net-ldap 0.15.0 → 0.19.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 26f8c374bc1cc4a9c355ae968cf1ca29d1efc335
-  data.tar.gz: 2bd1fc2b1ef9bd5939200a06ba9ce4bf24ae85de
+SHA256:
+  metadata.gz: 1fdcc1a3fefe3fb2bf1dbb91ec9e00734252fdda634ae0e2344b9dd6e6b86cd2
+  data.tar.gz: 8526bd506b632e74193c80119280fd4b333731b1e3d75791427a12e62cab775a
 SHA512:
-  metadata.gz: 8d7caa7c7800648300d1cfb52dc09d54dd7df4eb39f2ed88e9f8fcdf8cb8119a4e6582541dfe4ebcca69739cd7166366621a2f76dd974fd7f370796a7c4fe14c
-  data.tar.gz: 71856da21d5c8387cc25f9364d27c43cc48300bd7dd7213b6b35f5a3de42509479d9682f51bc8d894ddd36c21ff5cc0c04e034b051f376b4ab9f17518a249581
+  metadata.gz: e2f9e53240eeedd964463c6bc719cc86e57e5a66c5a769371e16d97005f9b63933797f33384e0192b6e128cc4fec1de46e3cca2886fce963439d86b4b3c0665f
+  data.tar.gz: e4af635dce612600ba48a110ebae1d3c30c00f9c5adcfeba1b6eca1d4d760646674d399cac256f96490bcad6d884146cb891ac14d57f8734556ed7e331baac90

data/History.rdoc

@@ -1,3 +1,79 @@
+=== Net::LDAP 0.19.0
+* Net::LDAP::DN - Retain trailing spaces in RDN values in DNs #412
+* Add in ability for users to specify LDAP controls when conducting searches #411
+* Document connect_timeout in Constructor Details #415
+* Fix openssl error when using multiple hosts #417
+
+=== Net::LDAP 0.18.0
+* Fix escaping of # and space in attrs #408
+* Add support to use SNI #406
+* Drop Ruby 2.5 and JRuby 9.2 from CI tests
+* Bump rubocop to 1.48.1
+* Update CI for TruffleRuby 22
+
+=== Net::LDAP 0.17.1
+* Fixed shebang of bash #385
+* Omit some tests for now until we update our CA cert #386
+* Add Ruby 3.0 support #388
+* Add TruffleRuby 21.0.0 to CI #389
+* Correct a typo in an error message #391
+* Enable bundler caching for travis #390
+* Fix circular require while loading lib/net/ldap/entry.rb and lib/net/ldap/dataset.rb #392
+* Handle nil value in GetbyteForSSLSocket::getbyte #306
+
+=== Net::LDAP 0.17.0
+* Added private recursive_delete as alternative to DELETE_TREE #268
+* Test suite updates #373 #376 #377
+* Use Base64.strict_encode64 and SSHA256 #303
+* Remove deprecated ConnectionRefusedError #366
+* Added method to get a duplicate of the internal Hash #286
+* remove a circular require #380
+* fix LdapServerAsnSyntax compile #379
+* Implement '==' operator for entries #381
+* fix for undefined method for write exception #383
+
+=== Net::LDAP 0.16.3
+
+* Add Net::LDAP::InvalidDNError #371
+* Use require_relative instead of require #360
+* Address some warnings and fix JRuby test omissions #365
+* Bump rake dev dependency to 12.3 #359
+* Enable rubocop in ci #251
+* Enhance rubocop configuration and test syntax #344
+* CI: Drop rbx-2, uninstallable #364
+* Fix RuboCop warnings #312
+* Fix wrong error class #305
+* CONTRIBUTING.md: Repair link to Issues #309
+* Make the generate() method more idiomatic... #326
+* Make encode_sort_controls() more idiomatic... #327
+* Make the instrument() method more idiomatic... #328
+* Fix uninitialised Net::LDAP::LdapPduError #338
+* README.rdoc: Use SVG build badge #310
+* Update TravisCI config to inclue Ruby 2.7 #346
+* add explicit ** to silence Ruby 2.7 warning #342
+* Support parsing filters with attribute tags #345
+* Bump rubocop development dependency version #336
+* Add link to generated and hosted documentation on rubydoc #319
+* Fix 'uninitialized constant Net::LDAP::PDU::LdapPduError' error #317
+* simplify encoding logic: no more chomping required #362
+
+=== Net::LDAP 0.16.2
+
+* Net::LDAP#open does not cache bind result {#334}[https://github.com/ruby-ldap/ruby-net-ldap/pull/334]
+* Fix CI build {#333}[https://github.com/ruby-ldap/ruby-net-ldap/pull/333]
+* Fix to "undefined method 'result_code'" {#308}[https://github.com/ruby-ldap/ruby-net-ldap/pull/308]
+* Fixed Exception: incompatible character encodings: ASCII-8BIT and UTF-8 in filter.rb {#285}[https://github.com/ruby-ldap/ruby-net-ldap/pull/285]
+
+=== Net::LDAP 0.16.1
+
+* Send DN and newPassword with password_modify request {#271}[https://github.com/ruby-ldap/ruby-net-ldap/pull/271]
+
+=== Net::LDAP 0.16.0
+
+* Sasl fix {#281}[https://github.com/ruby-ldap/ruby-net-ldap/pull/281]
+* enable TLS hostname validation {#279}[https://github.com/ruby-ldap/ruby-net-ldap/pull/279]
+* update rubocop to 0.42.0 {#278}[https://github.com/ruby-ldap/ruby-net-ldap/pull/278]
+
 === Net::LDAP 0.15.0
 
 * Respect connect_timeout when establishing SSL connections {#273}[https://github.com/ruby-ldap/ruby-net-ldap/pull/273]

data/README.rdoc

@@ -1,4 +1,6 @@
-= Net::LDAP for Ruby {<img src="https://travis-ci.org/ruby-ldap/ruby-net-ldap.png" />}[https://travis-ci.org/ruby-ldap/ruby-net-ldap]
+= Net::LDAP for Ruby 
+{<img src="https://badge.fury.io/rb/net-ldap.svg" alt="Gem Version" />}[https://badge.fury.io/rb/net-ldap]
+{<img src="https://travis-ci.org/ruby-ldap/ruby-net-ldap.svg" />}[https://travis-ci.org/ruby-ldap/ruby-net-ldap]
 
 == Description
 
@@ -21,7 +23,7 @@ the most recent LDAP RFCs (4510–4519, plus portions of 4520–4532).
 
 == Synopsis
 
-See Net::LDAP for documentation and usage samples.
+See {Net::LDAP on rubydoc.info}[https://www.rubydoc.info/github/ruby-ldap/ruby-net-ldap] for documentation and usage samples.
 
 == Requirements
 
@@ -52,19 +54,27 @@ This task will run the test suite and the
 
   rake rubotest
 
-To run the integration tests against an LDAP server:
+CI takes too long? If your local box supports
+{Docker}[https://www.docker.com/], you can also run integration tests locally.
+Simply run:
 
-  cd test/support/vm/openldap
-  vagrant up
-  cd ../../../..
-  INTEGRATION=openldap bundle exec rake rubotest
+  script/ldap-docker
+  INTEGRATION=openldap rake test
+  
+Or, use {Docker Compose}[https://docs.docker.com/compose/]. See docker-compose.yml for available Ruby versions.
+
+    docker-compose run ci-2.7
+
+CAVEAT: you need to add the following line to /etc/hosts
+    127.0.0.1 ldap.example.org
+    127.0.0.1 cert.mismatch.example.org
 
 == Release
 
 This section is for gem maintainers to cut a new version of the gem.
 
 * Check out a new branch `release-VERSION`
-* Update lib/net/ldap/version.rb to next version number X.X.X following {semver}(http://semver.org/).
+* Update lib/net/ldap/version.rb to next version number X.X.X following {semver}[http://semver.org/].
 * Update `History.rdoc`. Get latest changes with `script/changelog`
 * Open a pull request with these changes for review
 * After merging, on the master branch, run `script/release`

data/lib/net/ber/ber_parser.rb

@@ -172,10 +172,10 @@ module Net::BER::BERParser
     yield id, content_length if block_given?
 
     if -1 == content_length
-      raise Net::BER::BerError, "Indeterminite BER content length not implemented."
-    else
-      data = read(content_length)
+      raise Net::BER::BerError,
+            "Indeterminite BER content length not implemented."
     end
+    data = read(content_length)
 
     parse_ber_object(syntax, id, data)
   end

data/lib/net/ber/core_ext.rb

@@ -1,5 +1,5 @@
 # -*- ruby encoding: utf-8 -*-
-require 'net/ber/ber_parser'
+require_relative 'ber_parser'
 # :stopdoc:
 class IO
   include Net::BER::BERParser
@@ -19,35 +19,35 @@ end
 module Net::BER::Extensions # :nodoc:
 end
 
-require 'net/ber/core_ext/string'
+require_relative 'core_ext/string'
 # :stopdoc:
 class String
   include Net::BER::BERParser
   include Net::BER::Extensions::String
 end
 
-require 'net/ber/core_ext/array'
+require_relative 'core_ext/array'
 # :stopdoc:
 class Array
   include Net::BER::Extensions::Array
 end
 # :startdoc:
 
-require 'net/ber/core_ext/integer'
+require_relative 'core_ext/integer'
 # :stopdoc:
 class Integer
   include Net::BER::Extensions::Integer
 end
 # :startdoc:
 
-require 'net/ber/core_ext/true_class'
+require_relative 'core_ext/true_class'
 # :stopdoc:
 class TrueClass
   include Net::BER::Extensions::TrueClass
 end
 # :startdoc:
 
-require 'net/ber/core_ext/false_class'
+require_relative 'core_ext/false_class'
 # :stopdoc:
 class FalseClass
   include Net::BER::Extensions::FalseClass

data/lib/net/ber.rb

@@ -1,5 +1,5 @@
 # -*- ruby encoding: utf-8 -*-
-require 'net/ldap/version'
+require_relative 'ldap/version'
 
 module Net # :nodoc:
   ##
@@ -327,11 +327,10 @@ class Net::BER::BerIdentifiedString < String
     # Check the encoding of the newly created String and set the encoding
     # to 'UTF-8' (NOTE: we do NOT change the bytes, but only set the
     # encoding to 'UTF-8').
+    return unless encoding == Encoding::BINARY
     current_encoding = encoding
-    if current_encoding == Encoding::BINARY
-      force_encoding('UTF-8')
-      force_encoding(current_encoding) unless valid_encoding?
-    end
+    force_encoding('UTF-8')
+    force_encoding(current_encoding) unless valid_encoding?
   end
 end
 
@@ -350,4 +349,4 @@ module Net::BER
   Null = Net::BER::BerIdentifiedNull.new
 end
 
-require 'net/ber/core_ext'
+require_relative 'ber/core_ext'

data/lib/net/ldap/auth_adapter/gss_spnego.rb

@@ -1,5 +1,5 @@
-require 'net/ldap/auth_adapter'
-require 'net/ldap/auth_adapter/sasl'
+require_relative '../auth_adapter'
+require_relative 'sasl'
 
 module Net
   class LDAP

data/lib/net/ldap/auth_adapter/sasl.rb

@@ -1,9 +1,11 @@
-require 'net/ldap/auth_adapter'
+require_relative '../auth_adapter'
 
 module Net
   class LDAP
     class AuthAdapter
       class Sasl < Net::LDAP::AuthAdapter
+        MAX_SASL_CHALLENGES = 10
+
         #--
         # Required parameters: :mechanism, :initial_credential and
         # :challenge_response
@@ -47,7 +49,7 @@ module Net
             end
 
             return pdu unless pdu.result_code == Net::LDAP::ResultCodeSaslBindInProgress
-            raise Net::LDAP::SASLChallengeOverflowError, "sasl-challenge overflow" if ((n += 1) > MaxSaslChallenges)
+            raise Net::LDAP::SASLChallengeOverflowError, "sasl-challenge overflow" if ((n += 1) > MAX_SASL_CHALLENGES)
 
             cred = chall.call(pdu.result_server_sasl_creds)
           end

data/lib/net/ldap/auth_adapter/simple.rb

@@ -1,4 +1,4 @@
-require 'net/ldap/auth_adapter'
+require_relative '../auth_adapter'
 
 module Net
   class LDAP

data/lib/net/ldap/connection.rb

@@ -7,7 +7,6 @@ class Net::LDAP::Connection #:nodoc:
   DefaultConnectTimeout = 5
 
   LdapVersion = 3
-  MaxSaslChallenges = 10
 
   # Initialize a connection to an LDAP server
   #
@@ -31,12 +30,12 @@ class Net::LDAP::Connection #:nodoc:
     @socket_class = socket_class
   end
 
-  def prepare_socket(server, timeout=nil)
+  def prepare_socket(server, timeout=nil, hostname='127.0.0.1')
     socket = server[:socket]
     encryption = server[:encryption]
 
     @conn = socket
-    setup_encryption(encryption, timeout) if encryption
+    setup_encryption(encryption, timeout, hostname) if encryption
   end
 
   def open_connection(server)
@@ -51,7 +50,16 @@ class Net::LDAP::Connection #:nodoc:
     errors = []
     hosts.each do |host, port|
       begin
-        prepare_socket(server.merge(socket: @socket_class.new(host, port, socket_opts)), timeout)
+        prepare_socket(server.merge(socket: @socket_class.new(host, port, socket_opts)), timeout, host)
+        if encryption
+          if encryption[:tls_options] &&
+             encryption[:tls_options][:verify_mode] &&
+             encryption[:tls_options][:verify_mode] == OpenSSL::SSL::VERIFY_NONE
+            warn "not verifying SSL hostname of LDAPS server '#{host}:#{port}'"
+          else
+            @conn.post_connection_check(host)
+          end
+        end
         return
       rescue Net::LDAP::Error, SocketError, SystemCallError,
              OpenSSL::SSL::SSLError => e
@@ -66,7 +74,8 @@ class Net::LDAP::Connection #:nodoc:
 
   module GetbyteForSSLSocket
     def getbyte
-      getc.ord
+      c = getc
+      c && c.ord
     end
   end
 
@@ -77,7 +86,7 @@ class Net::LDAP::Connection #:nodoc:
     end
   end
 
-  def self.wrap_with_ssl(io, tls_options = {}, timeout=nil)
+  def self.wrap_with_ssl(io, tls_options = {}, timeout=nil, hostname=nil)
     raise Net::LDAP::NoOpenSSLError, "OpenSSL is unavailable" unless Net::LDAP::HasOpenSSL
 
     ctx = OpenSSL::SSL::SSLContext.new
@@ -87,6 +96,7 @@ class Net::LDAP::Connection #:nodoc:
     ctx.set_params(tls_options) unless tls_options.empty?
 
     conn = OpenSSL::SSL::SSLSocket.new(io, ctx)
+    conn.hostname = hostname
 
     begin
       if timeout
@@ -95,17 +105,13 @@ class Net::LDAP::Connection #:nodoc:
         conn.connect
       end
     rescue IO::WaitReadable
-      if IO.select([conn], nil, nil, timeout)
-        retry
-      else
-        raise Errno::ETIMEDOUT, "OpenSSL connection read timeout"
-      end
+      raise Errno::ETIMEDOUT, "OpenSSL connection read timeout" unless
+        IO.select([conn], nil, nil, timeout)
+      retry
     rescue IO::WaitWritable
-      if IO.select(nil, [conn], nil, timeout)
-        retry
-      else
-        raise Errno::ETIMEDOUT, "OpenSSL connection write timeout"
-      end
+      raise Errno::ETIMEDOUT, "OpenSSL connection write timeout" unless
+        IO.select(nil, [conn], nil, timeout)
+      retry
     end
 
     # Doesn't work:
@@ -143,11 +149,11 @@ class Net::LDAP::Connection #:nodoc:
   # communications, as with simple_tls. Thanks for Kouhei Sutou for
   # generously contributing the :start_tls path.
   #++
-  def setup_encryption(args, timeout=nil)
+  def setup_encryption(args, timeout=nil, hostname=nil)
     args[:tls_options] ||= {}
     case args[:method]
     when :simple_tls
-      @conn = self.class.wrap_with_ssl(@conn, args[:tls_options], timeout)
+      @conn = self.class.wrap_with_ssl(@conn, args[:tls_options], timeout, hostname)
       # additional branches requiring server validation and peer certs, etc.
       # go here.
     when :start_tls
@@ -163,11 +169,9 @@ class Net::LDAP::Connection #:nodoc:
         raise Net::LDAP::NoStartTLSResultError, "no start_tls result"
       end
 
-      if pdu.result_code.zero?
-        @conn = self.class.wrap_with_ssl(@conn, args[:tls_options], timeout)
-      else
-        raise Net::LDAP::StartTLSError, "start_tls failed: #{pdu.result_code}"
-      end
+      raise Net::LDAP::StartTLSError,
+            "start_tls failed: #{pdu.result_code}" unless pdu.result_code.zero?
+      @conn = self.class.wrap_with_ssl(@conn, args[:tls_options], timeout, hostname)
     else
       raise Net::LDAP::EncMethodUnsupportedError, "unsupported encryption method #{args[:method]}"
     end
@@ -179,7 +183,7 @@ class Net::LDAP::Connection #:nodoc:
   # have to call it, but perhaps it will come in handy someday.
   #++
   def close
-    return if @conn.nil?
+    return if !defined?(@conn) || @conn.nil?
     @conn.close
     @conn = nil
   end
@@ -197,12 +201,10 @@ class Net::LDAP::Connection #:nodoc:
 
     # read messages until we have a match for the given message_id
     while pdu = read
-      if pdu.message_id == message_id
-        return pdu
-      else
-        message_queue[pdu.message_id].push pdu
-        next
-      end
+      return pdu if pdu.message_id == message_id
+
+      message_queue[pdu.message_id].push pdu
+      next
     end
 
     pdu
@@ -300,7 +302,7 @@ class Net::LDAP::Connection #:nodoc:
       control[2] = (control[2] == true).to_ber
       control.to_ber_sequence
     end
-    sort_control = [
+    [
       Net::LDAP::LDAPControls::SORT_REQUEST.to_ber,
       false.to_ber,
       sort_control_values.to_ber_sequence.to_s.to_ber,
@@ -400,12 +402,11 @@ class Net::LDAP::Connection #:nodoc:
         # should collect this into a private helper to clarify the structure
         query_limit = 0
         if size > 0
-          if paged
-            query_limit = (((size - n_results) < 126) ? (size -
-                                                              n_results) : 0)
-          else
-            query_limit = size
-          end
+          query_limit = if paged
+                          (((size - n_results) < 126) ? (size - n_results) : 0)
+                        else
+                          size
+                        end
         end
 
         request = [
@@ -423,6 +424,7 @@ class Net::LDAP::Connection #:nodoc:
         # this breaks when calling to_ber. (Can't force binary data to UTF-8)
         # we have to disable paging (even though server supports it) to get around this...
 
+        user_controls = args.fetch(:controls, [])
         controls = []
         controls <<
           [
@@ -432,7 +434,12 @@ class Net::LDAP::Connection #:nodoc:
             rfc2696_cookie.map(&:to_ber).to_ber_sequence.to_s.to_ber,
           ].to_ber_sequence if paged
         controls << ber_sort if ber_sort
-        controls = controls.empty? ? nil : controls.to_ber_contextspecific(0)
+        if controls.empty? && user_controls.empty?
+          controls = nil
+        else
+          controls += user_controls
+          controls = controls.to_ber_contextspecific(0)
+        end
 
         write(request, controls, message_id)
 
@@ -468,6 +475,10 @@ class Net::LDAP::Connection #:nodoc:
           end
         end
 
+        if result_pdu.nil?
+          raise Net::LDAP::ResponseMissingOrInvalidError, "response missing"
+        end
+
         # count number of pages of results
         payload[:page_count] ||= 0
         payload[:page_count]  += 1
@@ -593,11 +604,11 @@ class Net::LDAP::Connection #:nodoc:
 
     ext_seq = [Net::LDAP::PasswdModifyOid.to_ber_contextspecific(0)]
 
-    unless args[:old_password].nil?
-      pwd_seq = [args[:old_password].to_ber(0x81)]
-      pwd_seq << args[:new_password].to_ber(0x82) unless args[:new_password].nil?
-      ext_seq << pwd_seq.to_ber_sequence.to_ber(0x81)
-    end
+    pwd_seq = []
+    pwd_seq << dn.to_ber(0x80)
+    pwd_seq << args[:old_password].to_ber(0x81) unless args[:old_password].nil?
+    pwd_seq << args[:new_password].to_ber(0x82) unless args[:new_password].nil?
+    ext_seq << pwd_seq.to_ber_sequence.to_ber(0x81)
 
     request = ext_seq.to_ber_appsequence(Net::LDAP::PDU::ExtendedRequest)
 
@@ -607,7 +618,7 @@ class Net::LDAP::Connection #:nodoc:
     pdu = queued_read(message_id)
 
     if !pdu || pdu.app_tag != Net::LDAP::PDU::ExtendedResponse
-      raise Net::LDAP::ResponseMissingError, "response missing or invalid"
+      raise Net::LDAP::ResponseMissingOrInvalidError, "response missing or invalid"
     end
 
     pdu
@@ -687,7 +698,7 @@ class Net::LDAP::Connection #:nodoc:
   #
   # Typically a TCPSocket, but can be a OpenSSL::SSL::SSLSocket
   def socket
-    return @conn if defined? @conn
+    return @conn if defined?(@conn) && !@conn.nil?
 
     # First refactoring uses the existing methods open_connection and
     # prepare_socket to set @conn. Next cleanup would centralize connection
@@ -707,7 +718,7 @@ class Net::LDAP::Connection #:nodoc:
   # Wrap around Socket.tcp to normalize with other Socket initializers
   class DefaultSocket
     def self.new(host, port, socket_opts = {})
-      Socket.tcp(host, port, socket_opts)
+      Socket.tcp(host, port, **socket_opts)
     end
   end
 end # class Connection

data/lib/net/ldap/dataset.rb

@@ -103,7 +103,7 @@ class Net::LDAP::Dataset < Hash
     # with the conversion of
     def from_entry(entry)
       dataset = Net::LDAP::Dataset.new
-      hash = { }
+      hash = {}
       entry.each_attribute do |attribute, value|
         next if attribute == :dn
         hash[attribute] = value
@@ -164,5 +164,3 @@ class Net::LDAP::Dataset < Hash
     end
   end
 end
-
-require 'net/ldap/entry' unless defined? Net::LDAP::Entry

data/lib/net/ldap/dn.rb

@@ -57,19 +57,19 @@ class Net::LDAP::DN
           state = :key_oid
           key << char
         when ' ' then state = :key
-        else raise "DN badly formed"
+        else raise Net::LDAP::InvalidDNError, "DN badly formed"
         end
       when :key_normal then
         case char
         when '=' then state = :value
         when 'a'..'z', 'A'..'Z', '0'..'9', '-', ' ' then key << char
-        else raise "DN badly formed"
+        else raise Net::LDAP::InvalidDNError, "DN badly formed"
         end
       when :key_oid then
         case char
         when '=' then state = :value
         when '0'..'9', '.', ' ' then key << char
-        else raise "DN badly formed"
+        else raise Net::LDAP::InvalidDNError, "DN badly formed"
         end
       when :value then
         case char
@@ -81,7 +81,7 @@ class Net::LDAP::DN
           value << char
         when ',' then
           state = :key
-          yield key.string.strip, value.string.rstrip
+          yield key.string.strip, value.string
           key = StringIO.new
           value = StringIO.new;
         else
@@ -93,7 +93,7 @@ class Net::LDAP::DN
         when '\\' then state = :value_normal_escape
         when ',' then
           state = :key
-          yield key.string.strip, value.string.rstrip
+          yield key.string.strip, value.string
           key = StringIO.new
           value = StringIO.new;
         else value << char
@@ -110,7 +110,7 @@ class Net::LDAP::DN
         when '0'..'9', 'a'..'f', 'A'..'F' then
           state = :value_normal
           value << "#{hex_buffer}#{char}".to_i(16).chr
-        else raise "DN badly formed"
+        else raise Net::LDAP::InvalidDNError, "DN badly formed"
         end
       when :value_quoted then
         case char
@@ -132,7 +132,7 @@ class Net::LDAP::DN
         when '0'..'9', 'a'..'f', 'A'..'F' then
           state = :value_quoted
           value << "#{hex_buffer}#{char}".to_i(16).chr
-        else raise "DN badly formed"
+        else raise Net::LDAP::InvalidDNError, "DN badly formed"
         end
       when :value_hexstring then
         case char
@@ -142,38 +142,37 @@ class Net::LDAP::DN
         when ' ' then state = :value_end
         when ',' then
           state = :key
-          yield key.string.strip, value.string.rstrip
+          yield key.string.strip, value.string
           key = StringIO.new
           value = StringIO.new;
-        else raise "DN badly formed"
+        else raise Net::LDAP::InvalidDNError, "DN badly formed"
         end
       when :value_hexstring_hex then
         case char
         when '0'..'9', 'a'..'f', 'A'..'F' then
           state = :value_hexstring
           value << char
-        else raise "DN badly formed"
+        else raise Net::LDAP::InvalidDNError, "DN badly formed"
         end
       when :value_end then
         case char
         when ' ' then state = :value_end
         when ',' then
           state = :key
-          yield key.string.strip, value.string.rstrip
+          yield key.string.strip, value.string
           key = StringIO.new
           value = StringIO.new;
-        else raise "DN badly formed"
+        else raise Net::LDAP::InvalidDNError, "DN badly formed"
         end
-      else raise "Fell out of state machine"
+      else raise Net::LDAP::InvalidDNError, "Fell out of state machine"
       end
     end
 
     # Last pair
-    if [:value, :value_normal, :value_hexstring, :value_end].include? state
-      yield key.string.strip, value.string.rstrip
-    else
-      raise "DN badly formed"
-    end
+    raise Net::LDAP::InvalidDNError, "DN badly formed" unless
+      [:value, :value_normal, :value_hexstring, :value_end].include? state
+
+    yield key.string.strip, value.string
   end
 
   ##
@@ -193,27 +192,19 @@ class Net::LDAP::DN
   # http://tools.ietf.org/html/rfc2253 section 2.4 lists these exceptions
   # for dn values. All of the following must be escaped in any normal string
   # using a single backslash ('\') as escape.
-  ESCAPES = {
-    ','  => ',',
-    '+'  => '+',
-    '"'  => '"',
-    '\\' => '\\',
-    '<' => '<',
-    '>' => '>',
-    ';' => ';',
-  }
+  ESCAPES = %w[, + " \\ < > ;]
 
-  # Compiled character class regexp using the keys from the above hash, and
+  # Compiled character class regexp using the values from the above list, and
   # checking for a space or # at the start, or space at the end, of the
   # string.
   ESCAPE_RE = Regexp.new("(^ |^#| $|[" +
-                         ESCAPES.keys.map { |e| Regexp.escape(e) }.join +
+                         ESCAPES.map { |e| Regexp.escape(e) }.join +
                          "])")
 
   ##
   # Escape a string for use in a DN value
   def self.escape(string)
-    string.gsub(ESCAPE_RE) { |char| "\\" + ESCAPES[char] }
+    string.gsub(ESCAPE_RE) { |char| "\\" + char }
   end
 
   ##