net-ldap 0.14.0 → 0.16.3

data/.travis.yml

@@ -3,11 +3,24 @@ rvm:
   - 2.0.0
   - 2.1
   - 2.2
+  - 2.3
+  - 2.4
+  - 2.5
+  - 2.6
+  - 2.7
+  - jruby-9.2
   # optional
   - ruby-head
   - jruby-19mode
+  - jruby-9.2
   - jruby-head
-  - rbx-2
+
+addons:
+  hosts:
+    - ldap.example.org # needed for TLS verification
+
+services:
+  - docker
 
 env:
   - INTEGRATION=openldap
@@ -16,7 +29,18 @@ before_install:
   - gem update bundler
 
 install:
-  - if [ "$INTEGRATION" = "openldap" ]; then sudo script/install-openldap; fi
+  - >
+    docker run \
+      --hostname ldap.example.org \
+      --env LDAP_TLS_VERIFY_CLIENT=try \
+      -p 389:389 \
+      -p 636:636 \
+      -v "$(pwd)"/test/fixtures/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom \
+      --name openldap \
+      --detach \
+      osixia/openldap:1.3.0 \
+        --copy-service \
+        --loglevel debug \
   - bundle install
 
 script: bundle exec rake ci
@@ -25,8 +49,8 @@ matrix:
   allow_failures:
     - rvm: ruby-head
     - rvm: jruby-19mode
+    - rvm: jruby-9.2
     - rvm: jruby-head
-    - rvm: rbx-2
   fast_finish: true
 
 notifications:

data/CONTRIBUTING.md

@@ -49,6 +49,6 @@ MyClass.new \
   baz: 'garply'
 ```
 
-[issues]: https://github.com/ruby-net-ldap/ruby-net-ldap/issues
+[issues]: https://github.com/ruby-ldap/ruby-net-ldap/issues
 [pr]: https://help.github.com/articles/using-pull-requests
 [travis]: https://travis-ci.org/ruby-ldap/ruby-net-ldap

data/History.rdoc

@@ -1,3 +1,24 @@
+=== Net::LDAP 0.16.2
+
+* Net::LDAP#open does not cache bind result {#334}[https://github.com/ruby-ldap/ruby-net-ldap/pull/334]
+* Fix CI build {#333}[https://github.com/ruby-ldap/ruby-net-ldap/pull/333]
+* Fix to "undefined method 'result_code'" {#308}[https://github.com/ruby-ldap/ruby-net-ldap/pull/308]
+* Fixed Exception: incompatible character encodings: ASCII-8BIT and UTF-8 in filter.rb {#285}[https://github.com/ruby-ldap/ruby-net-ldap/pull/285]
+
+=== Net::LDAP 0.16.1
+
+* Send DN and newPassword with password_modify request {#271}[https://github.com/ruby-ldap/ruby-net-ldap/pull/271]
+
+=== Net::LDAP 0.16.0
+
+* Sasl fix {#281}[https://github.com/ruby-ldap/ruby-net-ldap/pull/281]
+* enable TLS hostname validation {#279}[https://github.com/ruby-ldap/ruby-net-ldap/pull/279]
+* update rubocop to 0.42.0 {#278}[https://github.com/ruby-ldap/ruby-net-ldap/pull/278]
+
+=== Net::LDAP 0.15.0
+
+* Respect connect_timeout when establishing SSL connections {#273}[https://github.com/ruby-ldap/ruby-net-ldap/pull/273]
+
 === Net::LDAP 0.14.0
 
 * Normalize the encryption parameter passed to the LDAP constructor {#264}[https://github.com/ruby-ldap/ruby-net-ldap/pull/264]

data/README.rdoc

@@ -1,4 +1,4 @@
-= Net::LDAP for Ruby {<img src="https://travis-ci.org/ruby-ldap/ruby-net-ldap.png" />}[https://travis-ci.org/ruby-ldap/ruby-net-ldap]
+= Net::LDAP for Ruby {<img src="https://travis-ci.org/ruby-ldap/ruby-net-ldap.svg" />}[https://travis-ci.org/ruby-ldap/ruby-net-ldap]
 
 == Description
 
@@ -21,7 +21,7 @@ the most recent LDAP RFCs (4510–4519, plus portions of 4520–4532).
 
 == Synopsis
 
-See Net::LDAP for documentation and usage samples.
+See {Net::LDAP on rubydoc.info}[https://www.rubydoc.info/gems/net-ldap/Net/LDAP] for documentation and usage samples.
 
 == Requirements
 
@@ -52,12 +52,15 @@ This task will run the test suite and the
 
   rake rubotest
 
-To run the integration tests against an LDAP server:
+CI takes too long? If your local box supports
+{Docker}[https://www.docker.com/], you can also run integration tests locally.
+Simply run:
 
-  cd test/support/vm/openldap
-  vagrant up
-  cd ../../../..
-  INTEGRATION=openldap bundle exec rake rubotest
+  script/ldap-docker
+  INTEGRATION=openldap rake test
+
+CAVEAT: you need to add the following line to /etc/hosts
+    127.0.0.1 ldap.example.org
 
 == Release
 

data/Rakefile

@@ -15,7 +15,7 @@ Rake::TestTask.new do |t|
 end
 
 desc 'Run tests and RuboCop (RuboCop runs on mri only)'
-task ci: [:test]
+task ci: Bundler.current_ruby.mri? ? [:test, :rubocop] : [:test]
 
 desc 'Run tests and RuboCop'
 task rubotest: [:test, :rubocop]

data/lib/net-ldap.rb

@@ -1,2 +1,2 @@
 # -*- ruby encoding: utf-8 -*-
-require 'net/ldap'
+require_relative 'net/ldap'

data/lib/net/ber.rb

@@ -1,5 +1,5 @@
 # -*- ruby encoding: utf-8 -*-
-require 'net/ldap/version'
+require_relative 'ldap/version'
 
 module Net # :nodoc:
   ##
@@ -327,11 +327,10 @@ class Net::BER::BerIdentifiedString < String
     # Check the encoding of the newly created String and set the encoding
     # to 'UTF-8' (NOTE: we do NOT change the bytes, but only set the
     # encoding to 'UTF-8').
+    return unless encoding == Encoding::BINARY
     current_encoding = encoding
-    if current_encoding == Encoding::BINARY
-      force_encoding('UTF-8')
-      force_encoding(current_encoding) unless valid_encoding?
-    end
+    force_encoding('UTF-8')
+    force_encoding(current_encoding) unless valid_encoding?
   end
 end
 
@@ -350,4 +349,4 @@ module Net::BER
   Null = Net::BER::BerIdentifiedNull.new
 end
 
-require 'net/ber/core_ext'
+require_relative 'ber/core_ext'

data/lib/net/ber/ber_parser.rb

@@ -172,10 +172,10 @@ module Net::BER::BERParser
     yield id, content_length if block_given?
 
     if -1 == content_length
-      raise Net::BER::BerError, "Indeterminite BER content length not implemented."
-    else
-      data = read(content_length)
+      raise Net::BER::BerError,
+            "Indeterminite BER content length not implemented."
     end
+    data = read(content_length)
 
     parse_ber_object(syntax, id, data)
   end

data/lib/net/ber/core_ext.rb

@@ -1,5 +1,5 @@
 # -*- ruby encoding: utf-8 -*-
-require 'net/ber/ber_parser'
+require_relative 'ber_parser'
 # :stopdoc:
 class IO
   include Net::BER::BERParser
@@ -19,35 +19,35 @@ end
 module Net::BER::Extensions # :nodoc:
 end
 
-require 'net/ber/core_ext/string'
+require_relative 'core_ext/string'
 # :stopdoc:
 class String
   include Net::BER::BERParser
   include Net::BER::Extensions::String
 end
 
-require 'net/ber/core_ext/array'
+require_relative 'core_ext/array'
 # :stopdoc:
 class Array
   include Net::BER::Extensions::Array
 end
 # :startdoc:
 
-require 'net/ber/core_ext/integer'
+require_relative 'core_ext/integer'
 # :stopdoc:
 class Integer
   include Net::BER::Extensions::Integer
 end
 # :startdoc:
 
-require 'net/ber/core_ext/true_class'
+require_relative 'core_ext/true_class'
 # :stopdoc:
 class TrueClass
   include Net::BER::Extensions::TrueClass
 end
 # :startdoc:
 
-require 'net/ber/core_ext/false_class'
+require_relative 'core_ext/false_class'
 # :stopdoc:
 class FalseClass
   include Net::BER::Extensions::FalseClass

data/lib/net/ldap.rb

@@ -17,19 +17,19 @@ module Net # :nodoc:
 end
 require 'socket'
 
-require 'net/ber'
-require 'net/ldap/pdu'
-require 'net/ldap/filter'
-require 'net/ldap/dataset'
-require 'net/ldap/password'
-require 'net/ldap/entry'
-require 'net/ldap/instrumentation'
-require 'net/ldap/connection'
-require 'net/ldap/version'
-require 'net/ldap/error'
-require 'net/ldap/auth_adapter'
-require 'net/ldap/auth_adapter/simple'
-require 'net/ldap/auth_adapter/sasl'
+require_relative 'ber'
+require_relative 'ldap/pdu'
+require_relative 'ldap/filter'
+require_relative 'ldap/dataset'
+require_relative 'ldap/password'
+require_relative 'ldap/entry'
+require_relative 'ldap/instrumentation'
+require_relative 'ldap/connection'
+require_relative 'ldap/version'
+require_relative 'ldap/error'
+require_relative 'ldap/auth_adapter'
+require_relative 'ldap/auth_adapter/simple'
+require_relative 'ldap/auth_adapter/sasl'
 
 Net::LDAP::AuthAdapter.register([:simple, :anon, :anonymous], Net::LDAP::AuthAdapter::Simple)
 Net::LDAP::AuthAdapter.register(:sasl, Net::LDAP::AuthAdapter::Sasl)
@@ -476,61 +476,73 @@ class Net::LDAP
   #   specify a treebase. If you give a treebase value in any particular
   #   call to #search, that value will override any treebase value you give
   #   here.
+  # * :force_no_page => Set to true to prevent paged results even if your
+  #   server says it supports them. This is a fix for MS Active Directory
+  # * :instrumentation_service => An object responsible for instrumenting
+  #   operations, compatible with ActiveSupport::Notifications' public API.
   # * :encryption => specifies the encryption to be used in communicating
   #   with the LDAP server. The value must be a Hash containing additional
   #   parameters, which consists of two keys:
   #     method: - :simple_tls or :start_tls
-  #     options: - Hash of options for that method
+  #     tls_options: - Hash of options for that method
   #   The :simple_tls encryption method encrypts <i>all</i> communications
   #   with the LDAP server. It completely establishes SSL/TLS encryption with
   #   the LDAP server before any LDAP-protocol data is exchanged. There is no
   #   plaintext negotiation and no special encryption-request controls are
   #   sent to the server. <i>The :simple_tls option is the simplest, easiest
   #   way to encrypt communications between Net::LDAP and LDAP servers.</i>
-  #   It's intended for cases where you have an implicit level of trust in the
-  #   authenticity of the LDAP server. No validation of the LDAP server's SSL
-  #   certificate is performed. This means that :simple_tls will not produce
-  #   errors if the LDAP server's encryption certificate is not signed by a
-  #   well-known Certification Authority. If you get communications or
-  #   protocol errors when using this option, check with your LDAP server
-  #   administrator. Pay particular attention to the TCP port you are
-  #   connecting to. It's impossible for an LDAP server to support plaintext
-  #   LDAP communications and <i>simple TLS</i> connections on the same port.
-  #   The standard TCP port for unencrypted LDAP connections is 389, but the
-  #   standard port for simple-TLS encrypted connections is 636. Be sure you
-  #   are using the correct port.
-  #
+  #   If you get communications or protocol errors when using this option,
+  #   check with your LDAP server administrator. Pay particular attention
+  #   to the TCP port you are connecting to. It's impossible for an LDAP
+  #   server to support plaintext LDAP communications and <i>simple TLS</i>
+  #   connections on the same port. The standard TCP port for unencrypted
+  #   LDAP connections is 389, but the standard port for simple-TLS
+  #   encrypted connections is 636. Be sure you are using the correct port.
   #   The :start_tls like the :simple_tls encryption method also encrypts all
   #   communcations with the LDAP server. With the exception that it operates
   #   over the standard TCP port.
   #
-  #   In order to verify certificates and enable other TLS options, the
-  #   :tls_options hash can be passed alongside :simple_tls or :start_tls.
-  #   This hash contains any options that can be passed to
-  #   OpenSSL::SSL::SSLContext#set_params(). The most common options passed
-  #   should be OpenSSL::SSL::SSLContext::DEFAULT_PARAMS, or the :ca_file option,
-  #   which contains a path to a Certificate Authority file (PEM-encoded).
-  #
-  #   Example for a default setup without custom settings:
-  #     {
-  #       :method => :simple_tls,
-  #       :tls_options => OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
-  #     }
-  #
-  #   Example for specifying a CA-File and only allowing TLSv1.1 connections:
+  #   To validate the LDAP server's certificate (a security must if you're
+  #   talking over the public internet), you need to set :tls_options
+  #   something like this...
   #
-  #     {
-  #       :method => :start_tls,
-  #       :tls_options => { :ca_file => "/etc/cafile.pem", :ssl_version => "TLSv1_1" }
+  #   Net::LDAP.new(
+  #     # ... set host, bind dn, etc ...
+  #     encryption: {
+  #       method: :simple_tls,
+  #       tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS,
   #     }
-  # * :force_no_page => Set to true to prevent paged results even if your
-  #   server says it supports them. This is a fix for MS Active Directory
-  # * :instrumentation_service => An object responsible for instrumenting
-  #   operations, compatible with ActiveSupport::Notifications' public API.
+  #   )
+  #
+  #   The above will use the operating system-provided store of CA
+  #   certificates to validate your LDAP server's cert.
+  #   If cert validation fails, it'll happen during the #bind
+  #   whenever you first try to open a connection to the server.
+  #   Those methods will throw Net::LDAP::ConnectionError with
+  #   a message about certificate verify failing. If your
+  #   LDAP server's certificate is signed by DigiCert, Comodo, etc.,
+  #   you're probably good. If you've got a self-signed cert but it's
+  #   been added to the host's OS-maintained CA store (e.g. on Debian
+  #   add foobar.crt to /usr/local/share/ca-certificates/ and run
+  #   `update-ca-certificates`), then the cert should pass validation.
+  #   To ignore the OS's CA store, put your CA in a PEM-encoded file and...
+  #
+  #   encryption: {
+  #     method:      :simple_tls,
+  #     tls_options: { ca_file:     '/path/to/my-little-ca.pem',
+  #                    ssl_version: 'TLSv1_1' },
+  #   }
+  #
+  #   As you might guess, the above example also fails the connection
+  #   if the client can't negotiate TLS v1.1.
+  #   tls_options is ultimately passed to OpenSSL::SSL::SSLContext#set_params
+  #   For more details, see
+  #    http://ruby-doc.org/stdlib-2.0.0/libdoc/openssl/rdoc/OpenSSL/SSL/SSLContext.html
   #
   # Instantiating a Net::LDAP object does <i>not</i> result in network
   # traffic to the LDAP server. It simply stores the connection and binding
-  # parameters in the object.
+  # parameters in the object. That's why Net::LDAP.new doesn't throw
+  # cert validation errors itself; #bind does instead.
   def initialize(args = {})
     @host = args[:host] || DefaultHost
     @port = args[:port] || DefaultPort
@@ -700,7 +712,7 @@ class Net::LDAP
       begin
         @open_connection = new_connection
         payload[:connection] = @open_connection
-        payload[:bind]       = @open_connection.bind(@auth)
+        payload[:bind]       = @result = @open_connection.bind(@auth)
         yield self
       ensure
         @open_connection.close if @open_connection
@@ -1286,11 +1298,9 @@ class Net::LDAP
     else
       begin
         conn = new_connection
-        if (result = conn.bind(args[:auth] || @auth)).result_code == Net::LDAP::ResultCodeSuccess
-          yield conn
-        else
-          return result
-        end
+        result = conn.bind(args[:auth] || @auth)
+        return result unless result.result_code == Net::LDAP::ResultCodeSuccess
+        yield conn
       ensure
         conn.close if conn
       end

data/lib/net/ldap/auth_adapter/gss_spnego.rb

@@ -1,5 +1,5 @@
-require 'net/ldap/auth_adapter'
-require 'net/ldap/auth_adapter/sasl'
+require_relative '../auth_adapter'
+require_relative 'sasl'
 
 module Net
   class LDAP

data/lib/net/ldap/auth_adapter/sasl.rb

@@ -1,9 +1,11 @@
-require 'net/ldap/auth_adapter'
+require_relative '../auth_adapter'
 
 module Net
   class LDAP
     class AuthAdapter
       class Sasl < Net::LDAP::AuthAdapter
+        MAX_SASL_CHALLENGES = 10
+
         #--
         # Required parameters: :mechanism, :initial_credential and
         # :challenge_response
@@ -47,7 +49,7 @@ module Net
             end
 
             return pdu unless pdu.result_code == Net::LDAP::ResultCodeSaslBindInProgress
-            raise Net::LDAP::SASLChallengeOverflowError, "sasl-challenge overflow" if ((n += 1) > MaxSaslChallenges)
+            raise Net::LDAP::SASLChallengeOverflowError, "sasl-challenge overflow" if ((n += 1) > MAX_SASL_CHALLENGES)
 
             cred = chall.call(pdu.result_server_sasl_creds)
           end

data/lib/net/ldap/auth_adapter/simple.rb

@@ -1,4 +1,4 @@
-require 'net/ldap/auth_adapter'
+require_relative '../auth_adapter'
 
 module Net
   class LDAP

data/lib/net/ldap/connection.rb

@@ -7,7 +7,6 @@ class Net::LDAP::Connection #:nodoc:
   DefaultConnectTimeout = 5
 
   LdapVersion = 3
-  MaxSaslChallenges = 10
 
   # Initialize a connection to an LDAP server
   #
@@ -31,26 +30,36 @@ class Net::LDAP::Connection #:nodoc:
     @socket_class = socket_class
   end
 
-  def prepare_socket(server)
+  def prepare_socket(server, timeout=nil)
     socket = server[:socket]
     encryption = server[:encryption]
 
     @conn = socket
-    setup_encryption encryption if encryption
+    setup_encryption(encryption, timeout) if encryption
   end
 
   def open_connection(server)
     hosts = server[:hosts]
     encryption = server[:encryption]
 
+    timeout = server[:connect_timeout] || DefaultConnectTimeout
     socket_opts = {
-      connect_timeout: server[:connect_timeout] || DefaultConnectTimeout,
+      connect_timeout: timeout,
     }
 
     errors = []
     hosts.each do |host, port|
       begin
-        prepare_socket(server.merge(socket: @socket_class.new(host, port, socket_opts)))
+        prepare_socket(server.merge(socket: @socket_class.new(host, port, socket_opts)), timeout)
+        if encryption
+          if encryption[:tls_options] &&
+             encryption[:tls_options][:verify_mode] &&
+             encryption[:tls_options][:verify_mode] == OpenSSL::SSL::VERIFY_NONE
+            warn "not verifying SSL hostname of LDAPS server '#{host}:#{port}'"
+          else
+            @conn.post_connection_check(host)
+          end
+        end
         return
       rescue Net::LDAP::Error, SocketError, SystemCallError,
              OpenSSL::SSL::SSLError => e
@@ -76,7 +85,7 @@ class Net::LDAP::Connection #:nodoc:
     end
   end
 
-  def self.wrap_with_ssl(io, tls_options = {})
+  def self.wrap_with_ssl(io, tls_options = {}, timeout=nil)
     raise Net::LDAP::NoOpenSSLError, "OpenSSL is unavailable" unless Net::LDAP::HasOpenSSL
 
     ctx = OpenSSL::SSL::SSLContext.new
@@ -86,7 +95,22 @@ class Net::LDAP::Connection #:nodoc:
     ctx.set_params(tls_options) unless tls_options.empty?
 
     conn = OpenSSL::SSL::SSLSocket.new(io, ctx)
-    conn.connect
+
+    begin
+      if timeout
+        conn.connect_nonblock
+      else
+        conn.connect
+      end
+    rescue IO::WaitReadable
+      raise Errno::ETIMEDOUT, "OpenSSL connection read timeout" unless
+        IO.select([conn], nil, nil, timeout)
+      retry
+    rescue IO::WaitWritable
+      raise Errno::ETIMEDOUT, "OpenSSL connection write timeout" unless
+        IO.select(nil, [conn], nil, timeout)
+      retry
+    end
 
     # Doesn't work:
     # conn.sync_close = true
@@ -123,11 +147,11 @@ class Net::LDAP::Connection #:nodoc:
   # communications, as with simple_tls. Thanks for Kouhei Sutou for
   # generously contributing the :start_tls path.
   #++
-  def setup_encryption(args)
+  def setup_encryption(args, timeout=nil)
     args[:tls_options] ||= {}
     case args[:method]
     when :simple_tls
-      @conn = self.class.wrap_with_ssl(@conn, args[:tls_options])
+      @conn = self.class.wrap_with_ssl(@conn, args[:tls_options], timeout)
       # additional branches requiring server validation and peer certs, etc.
       # go here.
     when :start_tls
@@ -143,11 +167,9 @@ class Net::LDAP::Connection #:nodoc:
         raise Net::LDAP::NoStartTLSResultError, "no start_tls result"
       end
 
-      if pdu.result_code.zero?
-        @conn = self.class.wrap_with_ssl(@conn, args[:tls_options])
-      else
-        raise Net::LDAP::StartTLSError, "start_tls failed: #{pdu.result_code}"
-      end
+      raise Net::LDAP::StartTLSError,
+            "start_tls failed: #{pdu.result_code}" unless pdu.result_code.zero?
+      @conn = self.class.wrap_with_ssl(@conn, args[:tls_options], timeout)
     else
       raise Net::LDAP::EncMethodUnsupportedError, "unsupported encryption method #{args[:method]}"
     end
@@ -159,7 +181,7 @@ class Net::LDAP::Connection #:nodoc:
   # have to call it, but perhaps it will come in handy someday.
   #++
   def close
-    return if @conn.nil?
+    return if !defined?(@conn) || @conn.nil?
     @conn.close
     @conn = nil
   end
@@ -177,12 +199,10 @@ class Net::LDAP::Connection #:nodoc:
 
     # read messages until we have a match for the given message_id
     while pdu = read
-      if pdu.message_id == message_id
-        return pdu
-      else
-        message_queue[pdu.message_id].push pdu
-        next
-      end
+      return pdu if pdu.message_id == message_id
+
+      message_queue[pdu.message_id].push pdu
+      next
     end
 
     pdu
@@ -280,7 +300,7 @@ class Net::LDAP::Connection #:nodoc:
       control[2] = (control[2] == true).to_ber
       control.to_ber_sequence
     end
-    sort_control = [
+    [
       Net::LDAP::LDAPControls::SORT_REQUEST.to_ber,
       false.to_ber,
       sort_control_values.to_ber_sequence.to_s.to_ber,
@@ -380,12 +400,11 @@ class Net::LDAP::Connection #:nodoc:
         # should collect this into a private helper to clarify the structure
         query_limit = 0
         if size > 0
-          if paged
-            query_limit = (((size - n_results) < 126) ? (size -
-                                                              n_results) : 0)
-          else
-            query_limit = size
-          end
+          query_limit = if paged
+                          (((size - n_results) < 126) ? (size - n_results) : 0)
+                        else
+                          size
+                        end
         end
 
         request = [
@@ -448,6 +467,10 @@ class Net::LDAP::Connection #:nodoc:
           end
         end
 
+        if result_pdu.nil?
+          raise Net::LDAP::ResponseMissingOrInvalidError, "response missing"
+        end
+
         # count number of pages of results
         payload[:page_count] ||= 0
         payload[:page_count]  += 1
@@ -573,11 +596,11 @@ class Net::LDAP::Connection #:nodoc:
 
     ext_seq = [Net::LDAP::PasswdModifyOid.to_ber_contextspecific(0)]
 
-    unless args[:old_password].nil?
-      pwd_seq = [args[:old_password].to_ber(0x81)]
-      pwd_seq << args[:new_password].to_ber(0x82) unless args[:new_password].nil?
-      ext_seq << pwd_seq.to_ber_sequence.to_ber(0x81)
-    end
+    pwd_seq = []
+    pwd_seq << dn.to_ber(0x80)
+    pwd_seq << args[:old_password].to_ber(0x81) unless args[:old_password].nil?
+    pwd_seq << args[:new_password].to_ber(0x82) unless args[:new_password].nil?
+    ext_seq << pwd_seq.to_ber_sequence.to_ber(0x81)
 
     request = ext_seq.to_ber_appsequence(Net::LDAP::PDU::ExtendedRequest)
 
@@ -587,7 +610,7 @@ class Net::LDAP::Connection #:nodoc:
     pdu = queued_read(message_id)
 
     if !pdu || pdu.app_tag != Net::LDAP::PDU::ExtendedResponse
-      raise Net::LDAP::ResponseMissingError, "response missing or invalid"
+      raise Net::LDAP::ResponseMissingOrInvalidError, "response missing or invalid"
     end
 
     pdu
@@ -687,7 +710,7 @@ class Net::LDAP::Connection #:nodoc:
   # Wrap around Socket.tcp to normalize with other Socket initializers
   class DefaultSocket
     def self.new(host, port, socket_opts = {})
-      Socket.tcp(host, port, socket_opts)
+      Socket.tcp(host, port, **socket_opts)
     end
   end
 end # class Connection