/string.rb
 - lib/net/ber/core_ext/true_class.rb
 - lib/net/ldap.rb
+- lib/net/ldap/auth_adapter.rb
+- lib/net/ldap/auth_adapter/gss_spnego.rb
+- lib/net/ldap/auth_adapter/sasl.rb
+- lib/net/ldap/auth_adapter/simple.rb
 - lib/net/ldap/connection.rb
 - lib/net/ldap/dataset.rb
 - lib/net/ldap/dn.rb
@@ -118,6 +136,7 @@ files:
 - lib/net/ldap/version.rb
 - lib/net/snmp.rb
 - net-ldap.gemspec
+- script/changelog
 - script/install-openldap
 - script/package
 - script/release
@@ -139,6 +158,7 @@ files:
 - test/support/vm/openldap/.gitignore
 - test/support/vm/openldap/README.md
 - test/support/vm/openldap/Vagrantfile
+- test/test_auth_adapter.rb
 - test/test_dn.rb
 - test/test_entry.rb
 - test/test_filter.rb
@@ -177,7 +197,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.2.3
 signing_key: 
 specification_version: 4
 summary: Net::LDAP for Ruby (also called net-ldap) implements client access for the
@@ -202,6 +222,7 @@ test_files:
 - test/support/vm/openldap/.gitignore
 - test/support/vm/openldap/README.md
 - test/support/vm/openldap/Vagrantfile
+- test/test_auth_adapter.rb
 - test/test_dn.rb
 - test/test_entry.rb
 - test/test_filter.rb