net-ldap 0.11 → 0.16.0

data/test/integration/test_bind.rb

@@ -2,11 +2,23 @@ require_relative '../test_helper'
 
 class TestBindIntegration < LDAPIntegrationTestCase
   def test_bind_success
-    assert @ldap.bind(method: :simple, username: "uid=user1,ou=People,dc=rubyldap,dc=com", password: "passworD1"), @ldap.get_operation_result.inspect
+    assert @ldap.bind(BIND_CREDS),
+           @ldap.get_operation_result.inspect
+  end
+
+  def test_bind_timeout
+    @ldap.port = 8389
+    error = assert_raise Net::LDAP::Error do
+      @ldap.bind BIND_CREDS
+    end
+    msgs = ['Operation timed out - user specified timeout',
+            'Connection timed out - user specified timeout']
+    assert_send([msgs, :include?, error.message])
   end
 
   def test_bind_anonymous_fail
-    refute @ldap.bind(method: :simple, username: "uid=user1,ou=People,dc=rubyldap,dc=com", password: ""), @ldap.get_operation_result.inspect
+    refute @ldap.bind(BIND_CREDS.merge(password: '')),
+           @ldap.get_operation_result.inspect
 
     result = @ldap.get_operation_result
     assert_equal Net::LDAP::ResultCodeUnwillingToPerform, result.code
@@ -17,18 +29,216 @@ class TestBindIntegration < LDAPIntegrationTestCase
   end
 
   def test_bind_fail
-    refute @ldap.bind(method: :simple, username: "uid=user1,ou=People,dc=rubyldap,dc=com", password: "not my password"), @ldap.get_operation_result.inspect
+    refute @ldap.bind(BIND_CREDS.merge(password: "not my password")),
+           @ldap.get_operation_result.inspect
   end
 
   def test_bind_tls_with_cafile
-    tls_options = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge(:ca_file => CA_FILE)
-    @ldap.encryption(method: :start_tls, tls_options: tls_options)
-    assert @ldap.bind(method: :simple, username: "uid=user1,ou=People,dc=rubyldap,dc=com", password: "passworD1"), @ldap.get_operation_result.inspect
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: TLS_OPTS.merge(ca_file: CA_FILE),
+    )
+    assert @ldap.bind(BIND_CREDS),
+           @ldap.get_operation_result.inspect
+  end
+
+  def test_bind_tls_with_bad_hostname_verify_none_no_ca_passes
+    @ldap.host = '127.0.0.1'
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: { verify_mode: OpenSSL::SSL::VERIFY_NONE },
+    )
+    assert @ldap.bind(BIND_CREDS),
+           @ldap.get_operation_result.inspect
+  end
+
+  def test_bind_tls_with_bad_hostname_verify_none_no_ca_opt_merge_passes
+    @ldap.host = '127.0.0.1'
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: TLS_OPTS.merge(verify_mode: OpenSSL::SSL::VERIFY_NONE),
+    )
+    assert @ldap.bind(BIND_CREDS),
+           @ldap.get_operation_result.inspect
+  end
+
+  def test_bind_tls_with_bad_hostname_verify_peer_ca_fails
+    @ldap.host = '127.0.0.1'
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: { verify_mode: OpenSSL::SSL::VERIFY_PEER,
+                     ca_file:     CA_FILE },
+    )
+    error = assert_raise Net::LDAP::Error,
+                         Net::LDAP::ConnectionRefusedError do
+      @ldap.bind BIND_CREDS
+    end
+    assert_equal(
+      "hostname \"#{@ldap.host}\" does not match the server certificate",
+      error.message,
+    )
+  end
+
+  def test_bind_tls_with_bad_hostname_ca_default_opt_merge_fails
+    @ldap.host = '127.0.0.1'
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: TLS_OPTS.merge(ca_file: CA_FILE),
+    )
+    error = assert_raise Net::LDAP::Error,
+                         Net::LDAP::ConnectionRefusedError do
+      @ldap.bind BIND_CREDS
+    end
+    assert_equal(
+      "hostname \"#{@ldap.host}\" does not match the server certificate",
+      error.message,
+    )
+  end
+
+  def test_bind_tls_with_bad_hostname_ca_no_opt_merge_fails
+    @ldap.host = '127.0.0.1'
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: { ca_file: CA_FILE },
+    )
+    error = assert_raise Net::LDAP::Error,
+                         Net::LDAP::ConnectionRefusedError do
+      @ldap.bind BIND_CREDS
+    end
+    assert_equal(
+      "hostname \"#{@ldap.host}\" does not match the server certificate",
+      error.message,
+    )
+  end
+
+  def test_bind_tls_with_valid_hostname_default_opts_passes
+    @ldap.host = 'localhost'
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: TLS_OPTS.merge(verify_mode: OpenSSL::SSL::VERIFY_PEER,
+                                  ca_file:     CA_FILE),
+    )
+    assert @ldap.bind(BIND_CREDS),
+           @ldap.get_operation_result.inspect
+  end
+
+  def test_bind_tls_with_valid_hostname_just_verify_peer_ca_passes
+    @ldap.host = 'localhost'
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: { verify_mode: OpenSSL::SSL::VERIFY_PEER,
+                     ca_file:     CA_FILE },
+    )
+    assert @ldap.bind(BIND_CREDS),
+           @ldap.get_operation_result.inspect
+  end
+
+  def test_bind_tls_with_bogus_hostname_system_ca_fails
+    @ldap.host = '127.0.0.1'
+    @ldap.encryption(method: :start_tls, tls_options: {})
+    error = assert_raise Net::LDAP::Error,
+                         Net::LDAP::ConnectionRefusedError do
+      @ldap.bind BIND_CREDS
+    end
+    assert_equal(
+      "hostname \"#{@ldap.host}\" does not match the server certificate",
+      error.message,
+    )
   end
 
-  def test_bind_tls_with_verify_none
-    tls_options = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge(:verify_mode => OpenSSL::SSL::VERIFY_NONE)
-    @ldap.encryption(method: :start_tls, tls_options: tls_options)
-    assert @ldap.bind(method: :simple, username: "uid=user1,ou=People,dc=rubyldap,dc=com", password: "passworD1"), @ldap.get_operation_result.inspect
+  # The following depend on /etc/hosts hacking.
+  # We can do that on CI, but it's less than cool on people's dev boxes
+  def test_bind_tls_with_multiple_hosts
+    omit_unless ENV['TRAVIS'] == 'true'
+
+    @ldap.host = nil
+    @ldap.hosts = [['ldap01.example.com', 389], ['ldap02.example.com', 389]]
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: TLS_OPTS.merge(verify_mode: OpenSSL::SSL::VERIFY_PEER,
+                                  ca_file:     CA_FILE),
+    )
+    assert @ldap.bind(BIND_CREDS),
+           @ldap.get_operation_result.inspect
+  end
+
+  def test_bind_tls_with_multiple_bogus_hosts
+    omit_unless ENV['TRAVIS'] == 'true'
+
+    @ldap.host = nil
+    @ldap.hosts = [['127.0.0.1', 389], ['bogus.example.com', 389]]
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: TLS_OPTS.merge(verify_mode: OpenSSL::SSL::VERIFY_PEER,
+                                  ca_file:     CA_FILE),
+    )
+    error = assert_raise Net::LDAP::Error,
+                         Net::LDAP::ConnectionError do
+      @ldap.bind BIND_CREDS
+    end
+    assert_equal("Unable to connect to any given server: ",
+                 error.message.split("\n").shift)
+  end
+
+  def test_bind_tls_with_multiple_bogus_hosts_no_verification
+    omit_unless ENV['TRAVIS'] == 'true'
+
+    @ldap.host = nil
+    @ldap.hosts = [['127.0.0.1', 389], ['bogus.example.com', 389]]
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: TLS_OPTS.merge(verify_mode: OpenSSL::SSL::VERIFY_NONE),
+    )
+    assert @ldap.bind(BIND_CREDS),
+           @ldap.get_operation_result.inspect
+  end
+
+  def test_bind_tls_with_multiple_bogus_hosts_ca_check_only_fails
+    omit_unless ENV['TRAVIS'] == 'true'
+
+    @ldap.host = nil
+    @ldap.hosts = [['127.0.0.1', 389], ['bogus.example.com', 389]]
+    @ldap.encryption(
+      method: :start_tls,
+      tls_options: { ca_file: CA_FILE },
+    )
+    error = assert_raise Net::LDAP::Error,
+                         Net::LDAP::ConnectionError do
+      @ldap.bind BIND_CREDS
+    end
+    assert_equal("Unable to connect to any given server: ",
+                 error.message.split("\n").shift)
+  end
+
+  # This test is CI-only because we can't add the fixture CA
+  # to the system CA store on people's dev boxes.
+  def test_bind_tls_valid_hostname_system_ca_on_travis_passes
+    omit_unless ENV['TRAVIS'] == 'true'
+
+    @ldap.encryption(
+      method: :start_tls,
+      tls_options: { verify_mode: OpenSSL::SSL::VERIFY_PEER },
+    )
+    assert @ldap.bind(BIND_CREDS),
+           @ldap.get_operation_result.inspect
+  end
+
+  # Inverse of the above! Don't run this on Travis, only on Vagrant.
+  # Since Vagrant's hypervisor *won't* have the CA in the system
+  # x509 store, we can assume validation will fail
+  def test_bind_tls_valid_hostname_system_on_vagrant_fails
+    omit_if ENV['TRAVIS'] == 'true'
+
+    @ldap.encryption(
+      method: :start_tls,
+      tls_options: { verify_mode: OpenSSL::SSL::VERIFY_PEER },
+    )
+    error = assert_raise Net::LDAP::Error do
+      @ldap.bind BIND_CREDS
+    end
+    assert_equal(
+      "SSL_connect returned=1 errno=0 state=error: certificate verify failed",
+      error.message,
+    )
   end
 end

data/test/integration/test_delete.rb

@@ -12,7 +12,7 @@ class TestDeleteIntegration < LDAPIntegrationTestCase
       uid:  "delete-user1",
       cn:   "delete-user1",
       sn:   "delete-user1",
-      mail: "delete-user1@rubyldap.com"
+      mail: "delete-user1@rubyldap.com",
     }
     unless @ldap.search(base: @dn, scope: Net::LDAP::SearchScope_BaseObject)
       assert @ldap.add(dn: @dn, attributes: attrs), @ldap.get_operation_result.inspect

data/test/integration/test_open.rb

@@ -63,7 +63,7 @@ class TestBindIntegration < LDAPIntegrationTestCase
       uid:  "nested-open-added-user1",
       cn:   "nested-open-added-user1",
       sn:   "nested-open-added-user1",
-      mail: "nested-open-added-user1@rubyldap.com"
+      mail: "nested-open-added-user1@rubyldap.com",
     }
 
     @ldap.authenticate "cn=admin,dc=rubyldap,dc=com", "passworD1"

data/test/integration/test_password_modify.rb

@@ -0,0 +1,80 @@
+require_relative '../test_helper'
+
+class TestPasswordModifyIntegration < LDAPIntegrationTestCase
+  def setup
+    super
+    @ldap.authenticate 'cn=admin,dc=rubyldap,dc=com', 'passworD1'
+
+    @dn = 'uid=modify-password-user1,ou=People,dc=rubyldap,dc=com'
+
+    attrs = {
+      objectclass: %w(top inetOrgPerson organizationalPerson person),
+      uid: 'modify-password-user1',
+      cn: 'modify-password-user1',
+      sn: 'modify-password-user1',
+      mail: 'modify-password-user1@rubyldap.com',
+      userPassword: 'passworD1',
+    }
+    unless @ldap.search(base: @dn, scope: Net::LDAP::SearchScope_BaseObject)
+      assert @ldap.add(dn: @dn, attributes: attrs), @ldap.get_operation_result.inspect
+    end
+    assert @ldap.search(base: @dn, scope: Net::LDAP::SearchScope_BaseObject)
+
+    @auth = {
+      method: :simple,
+      username: @dn,
+      password: 'passworD1',
+    }
+  end
+
+  def test_password_modify
+    assert @ldap.password_modify(dn: @dn,
+                                 auth: @auth,
+                                 old_password: 'passworD1',
+                                 new_password: 'passworD2')
+
+    assert @ldap.get_operation_result.extended_response.nil?,
+      'Should not have generated a new password'
+
+    refute @ldap.bind(username: @dn, password: 'passworD1', method: :simple),
+      'Old password should no longer be valid'
+
+    assert @ldap.bind(username: @dn, password: 'passworD2', method: :simple),
+      'New password should be valid'
+  end
+
+  def test_password_modify_generate
+    assert @ldap.password_modify(dn: @dn,
+                                 auth: @auth,
+                                 old_password: 'passworD1')
+
+    generated_password = @ldap.get_operation_result.extended_response[0][0]
+
+    assert generated_password, 'Should have generated a password'
+
+    refute @ldap.bind(username: @dn, password: 'passworD1', method: :simple),
+      'Old password should no longer be valid'
+
+    assert @ldap.bind(username: @dn, password: generated_password, method: :simple),
+      'New password should be valid'
+  end
+
+  def test_password_modify_generate_no_old_password
+    assert @ldap.password_modify(dn: @dn,
+                                 auth: @auth)
+
+    generated_password = @ldap.get_operation_result.extended_response[0][0]
+
+    assert generated_password, 'Should have generated a password'
+
+    refute @ldap.bind(username: @dn, password: 'passworD1', method: :simple),
+      'Old password should no longer be valid'
+
+    assert @ldap.bind(username: @dn, password: generated_password, method: :simple),
+      'New password should be valid'
+  end
+
+  def teardown
+    @ldap.delete dn: @dn
+  end
+end

data/test/integration/test_search.rb

@@ -57,7 +57,7 @@ class TestSearchIntegration < LDAPIntegrationTestCase
       entries << entry
     end
 
-    payload, _ = events.pop
+    payload, = events.pop
     assert_equal 5, payload[:time]
     assert_equal entries, result
   end

data/test/support/vm/openldap/README.md

@@ -1,8 +1,31 @@
 # Local OpenLDAP Integration Testing
 
-Set up a [Vagrant](http://www.vagrantup.com/) VM to run integration tests against OpenLDAP locally.
+Set up a [Vagrant](http://www.vagrantup.com/) VM to run integration
+tests against OpenLDAP locally. *NOTE*: To support some of the SSL tests,
+Vagrant forwards localhost port 9389 to VM host port 9389. The port mapping
+goes away when you run `vagrant destroy`.
 
-To run integration tests locally:
+## Install Vagrant
+
+*NOTE*: The Vagrant gem (`gem install vagrant`) is
+[no longer supported](https://www.vagrantup.com/docs/installation/). If you've
+previously installed it, run `gem uninstall vagrant`. If you're an rbenv
+user, you probably want to follow that up with `rbenv rehash; hash -r`.
+
+If you use Homebrew on macOS:
+``` bash
+$ brew update
+$ brew cask install virtualbox
+$ brew cask install vagrant
+$ brew cask install vagrant-manager
+$ vagrant plugin install vagrant-vbguest
+```
+
+Installing Vagrant and virtualbox on other operating systems is left
+as an exercise to the reader. Note the `vagrant-vbguest` plugin is required
+to update the VirtualBox guest extensions in the guest VM image.
+
+## Run the tests
 
 ``` bash
 # start VM (from the correct directory)
@@ -15,6 +38,9 @@ $ ip=$(vagrant ssh -- "ifconfig eth1 | grep -o -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]
 # change back to root project directory
 $ cd ../../../..
 
+# set the TCP port for testing
+$ export INTEGRATION_PORT=9389
+
 # run all tests, including integration tests
 $ time INTEGRATION=openldap INTEGRATION_HOST=$ip bundle exec rake
 
@@ -27,6 +53,12 @@ $ export INTEGRATION_HOST=$ip
 
 # now run tests without having to set ENV variables
 $ time bundle exec rake
+
+# Once you're all done
+$ cd test/support/vm/openldap
+$ vagrant destroy
 ```
 
-You may need to `gem install vagrant` first in order to provision the VM.
+If at any point your VM appears to have broken itself, `vagrant destroy`
+from the `test/support/vm/openldap` directory will blow it away. You can
+then do `vagrant up` and start over.

data/test/support/vm/openldap/Vagrantfile

@@ -10,6 +10,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
   config.vm.box = "hashicorp/precise64"
 
   config.vm.network "private_network", type: :dhcp
+  config.vm.network "forwarded_port", guest: 389, host: 9389
 
   config.ssh.forward_agent = true
 

data/test/test_auth_adapter.rb

@@ -0,0 +1,15 @@
+require 'test_helper'
+
+class TestAuthAdapter < Test::Unit::TestCase
+  class FakeSocket
+    def initialize(*args)
+    end
+  end
+
+  def test_undefined_auth_adapter
+    conn = Net::LDAP::Connection.new(host: 'ldap.example.com', port: 379, :socket_class => FakeSocket)
+    assert_raise Net::LDAP::AuthMethodUnsupportedError, "Unsupported auth method (foo)" do
+      conn.bind(method: :foo)
+    end
+  end
+end

data/test/test_dn.rb

@@ -13,17 +13,17 @@ class TestDN < Test::Unit::TestCase
 
   def test_to_a
     dn = Net::LDAP::DN.new('cn=James, ou=Company\\,\\20LLC')
-    assert_equal ['cn','James','ou','Company, LLC'], dn.to_a
+    assert_equal ['cn', 'James', 'ou', 'Company, LLC'], dn.to_a
   end
 
   def test_to_a_parenthesis
     dn = Net::LDAP::DN.new('cn =  \ James , ou  =  "Comp\28ny"  ')
-    assert_equal ['cn',' James','ou','Comp(ny'], dn.to_a
+    assert_equal ['cn', ' James', 'ou', 'Comp(ny'], dn.to_a
   end
 
   def test_to_a_hash_symbol
     dn = Net::LDAP::DN.new('1.23.4=  #A3B4D5  ,ou=Company')
-    assert_equal ['1.23.4','#A3B4D5','ou','Company'], dn.to_a
+    assert_equal ['1.23.4', '#A3B4D5', 'ou', 'Company'], dn.to_a
   end
 
   # TODO: raise a more specific exception than RuntimeError

data/test/test_filter.rb

@@ -13,11 +13,11 @@ class TestFilter < Test::Unit::TestCase
   end
 
   def test_invalid_filter
-    assert_raises(Net::LDAP::OperatorError) {
+    assert_raises(Net::LDAP::OperatorError) do
       # This test exists to prove that our constructor blocks unknown filter
       # types. All filters must be constructed using helpers.
       Filter.__send__(:new, :xx, nil, nil)
-    }
+    end
   end
 
   def test_to_s
@@ -144,7 +144,7 @@ class TestFilterRSpec < Test::Unit::TestCase
     '(:dn:2.4.8.10:=Dino)',
     '(cn:dn:1.2.3.4.5:=John Smith)',
     '(sn:dn:2.4.6.8.10:=Barbara Jones)',
-    '(&(sn:dn:2.4.6.8.10:=Barbara Jones))'
+    '(&(sn:dn:2.4.6.8.10:=Barbara Jones))',
   ].each_with_index do |filter_str, index|
     define_method "test_decode_filter_#{index}" do
       filter = Net::LDAP::Filter.from_rfc2254(filter_str)
@@ -195,7 +195,7 @@ class TestFilterRSpec < Test::Unit::TestCase
       "foo" "\\2A\\5C" "bar",
       "foo" "\\2a\\5c" "bar",
       "foo" "\\2A\\5c" "bar",
-      "foo" "\\2a\\5C" "bar"
+      "foo" "\\2a\\5C" "bar",
     ].each do |escaped|
       # unescapes escaped characters
       filter = Net::LDAP::Filter.eq("objectclass", "#{escaped}*#{escaped}*#{escaped}")

data/test/test_filter_parser.rb

@@ -14,6 +14,10 @@ class TestFilterParser < Test::Unit::TestCase
     assert_kind_of Net::LDAP::Filter, Net::LDAP::Filter::FilterParser.parse("(cn=[{something}])")
   end
 
+  def test_slash
+    assert_kind_of Net::LDAP::Filter, Net::LDAP::Filter::FilterParser.parse("(departmentNumber=FOO//BAR/FOO)")
+  end
+
   def test_colons
     assert_kind_of Net::LDAP::Filter, Net::LDAP::Filter::FilterParser.parse("(ismemberof=cn=edu:berkeley:app:calmessages:deans,ou=campus groups,dc=berkeley,dc=edu)")
   end

data/test/test_helper.rb

@@ -14,10 +14,18 @@ CA_FILE =
     if File.exist?("/etc/ssl/certs/cacert.pem")
       "/etc/ssl/certs/cacert.pem"
     else
-      File.expand_path("fixtures/cacert.pem", File.dirname(__FILE__))
+      File.expand_path("fixtures/ca/cacert.pem", File.dirname(__FILE__))
     end
   end
 
+BIND_CREDS = {
+  method:   :simple,
+  username: "uid=user1,ou=People,dc=rubyldap,dc=com",
+  password: "passworD1",
+}.freeze
+
+TLS_OPTS = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge({}).freeze
+
 if RUBY_VERSION < "2.0"
   class String
     def b
@@ -56,7 +64,7 @@ class LDAPIntegrationTestCase < Test::Unit::TestCase
     @service = MockInstrumentationService.new
     @ldap = Net::LDAP.new \
       host:           ENV.fetch('INTEGRATION_HOST', 'localhost'),
-      port:           389,
+      port:           ENV.fetch('INTEGRATION_PORT', 389),
       admin_user:     'uid=admin,dc=rubyldap,dc=com',
       admin_password: 'passworD1',
       search_domains: %w(dc=rubyldap,dc=com),

data/test/test_ldap.rb

@@ -1,6 +1,28 @@
 require 'test_helper'
 
 class TestLDAPInstrumentation < Test::Unit::TestCase
+  # Fake Net::LDAP::Connection for testing
+  class FakeConnection
+    # It's difficult to instantiate Net::LDAP::PDU objects. Faking out what we
+    # need here until that object is brought under test and has it's constructor
+    # cleaned up.
+    class Result < Struct.new(:success?, :result_code); end
+
+    def initialize
+      @bind_success = Result.new(true, Net::LDAP::ResultCodeSuccess)
+      @search_success = Result.new(true, Net::LDAP::ResultCodeSizeLimitExceeded)
+    end
+
+    def bind(args = {})
+      @bind_success
+    end
+
+    def search(*args)
+      yield @search_success if block_given?
+      @search_success
+    end
+  end
+
   def setup
     @connection = flexmock(:connection, :close => true)
     flexmock(Net::LDAP::Connection).should_receive(:new).and_return(@connection)
@@ -15,8 +37,9 @@ class TestLDAPInstrumentation < Test::Unit::TestCase
   def test_instrument_bind
     events = @service.subscribe "bind.net_ldap"
 
-    bind_result = flexmock(:bind_result, :success? => true)
-    flexmock(@connection).should_receive(:bind).with(Hash).and_return(bind_result)
+    fake_connection = FakeConnection.new
+    @subject.connection = fake_connection
+    bind_result = fake_connection.bind
 
     assert @subject.bind
 
@@ -28,10 +51,9 @@ class TestLDAPInstrumentation < Test::Unit::TestCase
   def test_instrument_search
     events = @service.subscribe "search.net_ldap"
 
-    flexmock(@connection).should_receive(:bind).and_return(flexmock(:bind_result, :result_code => Net::LDAP::ResultCodeSuccess))
-    flexmock(@connection).should_receive(:search).with(Hash, Proc).
-                yields(entry = Net::LDAP::Entry.new("uid=user1,ou=users,dc=example,dc=com")).
-                and_return(flexmock(:search_result, :success? => true, :result_code => Net::LDAP::ResultCodeSuccess))
+    fake_connection = FakeConnection.new
+    @subject.connection = fake_connection
+    entry = fake_connection.search
 
     refute_nil @subject.search(:filter => "(uid=user1)")
 
@@ -44,10 +66,9 @@ class TestLDAPInstrumentation < Test::Unit::TestCase
   def test_instrument_search_with_size
     events = @service.subscribe "search.net_ldap"
 
-    flexmock(@connection).should_receive(:bind).and_return(flexmock(:bind_result, :result_code => Net::LDAP::ResultCodeSuccess))
-    flexmock(@connection).should_receive(:search).with(Hash, Proc).
-                yields(entry = Net::LDAP::Entry.new("uid=user1,ou=users,dc=example,dc=com")).
-                and_return(flexmock(:search_result, :success? => true, :result_code => Net::LDAP::ResultCodeSizeLimitExceeded))
+    fake_connection = FakeConnection.new
+    @subject.connection = fake_connection
+    entry = fake_connection.search
 
     refute_nil @subject.search(:filter => "(uid=user1)", :size => 1)
 
@@ -57,4 +78,37 @@ class TestLDAPInstrumentation < Test::Unit::TestCase
     assert_equal "(uid=user1)", payload[:filter]
     assert_equal result.size, payload[:size]
   end
+
+  def test_obscure_auth
+    password = "opensesame"
+    assert_include(@subject.inspect, "anonymous")
+    @subject.auth "joe_user", password
+    assert_not_include(@subject.inspect, password)
+  end
+
+  def test_encryption
+    enc = @subject.encryption('start_tls')
+
+    assert_equal enc[:method], :start_tls
+  end
+
+  def test_normalize_encryption_symbol
+    enc = @subject.send(:normalize_encryption, :start_tls)
+    assert_equal enc, {:method => :start_tls, :tls_options => {}}
+  end
+
+  def test_normalize_encryption_nil
+    enc = @subject.send(:normalize_encryption, nil)
+    assert_equal enc, nil
+  end
+
+  def test_normalize_encryption_string
+    enc = @subject.send(:normalize_encryption, 'start_tls')
+    assert_equal enc, {:method => :start_tls, :tls_options => {}}
+  end
+
+  def test_normalize_encryption_hash
+    enc = @subject.send(:normalize_encryption, {:method => :start_tls, :tls_options => {:foo => :bar}})
+    assert_equal enc, {:method => :start_tls, :tls_options => {:foo => :bar}}
+  end
 end