omniauth-ldap 2.3.3 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8bcc01a9129d0db019b5530a9bf5f7b5241f9eacba974d5c5585b4620a8d140b
-  data.tar.gz: 5eb2878ad0b0d471d60dfb4596baddb077cde9c26499ad1d2c3f661a96f1b242
+  metadata.gz: db8f14110058b0d3298f67c22cb05dcea355d72943478bdd8d9b363f346541bc
+  data.tar.gz: dda80d2d043153246fe334d57eb73059e5f8586046b7631bae1ef81682778dc5
 SHA512:
-  metadata.gz: f3d489556fa774b9865a3138dcce9f9eef4d2afedbeff2d0bdb5ce239a3b18dd430bcdf2438b77135434e511750a50236fb0e6902ad00ce16e60d1021058fb41
-  data.tar.gz: 4d544ca2868b9c0eb8d283dbc996b305bd1ca3d8070c9b5d342dc3de6d8d98206f197926da1bfd9f9b57e03728f8d96932a824b540fce3f4c66efd7e8ae08630
+  metadata.gz: 75c450a755a8846071d7ebae48672f3a46bb0c6ebf36e6a37c82750b1a0fa35fe9b22484c0803bfbc029b3a00490447baa4f63a53d55d47d8afb8d62e028e80b
+  data.tar.gz: b24afe0b3fd3025482662d6f34f2a5dfbfea87e59647d1c76ebc32928273c8984cd4f3c98464bed712afd4fa04683980927e4c0effbbf55ef19191c6656df75d

data/CHANGELOG.md

@@ -32,6 +32,52 @@ Please file a bug if you notice a violation of semantic versioning.
 
 ### Security
 
+## [3.0.0] - 2026-05-21
+
+- TAG: [v3.0.0][3.0.0t]
+- COVERAGE: 97.52% -- 315/323 lines in 6 files
+- BRANCH COVERAGE: 79.41% -- 108/136 branches in 6 files
+- 94.59% documented
+
+### Added
+
+- Add `auth-sanitizer` runtime dependency to redact sensitive LDAP adaptor inspection output without defining top-level `Auth` or `AuthSanitizer`
+
+### Changed
+
+- Minimum supported Ruby version is now 2.2.0
+
+### Removed
+
+- Remove deprecated (since `v2.1.0-gl` in 2018) top-level `:ca_file` and `:ssl_version` LDAP configuration options; use `:tls_options` instead
+- Remove adaptor backward-compatibility that translated top-level `:ca_file` and `:ssl_version` into TLS options
+- Remove deprecated direct-option specs for top-level `:ca_file` and `:ssl_version`
+
+## [2.3.4] - 2026-05-18
+
+- TAG: [v2.3.4][2.3.4t]
+- COVERAGE: 97.44% -- 304/312 lines in 4 files
+- BRANCH COVERAGE: 79.58% -- 113/142 branches in 4 files
+- 94.44% documented
+
+### Added
+
+- Add `header_auth_source` to require explicit selection of trusted header identity source (`:env` or `:http_header`)
+- Add `header_auth_require_tls` to require TLS for trusted header SSO by default
+- Log a prominent security warning when `header_auth` is enabled
+
+### Changed
+
+- Trusted header SSO now defaults to trusting only server-set env variables and no longer checks Rack `HTTP_` header variants unless `header_auth_source: :http_header` is configured
+
+### Fixed
+
+- Fix OpenSSL 3/Ruby 4 compatibility in the TLS options adaptor spec
+
+### Security
+
+- Harden trusted header SSO against spoofing by removing automatic fallback from `REMOTE_USER` to `HTTP_REMOTE_USER`
+
 ## [2.3.3] - 2025-11-10
 
 - TAG: [v2.3.3][2.3.3t]
@@ -240,7 +286,11 @@ Please file a bug if you notice a violation of semantic versioning.
 [1.0.0]: https://github.com/omniauth/omniauth-ldap/compare/5656da80d4193e0d0584f44bac493a87695e580f...v1.0.0
 [1.0.0t]: https://github.com/omniauth/omniauth-ldap/releases/tag/v1.0.0
 
-[Unreleased]: https://github.com/omniauth/omniauth-ldap/compare/v2.3.3...HEAD
+[Unreleased]: https://github.com/omniauth/omniauth-ldap/compare/v3.0.0...HEAD
+[3.0.0]: https://github.com/omniauth/omniauth-ldap/compare/v2.3.4...v3.0.0
+[3.0.0t]: https://github.com/omniauth/omniauth-ldap/releases/tag/v3.0.0
+[2.3.4]: https://github.com/omniauth/omniauth-ldap/compare/v2.3.3...v2.3.4
+[2.3.4t]: https://github.com/omniauth/omniauth-ldap/releases/tag/v2.3.4
 [2.3.3]: https://github.com/omniauth/omniauth-ldap/compare/v2.3.2...v2.3.3
 [2.3.3t]: https://github.com/omniauth/omniauth-ldap/releases/tag/v2.3.3
 [2.3.2]: https://github.com/omniauth/omniauth-ldap/compare/v2.3.1...v2.3.2

data/LICENSE.txt

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2025 Peter H. Boling, and omniauth-ldap contributors
+Copyright (c) 2025 - 2026 Peter H. Boling, and omniauth-ldap contributors
 Copyright (c) 2014 David Benko
 Copyright (c) 2011 by Ping Yu and Intridea, Inc.
 

data/README.md

@@ -1,32 +1,3 @@
-| 📍 NOTE                                                                                                                                                           |
-|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| RubyGems (the [GitHub org][rubygems-org], not the website) [suffered][draper-security] a [hostile takeover][ellen-takeover] in September 2025.                    |
-| Ultimately [4 maintainers][simi-removed] were [hard removed][martin-removed] and a reason has been given for only 1 of those, while 2 others resigned in protest. |
-| It is a [complicated story][draper-takeover] which is difficult to [parse quickly][draper-lies].                                                                  |
-| I'm adding notes like this to gems because I [don't condone theft][draper-theft] of repositories or gems from their rightful owners.                              |
-| If a similar theft happened with my repos/gems, I'd hope some would stand up for me.                                                                              |
-| Disenfranchised former-maintainers have started [gem.coop][gem-coop].                                                                                             |
-| Once available I will publish there exclusively; unless RubyCentral makes amends with the community.                                                              |
-| The ["Technology for Humans: Joel Draper"][reinteractive-podcast] podcast episode by [reinteractive][reinteractive] is the most cogent summary I'm aware of.      |
-| See [here][gem-naming], [here][gem-coop] and [here][martin-ann] for more info on what comes next.                                                                 |
-| What I'm doing: A (WIP) proposal for [bundler/gem scopes][gem-scopes], and a (WIP) proposal for a federated [gem server][gem-server].                             |
-
-[rubygems-org]: https://github.com/rubygems/
-[draper-security]: https://joel.drapper.me/p/ruby-central-security-measures/
-[draper-takeover]: https://joel.drapper.me/p/ruby-central-takeover/
-[ellen-takeover]: https://pup-e.com/blog/goodbye-rubygems/
-[simi-removed]: https://www.reddit.com/r/ruby/s/gOk42POCaV
-[martin-removed]: https://bsky.app/profile/martinemde.com/post/3m3occezxxs2q
-[draper-lies]: https://joel.drapper.me/p/ruby-central-fact-check/
-[draper-theft]: https://joel.drapper.me/p/ruby-central/
-[reinteractive]: https://reinteractive.com/ruby-on-rails
-[gem-coop]: https://gem.coop
-[gem-naming]: https://github.com/gem-coop/gem.coop/issues/12
-[martin-ann]: https://martinemde.com/2025/10/05/announcing-gem-coop.html
-[gem-scopes]: https://github.com/galtzo-floss/bundle-namespace
-[gem-server]: https://github.com/galtzo-floss/gem-server
-[reinteractive-podcast]: https://youtu.be/_H4qbtC5qzU?si=BvuBU90R2wAqD2E6
-
 [![Galtzo FLOSS Logo by Aboling0, CC BY-SA 4.0][🖼️galtzo-i]][🖼️galtzo-discord] [![ruby-lang Logo, Yukihiro Matsumoto, Ruby Visual Identity Team, CC BY-SA 2.5][🖼️ruby-lang-i]][🖼️ruby-lang] [![omniauth Logo (presumed to be) by tomeara, (presumed to be) MIT License][🖼️omniauth-i]][🖼️omniauth]
 
 [🖼️galtzo-i]: https://logos.galtzo.com/assets/images/galtzo-floss/avatar-192px.svg
@@ -38,7 +9,7 @@
 
 # 📁 OmniAuth LDAP
 
-[![Version][👽versioni]][👽version] [![GitHub tag (latest SemVer)][⛳️tag-img]][⛳️tag] [![License: MIT][📄license-img]][📄license-ref] [![Downloads Rank][👽dl-ranki]][👽dl-rank] [![Open Source Helpers][👽oss-helpi]][👽oss-help] [![CodeCov Test Coverage][🏀codecovi]][🏀codecov] [![Coveralls Test Coverage][🏀coveralls-img]][🏀coveralls] [![CI Heads][🚎3-hd-wfi]][🚎3-hd-wf] [![CI Runtime Dependencies @ HEAD][🚎12-crh-wfi]][🚎12-crh-wf] [![CI Current][🚎11-c-wfi]][🚎11-c-wf] [![CI Truffle Ruby][🚎9-t-wfi]][🚎9-t-wf] [![CI JRuby][🚎10-j-wfi]][🚎10-j-wf] [![Deps Locked][🚎13-🔒️-wfi]][🚎13-🔒️-wf] [![Deps Unlocked][🚎14-🔓️-wfi]][🚎14-🔓️-wf] [![CI Supported][🚎6-s-wfi]][🚎6-s-wf] [![CI Legacy][🚎4-lg-wfi]][🚎4-lg-wf] [![CI Unsupported][🚎7-us-wfi]][🚎7-us-wf] [![CI Ancient][🚎1-an-wfi]][🚎1-an-wf] [![CI Test Coverage][🚎2-cov-wfi]][🚎2-cov-wf] [![CI Style][🚎5-st-wfi]][🚎5-st-wf] [![CodeQL][🖐codeQL-img]][🖐codeQL] [![Apache SkyWalking Eyes License Compatibility Check][🚎15-🪪-wfi]][🚎15-🪪-wf]
+[![Version][👽versioni]][👽version] [![GitHub tag (latest SemVer)][⛳️tag-img]][⛳️tag] [![License: MIT][📄license-img]][📄license-ref] [![Downloads Rank][👽dl-ranki]][👽dl-rank] [![CodeCov Test Coverage][🏀codecovi]][🏀codecov] [![Coveralls Test Coverage][🏀coveralls-img]][🏀coveralls] [![CI Heads][🚎3-hd-wfi]][🚎3-hd-wf] [![CI Runtime Dependencies @ HEAD][🚎12-crh-wfi]][🚎12-crh-wf] [![CI Current][🚎11-c-wfi]][🚎11-c-wf] [![CI Truffle Ruby][🚎9-t-wfi]][🚎9-t-wf] [![CI JRuby][🚎10-j-wfi]][🚎10-j-wf] [![Deps Locked][🚎13-🔒️-wfi]][🚎13-🔒️-wf] [![Deps Unlocked][🚎14-🔓️-wfi]][🚎14-🔓️-wf] [![CI Supported][🚎6-s-wfi]][🚎6-s-wf] [![CI Legacy][🚎4-lg-wfi]][🚎4-lg-wf] [![CI Unsupported][🚎7-us-wfi]][🚎7-us-wf] [![CI Ancient][🚎1-an-wfi]][🚎1-an-wf] [![CI Test Coverage][🚎2-cov-wfi]][🚎2-cov-wf] [![CI Style][🚎5-st-wfi]][🚎5-st-wf] [![CodeQL][🖐codeQL-img]][🖐codeQL] [![Apache SkyWalking Eyes License Compatibility Check][🚎15-🪪-wfi]][🚎15-🪪-wf]
 
 `if ci_badges.map(&:color).detect { it != "green"}` ☝️ [let me know][🖼️galtzo-discord], as I may have missed the [discord notification][🖼️galtzo-discord].
 
@@ -48,6 +19,13 @@
 
 [![Sponsor Me on Github][🖇sponsor-img]][🖇sponsor] [![Liberapay Goal Progress][⛳liberapay-img]][⛳liberapay] [![Donate on PayPal][🖇paypal-img]][🖇paypal] [![Buy me a coffee][🖇buyme-small-img]][🖇buyme] [![Donate on Polar][🖇polar-img]][🖇polar] [![Donate at ko-fi.com][🖇kofi-img]][🖇kofi]
 
+<details>
+    <summary>👣 How will this project approach the September 2025 hostile takeover of RubyGems? 🚑️</summary>
+
+I've summarized my thoughts in [this blog post](https://dev.to/galtzo/hostile-takeover-of-rubygems-my-thoughts-5hlo).
+
+</details>
+
 ## 🌻 Synopsis
 
 Use the LDAP strategy as a middleware in your application:
@@ -79,7 +57,9 @@ use OmniAuth::Strategies::LDAP,
 # use OmniAuth::Strategies::LDAP, filter: '(&(uid=%{username})(memberOf=cn=myapp-users,ou=groups,dc=example,dc=com))'
 ```
 
-All of the listed options are required, with the exception of `:title`, `:name_proc`, `:bind_dn`, and `:password`.
+At minimum you normally configure `:host`, `:base`, and either `:uid` or `:filter`. The other options shown above customize connection behavior, TLS, username normalization, timeouts, and returned auth info.
+
+For trusted header SSO, enable `header_auth: true` and explicitly choose the trusted identity source with `header_auth_source: :env` or `header_auth_source: :http_header`. See [Trusted header SSO](#trusted-header-sso-remote_user-and-friends) for the security requirements.
 
 ### TLS certificate verification
 
@@ -132,7 +112,7 @@ Note: Net::LDAP historically defaulted to no certificate validation when `tls_op
 | Works with JRuby        | ![JRuby 9.1 Compat][💎jruby-9.1i] ![JRuby 9.2 Compat][💎jruby-9.2i] ![JRuby 9.3 Compat][💎jruby-9.3i] <br/> [![JRuby 9.4 Compat][💎jruby-9.4i]][🚎10-j-wf] [![JRuby 10.0 Compat][💎jruby-c-i]][🚎11-c-wf] [![JRuby HEAD Compat][💎jruby-headi]][🚎3-hd-wf]                                                                                                          |
 | Works with Truffle Ruby | ![Truffle Ruby 22.3 Compat][💎truby-22.3i] ![Truffle Ruby 23.0 Compat][💎truby-23.0i] <br/> [![Truffle Ruby 23.1 Compat][💎truby-23.1i]][🚎9-t-wf] [![Truffle Ruby 24.1 Compat][💎truby-c-i]][🚎11-c-wf]                                                                                                                                                            |
 | Works with MRI Ruby 3   | [![Ruby 3.0 Compat][💎ruby-3.0i]][🚎4-lg-wf] [![Ruby 3.1 Compat][💎ruby-3.1i]][🚎6-s-wf] [![Ruby 3.2 Compat][💎ruby-3.2i]][🚎6-s-wf] [![Ruby 3.3 Compat][💎ruby-3.3i]][🚎6-s-wf] [![Ruby 3.4 Compat][💎ruby-c-i]][🚎11-c-wf] [![Ruby HEAD Compat][💎ruby-headi]][🚎3-hd-wf]                                                                                         |
-| Works with MRI Ruby 2   | ![Ruby 2.0 Compat][💎ruby-2.0i] ![Ruby 2.1 Compat][💎ruby-2.1i] ![Ruby 2.2 Compat][💎ruby-2.2i] <br/> [![Ruby 2.3 Compat][💎ruby-2.3i]][🚎1-an-wf] [![Ruby 2.4 Compat][💎ruby-2.4i]][🚎1-an-wf] [![Ruby 2.5 Compat][💎ruby-2.5i]][🚎1-an-wf] [![Ruby 2.6 Compat][💎ruby-2.6i]][🚎7-us-wf] [![Ruby 2.7 Compat][💎ruby-2.7i]][🚎7-us-wf]                              |
+| Works with MRI Ruby 2   | ![Ruby 2.2 Compat][💎ruby-2.2i] <br/> [![Ruby 2.3 Compat][💎ruby-2.3i]][🚎1-an-wf] [![Ruby 2.4 Compat][💎ruby-2.4i]][🚎1-an-wf] [![Ruby 2.5 Compat][💎ruby-2.5i]][🚎1-an-wf] [![Ruby 2.6 Compat][💎ruby-2.6i]][🚎7-us-wf] [![Ruby 2.7 Compat][💎ruby-2.7i]][🚎7-us-wf]                              |
 | Support & Community     | [![Join Me on Daily.dev's RubyFriends][✉️ruby-friends-img]][✉️ruby-friends] [![Live Chat on Discord][✉️discord-invite-img-ftb]][✉️discord-invite] [![Get help from me on Upwork][👨🏼‍🏫expsup-upwork-img]][👨🏼‍🏫expsup-upwork] [![Get help from me on Codementor][👨🏼‍🏫expsup-codementor-img]][👨🏼‍🏫expsup-codementor]                                       |
 | Source                  | [![Source on Github.com][📜src-gh-img]][📜src-gh] [![The best SHA: dQw4w9WgXcQ!][🧮kloc-img]][🧮kloc]                                                                                                                                                                                                                                                               |
 | Documentation           | [![Current release on RubyDoc.info][📜docs-cr-rd-img]][🚎yard-current] [![YARD on Galtzo.com][📜docs-head-rd-img]][🚎yard-head] [![Maintainer Blog][🚂maint-blog-img]][🚂maint-blog] [![GitHub Wiki][📜gh-wiki-img]][📜gh-wiki]                                                                                                                                     |
@@ -143,7 +123,7 @@ Note: Net::LDAP historically defaulted to no certificate validation when `tls_op
 
 ### Compatibility
 
-Compatible with MRI Ruby 2.0+, and concordant releases of JRuby, and TruffleRuby.
+Compatible with MRI Ruby 2.2.0+, and concordant releases of JRuby, and TruffleRuby.
 
 | 🚚 _Amazing_ test matrix was brought to you by | 🔎 appraisal2 🔎 and the color 💚 green 💚             |
 |------------------------------------------------|--------------------------------------------------------|
@@ -228,14 +208,14 @@ The following options are available for configuring the OmniAuth LDAP strategy:
 ### Required Options
 
 - `:host` - The hostname or IP address of the LDAP server.
-- `:port` - The port number of the LDAP server (default: 389).
-- `:method` - The connection method. Allowed values: `:plain`, `:ssl`, `:tls` (default: `:plain`).
 - `:base` - The base DN for the LDAP search.
 - `:uid` or `:filter` - Either `:uid` (the LDAP attribute for username, default: "sAMAccountName") or `:filter` (LDAP filter for searching user entries). If `:filter` is provided, `:uid` is not required. Note: This `:uid` option is the search attribute, not the top-level `auth.uid` in the OmniAuth result.
 
 ### Optional Options
 
 - `:title` - The title for the authentication form (default: "LDAP Authentication").
+- `:port` - The port number of the LDAP server (default: 389).
+- `:encryption` - The connection method. Allowed values: `:plain`, `:ssl`, `:tls` (default: `:plain`). `:method` is still accepted for compatibility, but is deprecated.
 - `:bind_dn` - The DN to bind with for searching users (required if anonymous access is not allowed).
 - `:password` - The password for the bind DN.
 - `:name_proc` - A proc to process the username before using it in the search (default: identity proc that returns the username unchanged).
@@ -249,6 +229,10 @@ The following options are available for configuring the OmniAuth LDAP strategy:
 - `:connect_timeout` - Maximum time in seconds to wait when establishing the TCP connection to the LDAP server. Forwarded to `Net::LDAP`.
 - `:read_timeout` - Maximum time in seconds to wait for reads during LDAP operations (search/bind). Forwarded to `Net::LDAP`.
 - `:mapping` - Customize how LDAP attributes map to the returned `auth.info` hash. A sensible default mapping is built into the strategy and will be merged with your overrides. See `lib/omniauth/strategies/ldap.rb` for the default keys and behavior; values can be a String (single attribute), an Array (first present attribute wins), or a Hash (string pattern with placeholders like `%0` combined from multiple attributes).
+- `:header_auth` - Enable trusted upstream identity SSO (default: false). When enabled, the strategy trusts the configured header/env key, performs an LDAP lookup, and skips the user password bind.
+- `:header_name` - Header/env key used for trusted header SSO (default: "REMOTE_USER").
+- `:header_auth_source` - Trusted identity source for header SSO (default: `:env`). Use `:env` to read only `env["REMOTE_USER"]`-style server variables. Use `:http_header` to read only Rack `HTTP_` header keys such as `env["HTTP_REMOTE_USER"]`; only configure this behind a proxy that strips client-supplied copies.
+- `:header_auth_require_tls` - Require TLS for trusted header SSO requests (default: true).
 
 Example enabling password policy:
 
@@ -284,7 +268,7 @@ Where to find the "username"-style value
 - You can also read the raw attribute from `auth.extra.raw_info` (a `Net::LDAP::Entry`):
 
 ```ruby
-get "/auth/ldap/callback" do
+post "/auth/ldap/callback" do
   auth = request.env["omniauth.auth"]
   dn = auth.uid                                # => "cn=alice,ou=users,dc=example,dc=com"
   username = auth.info.nickname                # => "alice" (from uid/sAMAccountName)
@@ -300,7 +284,7 @@ If you need top-level `auth.uid` to be something other than the DN (for example,
 ## 🔧 Basic Usage
 
 The strategy exposes a simple Rack middleware and can be used in plain Rack apps, Sinatra, or Rails.
-Direct users to `/auth/ldap` to start authentication and handle the callback at `/auth/ldap/callback`.
+With OmniAuth 2.x, initiate authentication with `POST /auth/ldap`; `GET /auth/ldap` returns 404 by default. Older OmniAuth 1.x deployments may still render the form on `GET /auth/ldap`. Handle the callback at `/auth/ldap/callback`.
 
 Below are several concrete examples to get you started.
 
@@ -316,7 +300,7 @@ use OmniAuth::Builder do
   provider :ldap,
     host: "ldap.example.com",
     port: 389,
-    method: :plain,
+    encryption: :plain,
     base: "dc=example,dc=com",
     uid: "uid",
     title: "Example LDAP"
@@ -325,7 +309,7 @@ end
 run lambda { |env| [404, {"Content-Type" => "text/plain"}, [env.key?("omniauth.auth").to_s]] }
 ```
 
-Visit `GET /auth/ldap` to initiate authentication (the middleware will render a login form unless you POST to `/auth/ldap`).
+Submit `POST /auth/ldap` to initiate authentication. With OmniAuth 2.x, the middleware renders the login form on POST when credentials are not already present; with OmniAuth 1.x, `GET /auth/ldap` can also render the form.
 
 ### Sinatra example
 
@@ -344,10 +328,10 @@ use OmniAuth::Builder do
 end
 
 get "/" do
-  '<a href="/auth/ldap">Sign in with LDAP</a>'
+  '<form action="/auth/ldap" method="post"><button type="submit">Sign in with LDAP</button></form>'
 end
 
-get "/auth/ldap/callback" do
+post "/auth/ldap/callback" do
   auth = request.env["omniauth.auth"]
   "Hello, #{auth.info["name"]}"
 end
@@ -371,7 +355,7 @@ Rails.application.config.middleware.use(OmniAuth::Builder) do
 end
 ```
 
-Then link users to `/auth/ldap` in your app (for example, in a Devise sign-in page).
+Then submit users to `/auth/ldap` with POST in your app (for example, from a Devise sign-in page).
 
 ### Use JSON Body
 
@@ -422,7 +406,7 @@ Examples
 
 Notes
 
-- You can still initiate authentication by visiting `GET /auth/ldap` to render the HTML form and then submitting it (form-encoded). JSON is an additional option, not a replacement.
+- You can still initiate authentication with a regular form POST and then submit credentials as form-encoded data. JSON is an additional option, not a replacement.
 - In the callback phase (`POST /auth/ldap/callback`), the strategy reads JSON credentials the same way; Rails exposes them via `action_dispatch.request.request_parameters` and non-Rails apps should use a JSON parser middleware.
 
 ### Using a custom filter
@@ -607,15 +591,19 @@ Note: You generally do not need this override. Prefer configuring your proxy to
 
 ### Trusted header SSO (REMOTE_USER and friends)
 
-Some deployments terminate SSO at a reverse proxy or portal and forward the already-authenticated user identity via an HTTP header such as `REMOTE_USER`.
+Some deployments terminate SSO at a reverse proxy or portal and forward the already-authenticated user identity via a server-set environment variable or HTTP header such as `REMOTE_USER`.
 When you enable this mode, the LDAP strategy will trust the upstream header, perform a directory lookup for that user, and complete OmniAuth without asking the user for a password.
 
-Important: Only enable this behind a trusted front-end that strips and sets the header itself. Never enable on a public endpoint without such a gateway, or an attacker could spoof the header.
+Important: Only enable this behind a trusted front-end that authenticates users before they can reach the OmniAuth endpoint. When `header_auth` is enabled the strategy logs a prominent security warning because it trusts the upstream identity completely.
 
 Configuration options:
 
 - `:header_auth` (Boolean, default: false) — Enable trusted header SSO.
-- `:header_name` (String, default: "REMOTE_USER") — The env/header key to read. The strategy checks both `env["REMOTE_USER"]` and the Rack variant `env["HTTP_REMOTE_USER"]`.
+- `:header_name` (String, default: "REMOTE_USER") — The env/header key to read.
+- `:header_auth_source` (`:env` or `:http_header`, default: `:env`) — Which Rack env key form to trust.
+  - `:env` reads only the exact server-set environment key, such as `env["REMOTE_USER"]`.
+  - `:http_header` reads only the Rack HTTP header key, such as `env["HTTP_REMOTE_USER"]`. Only use this behind a proxy that strips client-sent copies of the header before setting its trusted value.
+- `:header_auth_require_tls` (Boolean, default: true) — Raise an error if trusted header SSO is used on a non-TLS request.
 - `:name_proc` is applied to the header value before search (e.g., to strip a domain part).
 - Search is done using your configured `:uid` or `:filter` and the service bind (`:bind_dn`/`:password`) or anonymous bind if allowed.
 
@@ -629,8 +617,9 @@ use OmniAuth::Builder do
     uid: "uid",
     bind_dn: "cn=search,dc=example,dc=com",
     password: ENV["LDAP_SEARCH_PASSWORD"],
-    header_auth: true,                 # trust REMOTE_USER
-    header_name: "REMOTE_USER",       # default
+    header_auth: true,                  # trust the configured upstream identity
+    header_name: "REMOTE_USER",        # default
+    header_auth_source: :env,           # default; reads env["REMOTE_USER"]
     name_proc: proc { |n| n.split("@").first }
 end
 ```
@@ -648,6 +637,7 @@ Rails.application.config.middleware.use(OmniAuth::Builder) do
     password: ENV["LDAP_SEARCH_PASSWORD"],
     header_auth: true,
     header_name: "REMOTE_USER",
+    header_auth_source: :env,
     # Optionally restrict with a group filter while using the header value
     filter: "(&(sAMAccountName=%{username})(memberOf=cn=myapp-users,ou=groups,dc=acme,dc=corp))",
     name_proc: proc { |n| n.gsub(/@.*$/, "") }
@@ -662,8 +652,9 @@ Flow:
 
 Security checklist:
 
-- Ensure your reverse proxy strips user-controlled copies of the header and sets the canonical `REMOTE_USER` itself.
-- Prefer TLS-secured internal links between the proxy and your app.
+- Prefer `header_auth_source: :env` for server-set variables such as `REMOTE_USER`.
+- Use `header_auth_source: :http_header` only when your reverse proxy strips user-controlled copies of the header and sets the canonical value itself.
+- Keep `header_auth_require_tls` enabled unless a separate trusted channel protects traffic between the proxy and your app.
 - Consider also restricting with a group-based `:filter` so only authorized users can sign in.
 
 ## 🦷 FLOSS Funding
@@ -795,7 +786,7 @@ See [LICENSE.txt][📄license] for the official [Copyright Notice][📄copyright
 
 <ul>
     <li>
-        Copyright (c) 2025 Peter H. Boling, of
+        Copyright (c) 2025 - 2026 Peter H. Boling, of
         <a href="https://discord.gg/3qme4XHNKN">
             Galtzo.com
             <picture>
@@ -905,8 +896,6 @@ Thanks for RTFM. ☺️
 [📜gh-wiki-img]: https://img.shields.io/badge/wiki-examples-943CD2.svg?style=for-the-badge&logo=github&logoColor=white
 [👽dl-rank]: https://bestgems.org/gems/omniauth-ldap
 [👽dl-ranki]: https://img.shields.io/gem/rd/omniauth-ldap.svg
-[👽oss-help]: https://www.codetriage.com/omniauth/omniauth-ldap
-[👽oss-helpi]: https://www.codetriage.com/omniauth/omniauth-ldap/badges/users.svg
 [👽version]: https://bestgems.org/gems/omniauth-ldap
 [👽versioni]: https://img.shields.io/gem/v/omniauth-ldap.svg
 [🏀codecov]: https://codecov.io/gh/omniauth/omniauth-ldap
@@ -990,7 +979,7 @@ Thanks for RTFM. ☺️
 [📌gitmoji]: https://gitmoji.dev
 [📌gitmoji-img]: https://img.shields.io/badge/gitmoji_commits-%20%F0%9F%98%9C%20%F0%9F%98%8D-34495e.svg?style=flat-square
 [🧮kloc]: https://www.youtube.com/watch?v=dQw4w9WgXcQ
-[🧮kloc-img]: https://img.shields.io/badge/KLOC-0.293-FFDD67.svg?style=for-the-badge&logo=YouTube&logoColor=blue
+[🧮kloc-img]: https://img.shields.io/badge/KLOC-0.323-FFDD67.svg?style=for-the-badge&logo=YouTube&logoColor=blue
 [🔐security]: SECURITY.md
 [🔐security-img]: https://img.shields.io/badge/security-policy-259D6C.svg?style=flat
 [📄copyright-notice-explainer]: https://opensource.stackexchange.com/questions/5778/why-do-licenses-such-as-the-mit-license-specify-a-single-year

data/lib/{omniauth-ldap → omniauth/ldap}/adaptor.rb

@@ -21,6 +21,10 @@ module OmniAuth
     #
     # @note Public API: {validate}, {initialize}, {bind_as}, and attr readers such as {connection}, {uid}
     class Adaptor
+      include OmniAuth::LDAP::AUTH_SANITIZER::FilteredAttributes
+
+      filtered_attributes :@auth, :@configuration, :@connection, :@password, :@tls_options
+
       # Generic adaptor error super-class
       # @see Error classes that inherit from this class
       class LdapError < StandardError; end
@@ -59,11 +63,7 @@ module OmniAuth
         # Timeouts
         :connect_timeout,
         :read_timeout,
-
-        # Deprecated
         :method,
-        :ca_file,
-        :ssl_version,
       ]
 
       # Required configuration keys. This may include alternatives as sub-lists
@@ -131,16 +131,18 @@ module OmniAuth
       # @param configuration [Hash] configuration hash passed to the adaptor
       # @raise [ArgumentError] when required keys are missing
       # @return [void]
-      def self.validate(configuration = {})
-        message = []
-        MUST_HAVE_KEYS.each do |names|
-          names = [names].flatten
-          missing_keys = names.select { |name| configuration[name].nil? }
-          if missing_keys == names
-            message << names.join(" or ")
+      class << self
+        def validate(configuration = {})
+          message = []
+          MUST_HAVE_KEYS.each do |names|
+            names = [names].flatten
+            missing_keys = names.select { |name| configuration[name].nil? }
+            if missing_keys == names
+              message << names.join(" or ")
+            end
           end
+          raise ArgumentError.new(message.join(",") + " MUST be provided") unless message.empty?
         end
-        raise ArgumentError.new(message.join(",") + " MUST be provided") unless message.empty?
       end
 
       # Create a new adaptor instance backed by a Net::LDAP connection.
@@ -295,7 +297,7 @@ module OmniAuth
         ENCRYPTION_METHOD[normalized_method]
       end
 
-      # Build TLS options including backward-compatibility for deprecated keys.
+      # Build TLS options from explicit :tls_options configuration.
       #
       # @param translated_method [Symbol] the normalized encryption method
       # @return [Hash] a hash suitable for passing as :tls_options
@@ -312,10 +314,6 @@ module OmniAuth
           options.merge!(configured_options)
         end
 
-        # Retain backward compatibility until deprecated configs are removed.
-        options[:ca_file] = @ca_file if @ca_file
-        options[:ssl_version] = @ssl_version if @ssl_version
-
         options
       end
 

data/lib/omniauth/ldap/auth_sanitizer.rb

@@ -0,0 +1,38 @@
+module OmniAuth
+  module LDAP
+    # See: Zero Top-Level Namespace Additions
+    #      https://github.com/ruby-oauth/auth-sanitizer/blob/main/README.md#zero-top-level-namespace-additions
+    AUTH_SANITIZER = begin
+      auth_sanitizer_requirement = Gem::Requirement.new("~> 0.1", ">= 0.1.4")
+      auth_sanitizer_spec = Gem.loaded_specs["auth-sanitizer"]
+      unless auth_sanitizer_spec && auth_sanitizer_requirement.satisfied_by?(auth_sanitizer_spec.version)
+        # :nocov:
+        auth_sanitizer_spec = Gem::Specification.find_by_name("auth-sanitizer", auth_sanitizer_requirement)
+        # :nocov:
+      end
+
+      auth_sanitizer_loader_path = File.join(
+        auth_sanitizer_spec.full_gem_path,
+        "lib/auth_sanitizer/loader.rb",
+      )
+      unless File.file?(auth_sanitizer_loader_path)
+        # :nocov:
+        raise LoadError, "omniauth-ldap requires auth-sanitizer #{auth_sanitizer_requirement}; " \
+          "loader not found at #{auth_sanitizer_loader_path}"
+        # :nocov:
+      end
+
+      auth_sanitizer_loader_namespace = Module.new
+      auth_sanitizer_loader_namespace.module_eval(
+        File.read(auth_sanitizer_loader_path),
+        auth_sanitizer_loader_path,
+        1,
+      )
+
+      auth_sanitizer_loader_namespace
+        .const_get(:AuthSanitizer)
+        .const_get(:Loader)
+        .load_isolated
+    end
+  end
+end

data/lib/{omniauth-ldap → omniauth/ldap}/version.rb

@@ -8,7 +8,7 @@ module OmniAuth
     module Version
       # Public semantic version for the gem
       # @return [String]
-      VERSION = "2.3.3"
+      VERSION = "3.0.0"
     end
     # Convenience constant for consumers that expect OmniAuth::LDAP::VERSION
     # @return [String]

data/lib/omniauth/ldap.rb

@@ -0,0 +1,18 @@
+# Integrate the VersionGem helper into the OmniAuth::LDAP::Version module
+# to expose common version-related helper methods. This file is the public
+# entry point required by consumers of the gem.
+#
+# @example
+#   require 'omniauth-ldap'
+#   OmniAuth::LDAP::VERSION # => "2.3.2"
+
+require "version_gem"
+
+require_relative "ldap/version"
+require_relative "ldap/auth_sanitizer"
+require_relative "ldap/adaptor"
+require_relative "strategies/ldap"
+
+OmniAuth::LDAP::Version.class_eval do
+  extend VersionGem::Basic
+end

data/lib/omniauth/strategies/ldap.rb

@@ -91,18 +91,22 @@ module OmniAuth
       option :port, 389
       option :method, :plain
       option :disable_verify_certificates, false
-      option :ca_file, nil
-      option :ssl_version, nil # use OpenSSL default if nil
       option :uid, "sAMAccountName"
       option :name_proc, lambda { |n| n }
 
       # Trusted header SSO support (disabled by default)
-      # :header_auth - when true and the header is present, the strategy trusts the upstream gateway
-      #                 and searches the directory for the user without requiring a user password.
-      # :header_name - which header/env key to read (default: "REMOTE_USER"). We will also check the
-      #                 standard Rack "HTTP_" variant automatically.
+      # :header_auth - when true and the configured header/env key is present, the strategy trusts
+      #                 the upstream gateway and searches the directory for the user without
+      #                 requiring a user password.
+      # :header_name - which header/env key to read (default: "REMOTE_USER").
+      # :header_auth_source - :env trusts only server-set env variables. :http_header trusts only
+      #                       Rack HTTP header keys, and should only be used behind a proxy that
+      #                       strips client-supplied copies of the header.
+      # :header_auth_require_tls - require a TLS request for header auth.
       option :header_auth, false
       option :header_name, "REMOTE_USER"
+      option :header_auth_source, :env
+      option :header_auth_require_tls, true
 
       # Optional timeouts (forwarded to Net::LDAP when supported)
       option :connect_timeout, nil
@@ -124,6 +128,8 @@ module OmniAuth
           return Rack::Response.new("", 404, {"Content-Type" => "text/plain"}).finish
         end
 
+        validate_header_auth_configuration!
+
         # Fast-path: if a trusted identity header is present, skip the login form
         # and jump to the callback where we will complete using directory lookup.
         if header_username
@@ -163,6 +169,8 @@ module OmniAuth
 
         return fail!(:invalid_request_method) unless valid_request_method?
 
+        validate_header_auth_configuration!
+
         # Header-based SSO (REMOTE_USER-style) path
         if (hu = header_username)
           begin
@@ -311,24 +319,62 @@ module OmniAuth
         @env["action_dispatch.request.request_parameters"] || request.params
       end
 
-      # Extract a normalized username from a trusted header when enabled.
+      # Extract a normalized username from a trusted header/env key when enabled.
       # Returns nil when not configured or not present.
       #
-      # The method will attempt the raw env key (e.g. "REMOTE_USER") and the Rack
-      # HTTP_ variant (e.g. "HTTP_REMOTE_USER" or "HTTP_X_REMOTE_USER").
+      # The source is intentionally explicit: :env reads the raw env key
+      # (e.g. "REMOTE_USER"), while :http_header reads the Rack HTTP_ variant
+      # (e.g. "HTTP_REMOTE_USER" or "HTTP_X_REMOTE_USER").
       #
       # @return [String, nil] normalized username or nil if not present
       def header_username
         return unless options[:header_auth]
 
-        name = options[:header_name] || "REMOTE_USER"
-        # Try both the raw env var (e.g., REMOTE_USER) and the Rack HTTP_ variant (e.g., HTTP_REMOTE_USER or HTTP_X_REMOTE_USER)
-        raw = request.env[name] || request.env["HTTP_#{name.upcase.tr("-", "_")}"]
+        raw = request.env[header_auth_env_key]
         return if raw.nil? || raw.to_s.strip.empty?
 
         options[:name_proc].call(raw.to_s)
       end
 
+      # Validate trusted header auth before reading the configured identity key.
+      #
+      # @raise [ArgumentError] when the header auth options are unsafe or invalid
+      # @return [void]
+      def validate_header_auth_configuration!
+        return unless options[:header_auth]
+
+        log_header_auth_warning
+
+        source = (options[:header_auth_source] || :env).to_sym
+        unless [:env, :http_header].include?(source)
+          raise ArgumentError, "header_auth_source must be :env or :http_header"
+        end
+
+        if options[:header_auth_require_tls] && !request.ssl?
+          raise ArgumentError, "header_auth requires TLS unless header_auth_require_tls is disabled"
+        end
+      end
+
+      # Rack env key selected by the explicit header auth source option.
+      #
+      # @return [String]
+      def header_auth_env_key
+        name = options[:header_name] || "REMOTE_USER"
+        return name if (options[:header_auth_source] || :env).to_sym == :env
+
+        "HTTP_#{name.upcase.tr("-", "_")}"
+      end
+
+      # Warn operators that trusted header auth delegates authentication to the upstream gateway.
+      #
+      # @return [void]
+      def log_header_auth_warning
+        logger = OmniAuth.config.respond_to?(:logger) ? OmniAuth.config.logger : nil
+        return unless logger && logger.respond_to?(:warn)
+
+        logger.warn("[omniauth-ldap] SECURITY WARNING: header_auth is enabled. This trusts upstream authentication completely; only enable it behind a trusted proxy that strips client-supplied identity headers.")
+      end
+
       # Perform a directory lookup for the given username using the strategy configuration
       # (bind_dn/password or anonymous). Does not attempt to bind as the user.
       #

data/lib/omniauth-ldap.rb

@@ -1,17 +1,2 @@
-# Integrate the VersionGem helper into the OmniAuth::LDAP::Version module
-# to expose common version-related helper methods. This file is the public
-# entry point required by consumers of the gem.
-#
-# @example
-#   require 'omniauth-ldap'
-#   OmniAuth::LDAP::VERSION # => "2.3.2"
-
-require "version_gem"
-
-require "omniauth-ldap/version"
-require "omniauth-ldap/adaptor"
-require "omniauth/strategies/ldap"
-
-OmniAuth::LDAP::Version.class_eval do
-  extend VersionGem::Basic
-end
+# Compatibility shim
+require "omniauth/ldap"

data/sig/omniauth/strategies/ldap.rbs

@@ -22,6 +22,12 @@ module OmniAuth
       # Extract username from a trusted header when enabled
       def header_username: () -> (String | nil)
 
+      def validate_header_auth_configuration!: () -> void
+
+      def header_auth_env_key: () -> String
+
+      def log_header_auth_warning: () -> void
+
       # Perform a directory lookup for a given username; returns an Entry or nil
       def directory_lookup: (OmniAuth::LDAP::Adaptor, String) -> untyped
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-ldap
 version: !ruby/object:Gem::Version
-  version: 2.3.3
+  version: 3.0.0
 platform: ruby
 authors:
 - Peter Boling
@@ -39,6 +39,26 @@ cert_chain:
   -----END CERTIFICATE-----
 date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: auth-sanitizer
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.4
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.4
 - !ruby/object:Gem::Dependency
   name: net-ldap
   requirement: !ruby/object:Gem::Requirement
@@ -350,7 +370,6 @@ extra_rdoc_files:
 - FUNDING.md
 - LICENSE.txt
 - README.md
-- REEK
 - RUBOCOP.md
 - SECURITY.md
 files:
@@ -361,12 +380,13 @@ files:
 - FUNDING.md
 - LICENSE.txt
 - README.md
-- REEK
 - RUBOCOP.md
 - SECURITY.md
 - lib/omniauth-ldap.rb
-- lib/omniauth-ldap/adaptor.rb
-- lib/omniauth-ldap/version.rb
+- lib/omniauth/ldap.rb
+- lib/omniauth/ldap/adaptor.rb
+- lib/omniauth/ldap/auth_sanitizer.rb
+- lib/omniauth/ldap/version.rb
 - lib/omniauth/strategies/ldap.rb
 - sig/omniauth-ldap.rbs
 - sig/omniauth/ldap/adaptor.rbs
@@ -380,10 +400,10 @@ licenses:
 - MIT
 metadata:
   homepage_uri: https://omniauth-ldap.galtzo.com/
-  source_code_uri: https://github.com/omniauth/omniauth-ldap/tree/v2.3.3
-  changelog_uri: https://github.com/omniauth/omniauth-ldap/blob/v2.3.3/CHANGELOG.md
+  source_code_uri: https://github.com/omniauth/omniauth-ldap/tree/v3.0.0
+  changelog_uri: https://github.com/omniauth/omniauth-ldap/blob/v3.0.0/CHANGELOG.md
   bug_tracker_uri: https://github.com/omniauth/omniauth-ldap/issues
-  documentation_uri: https://www.rubydoc.info/gems/omniauth-ldap/2.3.3
+  documentation_uri: https://www.rubydoc.info/gems/omniauth-ldap/3.0.0
   funding_uri: https://github.com/sponsors/pboling
   wiki_uri: https://github.com/omniauth/omniauth-ldap/wiki
   news_uri: https://www.railsbling.com/tags/omniauth-ldap
@@ -405,14 +425,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.0'
+      version: 2.2.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.7.2
+rubygems_version: 4.0.11
 specification_version: 4
 summary: "\U0001F4C1 LDAP strategy for OmniAuth."
 test_files: []