omniauth-ldap 2.3.1 → 2.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6521def9ea4ad73235bbf1c8147822ab3b59e211fdc5f4959dfa2178a82a5bd4
-  data.tar.gz: 4f6f08af41228c4e0a20f6a957d9927165f1d8109835a4c239abdcc3c6f79f4f
+  metadata.gz: 64fced98d7ab577e6c9abc446ace5678b829670e9d241f0a759c61efc47ecf5e
+  data.tar.gz: 7fda93687c96509833b9d72f277995f53eb2368ebe44740180ceadd3afac6ebe
 SHA512:
-  metadata.gz: 51fca6cf72c8331c82ecb35b89d4cca511bd6de423da5c24c659b2de9a0f7c29dd74eca283edeb45672ca0a745a1a970478d42b972f518d68fc9a9dd155fef80
-  data.tar.gz: f08359c99200c2192abc312a80859d7cd9671061318605b680ef6bf03c14ea667b9b7d288dd4754939e062da7f5de1b7c887d33fa56846b10e6f826172bfbe76
+  metadata.gz: 8750eeed19ed13d89d041b14123b68cc459e7f5595d04d6d0fe67227c06c312f7952264f6fdd19a8f57957ce98c9ea3620d125fd01c445446c8848400a668e12
+  data.tar.gz: ed9dc416b2eba5c6e9d9cc5e889f50bd70347ff4a6ce9261cb8703e77d010c7834a5a566ef8ed7f93f5fbaf4baba0afa9965191decebdf84ed8ffd8b79590a8d

data/CHANGELOG.md

@@ -32,6 +32,33 @@ Please file a bug if you notice a violation of semantic versioning.
 
 ### Security
 
+## [2.3.2] - 2025-11-06
+
+- TAG: [v2.3.2][2.3.2t]
+- COVERAGE: 97.64% -- 290/297 lines in 4 files
+- BRANCH COVERAGE: 79.69% -- 102/128 branches in 4 files
+- 44.12% documented
+
+### Added
+
+- Support for SCRIPT_NAME for proper URL generation
+  - behind certain proxies/load balancers, or
+  - under a subdirectory
+- Password Policy for LDAP Directories
+  - password_policy: true|false (default: false)
+  - on authentication failure, if the server returns password policy controls, the info will be included in the failure message
+  - https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-11
+- Support for JSON bodies
+- Support custom LDAP attributes mapping
+- Raise a distinct error when LDAP server is unreachable
+  - Previously raised an invalid credentials authentication failure error, which is technically incorrect
+- Documentation of TLS verification options
+
+### Changed
+
+- Make support for OmniAuth v1.2+ explicit
+  - Versions < 1.2 do not support SCRIPT_NAME properly, and may cause other issues
+
 ## [2.3.1] - 2025-11-05
 
 - TAG: [v2.3.1][2.3.1t]
@@ -197,6 +224,8 @@ Please file a bug if you notice a violation of semantic versioning.
 [1.0.0]: https://github.com/omniauth/omniauth-ldap/compare/5656da80d4193e0d0584f44bac493a87695e580f...v1.0.0
 [1.0.0t]: https://github.com/omniauth/omniauth-ldap/releases/tag/v1.0.0
 
-[Unreleased]: https://github.com/omniauth/omniauth-ldap/compare/v2.3.1...HEAD
+[Unreleased]: https://github.com/omniauth/omniauth-ldap/compare/v2.3.2...HEAD
+[2.3.2]: https://github.com/omniauth/omniauth-ldap/compare/v2.3.1...v2.3.2
+[2.3.2t]: https://github.com/omniauth/omniauth-ldap/releases/tag/v2.3.2
 [2.3.1]: https://github.com/omniauth/omniauth-ldap/compare/v2.0.0...v2.3.1
 [2.3.1t]: https://github.com/omniauth/omniauth-ldap/releases/tag/v2.3.1

data/LICENSE.txt

@@ -1,6 +1,7 @@
 MIT License
 
 Copyright (c) 2025 Peter H. Boling, and omniauth-ldap contributors
+Copyright (c) 2014 David Benko
 Copyright (c) 2011 by Ping Yu and Intridea, Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining

data/README.md

@@ -38,7 +38,7 @@
 
 # 📁 OmniAuth LDAP
 
-[![Version][👽versioni]][👽version] [![GitHub tag (latest SemVer)][⛳️tag-img]][⛳️tag] [![License: MIT][📄license-img]][📄license-ref] [![Downloads Rank][👽dl-ranki]][👽dl-rank] [![Open Source Helpers][👽oss-helpi]][👽oss-help] [![CodeCov Test Coverage][🏀codecovi]][🏀codecov] [![Coveralls Test Coverage][🏀coveralls-img]][🏀coveralls] [![QLTY Test Coverage][🏀qlty-covi]][🏀qlty-cov] [![QLTY Maintainability][🏀qlty-mnti]][🏀qlty-mnt] [![CI Heads][🚎3-hd-wfi]][🚎3-hd-wf] [![CI Runtime Dependencies @ HEAD][🚎12-crh-wfi]][🚎12-crh-wf] [![CI Current][🚎11-c-wfi]][🚎11-c-wf] [![CI Truffle Ruby][🚎9-t-wfi]][🚎9-t-wf] [![CI JRuby][🚎10-j-wfi]][🚎10-j-wf] [![Deps Locked][🚎13-🔒️-wfi]][🚎13-🔒️-wf] [![Deps Unlocked][🚎14-🔓️-wfi]][🚎14-🔓️-wf] [![CI Supported][🚎6-s-wfi]][🚎6-s-wf] [![CI Legacy][🚎4-lg-wfi]][🚎4-lg-wf] [![CI Unsupported][🚎7-us-wfi]][🚎7-us-wf] [![CI Ancient][🚎1-an-wfi]][🚎1-an-wf] [![CI Test Coverage][🚎2-cov-wfi]][🚎2-cov-wf] [![CI Style][🚎5-st-wfi]][🚎5-st-wf] [![CodeQL][🖐codeQL-img]][🖐codeQL] [![Apache SkyWalking Eyes License Compatibility Check][🚎15-🪪-wfi]][🚎15-🪪-wf]
+[![Version][👽versioni]][👽version] [![GitHub tag (latest SemVer)][⛳️tag-img]][⛳️tag] [![License: MIT][📄license-img]][📄license-ref] [![Downloads Rank][👽dl-ranki]][👽dl-rank] [![Open Source Helpers][👽oss-helpi]][👽oss-help] [![CodeCov Test Coverage][🏀codecovi]][🏀codecov] [![Coveralls Test Coverage][🏀coveralls-img]][🏀coveralls] [![CI Heads][🚎3-hd-wfi]][🚎3-hd-wf] [![CI Runtime Dependencies @ HEAD][🚎12-crh-wfi]][🚎12-crh-wf] [![CI Current][🚎11-c-wfi]][🚎11-c-wf] [![CI Truffle Ruby][🚎9-t-wfi]][🚎9-t-wf] [![CI JRuby][🚎10-j-wfi]][🚎10-j-wf] [![Deps Locked][🚎13-🔒️-wfi]][🚎13-🔒️-wf] [![Deps Unlocked][🚎14-🔓️-wfi]][🚎14-🔓️-wf] [![CI Supported][🚎6-s-wfi]][🚎6-s-wf] [![CI Legacy][🚎4-lg-wfi]][🚎4-lg-wf] [![CI Unsupported][🚎7-us-wfi]][🚎7-us-wf] [![CI Ancient][🚎1-an-wfi]][🚎1-an-wf] [![CI Test Coverage][🚎2-cov-wfi]][🚎2-cov-wf] [![CI Style][🚎5-st-wfi]][🚎5-st-wf] [![CodeQL][🖐codeQL-img]][🖐codeQL] [![Apache SkyWalking Eyes License Compatibility Check][🚎15-🪪-wfi]][🚎15-🪪-wf]
 
 `if ci_badges.map(&:color).detect { it != "green"}` ☝️ [let me know][🖼️galtzo-discord], as I may have missed the [discord notification][🖼️galtzo-discord].
 
@@ -63,9 +63,17 @@ use OmniAuth::Strategies::LDAP,
   name_proc: proc { |name| name.gsub(/@.*$/, "") },
   bind_dn: "default_bind_dn",
   password: "password",
+  # Optional timeouts (seconds)
+  connect_timeout: 3,
+  read_timeout: 7,
   tls_options: {
     ssl_version: "TLSv1_2",
     ciphers: ["AES-128-CBC", "AES-128-CBC-HMAC-SHA1", "AES-128-CBC-HMAC-SHA256"],
+  },
+  mapping: {
+    "name" => "cn;lang-en",
+    "email" => ["preferredEmail", "mail"],
+    "nickname" => ["uid", "userid", "sAMAccountName"],
   }
 # Or, alternatively:
 # use OmniAuth::Strategies::LDAP, filter: '(&(uid=%{username})(memberOf=cn=myapp-users,ou=groups,dc=example,dc=com))'
@@ -73,6 +81,50 @@ use OmniAuth::Strategies::LDAP,
 
 All of the listed options are required, with the exception of `:title`, `:name_proc`, `:bind_dn`, and `:password`.
 
+## TLS certificate verification
+
+This gem enables TLS certificate verification by default when you use `encryption: "ssl"` (LDAPS / simple TLS) or `encryption: "tls"` (STARTTLS). We always pass `tls_options` to Net::LDAP based on `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS`, which includes `verify_mode: OpenSSL::SSL::VERIFY_PEER` and sane defaults.
+
+- Secure by default: you do not need to set anything extra to verify the LDAP server certificate.
+- To customize trust or ciphers, supply your own `tls_options`, which are merged over the safe defaults.
+- If you truly need to skip verification (not recommended), set `disable_verify_certificates: true`.
+
+Examples:
+
+```ruby
+# Verify server certs (default behavior)
+use OmniAuth::Strategies::LDAP,
+  host: ENV["LDAP_HOST"],
+  port: 636,
+  encryption: "ssl",  # or "tls"
+  base: "dc=example,dc=com",
+  uid:  "uid"
+
+# Use a private CA bundle and restrict protocol/ciphers
+use OmniAuth::Strategies::LDAP,
+  host: ENV["LDAP_HOST"],
+  port: 636,
+  encryption: "ssl",
+  base: "dc=example,dc=com",
+  uid:  "uid",
+  tls_options: {
+    ca_file: "/etc/ssl/private/my_org_ca.pem",
+    ssl_version: "TLSv1_2",
+    ciphers: ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"],
+  }
+
+# Opt out of verification (NOT recommended – use only in trusted test/dev scenarios)
+use OmniAuth::Strategies::LDAP,
+  host: ENV["LDAP_HOST"],
+  port: 636,
+  encryption: "ssl",
+  base: "dc=example,dc=com",
+  uid:  "uid",
+  disable_verify_certificates: true
+```
+
+Note: Net::LDAP historically defaulted to no certificate validation when `tls_options` were not provided. This library mitigates that by always providing secure `tls_options` unless you explicitly disable verification.
+
 ## 💡 Info you can shake a stick at
 
 | Tokens to Remember      | [![Gem name][⛳️name-img]][⛳️gem-name] [![Gem namespace][⛳️namespace-img]][⛳️gem-namespace]                                                                                                                                                                                                                                                                          |
@@ -191,6 +243,28 @@ The following options are available for configuring the OmniAuth LDAP strategy:
 - `:sasl_mechanisms` - Array of SASL mechanisms to use (e.g., ["DIGEST-MD5", "GSS-SPNEGO"]).
 - `:allow_anonymous` - Whether to allow anonymous binding (default: false).
 - `:logger` - A logger instance for debugging (optional, for internal use).
+- `:password_policy` - When true, the strategy will request the LDAP Password Policy response control (OID `1.3.6.1.4.1.42.2.27.8.5.1`) during the user bind. If the server supports it, the adaptor exposes:
+  - `adaptor.last_operation_result` — the last Net::LDAP operation result object.
+  - `adaptor.last_password_policy_response` — the matching password policy response control (implementation-specific object). This can indicate conditions such as password expired, account locked, reset required, or grace logins remaining (per the draft RFC).
+- `:connect_timeout` - Maximum time in seconds to wait when establishing the TCP connection to the LDAP server. Forwarded to `Net::LDAP`.
+- `:read_timeout` - Maximum time in seconds to wait for reads during LDAP operations (search/bind). Forwarded to `Net::LDAP`.
+- `:mapping` - Customize how LDAP attributes map to the returned `auth.info` hash. A sensible default mapping is built into the strategy and will be merged with your overrides. See `lib/omniauth/strategies/ldap.rb` for the default keys and behavior; values can be a String (single attribute), an Array (first present attribute wins), or a Hash (string pattern with placeholders like `%0` combined from multiple attributes).
+
+Example enabling password policy:
+
+```ruby
+use OmniAuth::Builder do
+  provider :ldap,
+    host: "ldap.example.com",
+    base: "dc=example,dc=com",
+    uid: "uid",
+    bind_dn: "cn=search,dc=example,dc=com",
+    password: ENV["LDAP_SEARCH_PASSWORD"],
+    password_policy: true
+end
+```
+
+Note: This is best-effort and compatible with a range of net-ldap versions. If your server supports the control, you can inspect the response via the `adaptor` instance during/after authentication (for example in a failure handler) to tailor error messages.
 
 ### Auth Hash UID vs LDAP :uid (search attribute)
 
@@ -299,6 +373,58 @@ end
 
 Then link users to `/auth/ldap` in your app (for example, in a Devise sign-in page).
 
+### Use JSON Body
+
+This gem is compatible with JSON-encoded POST bodies as well as traditional form-encoded.
+
+- Set header `Content-Type` to `application/json`.
+- Send a JSON object containing `username` and `password`.
+- Rails automatically exposes parsed JSON params via `env["action_dispatch.request.request_parameters"]`, which this strategy reads first. In non-Rails Rack apps, ensure you use a JSON parser middleware if you post raw JSON.
+
+Examples
+
+- curl (JSON):
+
+  ```bash
+  curl -i \
+    -X POST \
+    -H 'Content-Type: application/json' \
+    -d '{"username":"alice","password":"secret"}' \
+    http://localhost:3000/auth/ldap
+  ```
+
+  The request phase will redirect to `/auth/ldap/callback` when both fields are present.
+
+- curl (form-encoded, still supported):
+
+  ```bash
+  curl -i \
+    -X POST \
+    -H 'Content-Type: application/x-www-form-urlencoded' \
+    --data-urlencode 'username=alice' \
+    --data-urlencode 'password=secret' \
+    http://localhost:3000/auth/ldap
+  ```
+
+- Browser (JavaScript fetch):
+
+  ```js
+  fetch('/auth/ldap', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ username: 'alice', password: 'secret' })
+  }).then(res => {
+    if (res.redirected) {
+      window.location = res.url; // typically /auth/ldap/callback
+    }
+  });
+  ```
+
+Notes
+
+- You can still initiate authentication by visiting `GET /auth/ldap` to render the HTML form and then submitting it (form-encoded). JSON is an additional option, not a replacement.
+- In the callback phase (`POST /auth/ldap/callback`), the strategy reads JSON credentials the same way; Rails exposes them via `action_dispatch.request.request_parameters` and non-Rails apps should use a JSON parser middleware.
+
 ### Using a custom filter
 
 If you need to restrict authentication to a group or use a more complex lookup, pass `:filter`. Use `%{username}` — it will be replaced with the processed username (after `:name_proc`).
@@ -401,6 +527,84 @@ provider :ldap,
 
 This trims `alice@example.com` to `alice` before searching.
 
+### Mounted under a subdirectory (SCRIPT_NAME)
+
+If your app is served from a path prefix (for example, behind a reverse proxy at `/myapp`, or mounted via Rack::URLMap, or Rails `relative_url_root`), the OmniAuth callback must include that subdirectory. This strategy uses `callback_url` for the form action and redirects, so it automatically includes any `SCRIPT_NAME` set by Rack/Rails. In other words, you typically do not need any special configuration beyond ensuring `SCRIPT_NAME` is correct in the request environment.
+
+- Works out-of-the-box when:
+  - You mount the app at a path using Rack’s `map`/`URLMap`.
+  - You set Rails’ `config.relative_url_root` (or `RAILS_RELATIVE_URL_ROOT`) or deploy under a prefix with a reverse proxy that sets `SCRIPT_NAME`.
+
+Rack example (mounted at /myapp):
+
+```ruby
+# config.ru
+require "rack"
+require "omniauth-ldap"
+
+app = Rack::Builder.new do
+  use(Rack::Session::Cookie, secret: "change_me")
+  use(OmniAuth::Builder) do
+    provider(
+      :ldap,
+      host: "ldap.example.com",
+      base: "dc=example,dc=com",
+      uid: "uid",
+      title: "Example LDAP",
+    )
+  end
+
+  run(->(env) { [404, {"Content-Type" => "text/plain"}, [env.key?("omniauth.auth").to_s]] })
+end
+
+run Rack::URLMap.new(
+  "/myapp" => app,
+)
+```
+
+- Visiting `POST /myapp/auth/ldap` renders the login form with `action='http://host/myapp/auth/ldap/callback'`.
+- Any redirects (including header-based SSO fast path) will also point to `http://host/myapp/auth/ldap/callback`.
+
+Rails example (relative_url_root):
+
+```ruby
+# config/environments/production.rb (or an initializer)
+Rails.application.configure do
+  config.relative_url_root = "/myapp"  # or set ENV["RAILS_RELATIVE_URL_ROOT"]
+end
+
+# config/initializers/omniauth.rb
+Rails.application.config.middleware.use(OmniAuth::Builder) do
+  provider :ldap,
+    title: "Acme LDAP",
+    host: "ldap.acme.internal",
+    base: "dc=acme,dc=corp",
+    uid: "uid",
+    bind_dn: "cn=search,dc=acme,dc=corp",
+    password: ENV["LDAP_SEARCH_PASSWORD"],
+    name_proc: proc { |n| n.split("@").first }
+end
+```
+
+- With `relative_url_root` set, Rails/Rack provide `SCRIPT_NAME=/myapp`, and this strategy will issue a form with `action='.../myapp/auth/ldap/callback'` and redirect accordingly.
+
+Behind proxies with unusual host/proto handling (optional):
+
+OmniAuth usually derives the correct scheme/host/prefix from Rack (and standard `X-Forwarded-*` headers). If your environment produces incorrect absolute URLs, you can override the computed host and prefix by setting `OmniAuth.config.full_host`:
+
+```ruby
+OmniAuth.config.full_host = lambda do |env|
+  scheme = (env["HTTP_X_FORWARDED_PROTO"] || env["rack.url_scheme"]).to_s.split(",").first
+  host = env["HTTP_X_FORWARDED_HOST"] || env["HTTP_HOST"] || [env["SERVER_NAME"], env["SERVER_PORT"]].compact.join(":")
+  script = env["SCRIPT_NAME"].to_s
+  "#{scheme}://#{host}#{script}"
+end
+```
+
+Note: You generally do not need this override. Prefer configuring your proxy to pass standard `X-Forwarded-Proto` and `X-Forwarded-Host` headers and let Rack/OmniAuth compute the full URL.
+
+- Header-based SSO (`header_auth: true`) also respects `SCRIPT_NAME`; when a trusted header is present on `POST /myapp/auth/ldap`, the strategy redirects to `http://host/myapp/auth/ldap/callback`.
+
 ### Trusted header SSO (REMOTE_USER and friends)
 
 Some deployments terminate SSO at a reverse proxy or portal and forward the already-authenticated user identity via an HTTP header such as `REMOTE_USER`.
@@ -520,8 +724,6 @@ See [CONTRIBUTING.md][🤝contributing].
 
 [![Coveralls Test Coverage][🏀coveralls-img]][🏀coveralls]
 
-[![QLTY Test Coverage][🏀qlty-covi]][🏀qlty-cov]
-
 ### 🪇 Code of Conduct
 
 Everyone interacting with this project's codebases, issue trackers,
@@ -602,6 +804,9 @@ See [LICENSE.txt][📄license] for the official [Copyright Notice][📄copyright
             </picture>
         </a>, and omniauth-ldap contributors.
     </li>
+    <li>
+        Copyright (c) 2014 David Benko
+    </li>
     <li>
         Copyright (c) 2011 by Ping Yu and Intridea, Inc.
     </li>
@@ -622,7 +827,7 @@ To join the community or get help 👇️ Join the Discord.
 
 To say "thanks!" ☝️ Join the Discord or 👇️ send money.
 
-[![Sponsor me on GitHub Sponsors][🖇sponsor-bottom-img]][🖇sponsor] 💌 [![Sponsor me on Liberapay][⛳liberapay-bottom-img]][⛳liberapay-img] 💌 [![Donate on PayPal][🖇paypal-bottom-img]][🖇paypal-img]
+[![Sponsor me on GitHub Sponsors][🖇sponsor-bottom-img]][🖇sponsor] 💌 [![Sponsor me on Liberapay][⛳liberapay-bottom-img]][⛳liberapay] 💌 [![Donate on PayPal][🖇paypal-bottom-img]][🖇paypal]
 
 ### Please give the project a star ⭐ ♥.
 
@@ -705,10 +910,6 @@ Thanks for RTFM. ☺️
 [👽oss-helpi]: https://www.codetriage.com/omniauth/omniauth-ldap/badges/users.svg
 [👽version]: https://bestgems.org/gems/omniauth-ldap
 [👽versioni]: https://img.shields.io/gem/v/omniauth-ldap.svg
-[🏀qlty-mnt]: https://qlty.sh/gh/omniauth/projects/omniauth-ldap
-[🏀qlty-mnti]: https://qlty.sh/gh/omniauth/projects/omniauth-ldap/maintainability.svg
-[🏀qlty-cov]: https://qlty.sh/gh/omniauth/projects/omniauth-ldap/metrics/code?sort=coverageRating
-[🏀qlty-covi]: https://qlty.sh/gh/omniauth/projects/omniauth-ldap/coverage.svg
 [🏀codecov]: https://codecov.io/gh/omniauth/omniauth-ldap
 [🏀codecovi]: https://codecov.io/gh/omniauth/omniauth-ldap/graph/badge.svg
 [🏀coveralls]: https://coveralls.io/github/omniauth/omniauth-ldap?branch=main
@@ -790,7 +991,7 @@ Thanks for RTFM. ☺️
 [📌gitmoji]: https://gitmoji.dev
 [📌gitmoji-img]: https://img.shields.io/badge/gitmoji_commits-%20%F0%9F%98%9C%20%F0%9F%98%8D-34495e.svg?style=flat-square
 [🧮kloc]: https://www.youtube.com/watch?v=dQw4w9WgXcQ
-[🧮kloc-img]: https://img.shields.io/badge/KLOC-0.233-FFDD67.svg?style=for-the-badge&logo=YouTube&logoColor=blue
+[🧮kloc-img]: https://img.shields.io/badge/KLOC-0.297-FFDD67.svg?style=for-the-badge&logo=YouTube&logoColor=blue
 [🔐security]: SECURITY.md
 [🔐security-img]: https://img.shields.io/badge/security-policy-259D6C.svg?style=flat
 [📄copyright-notice-explainer]: https://opensource.stackexchange.com/questions/5778/why-do-licenses-such-as-the-mit-license-specify-a-single-year

data/lib/omniauth/strategies/ldap.rb

@@ -9,7 +9,7 @@ module OmniAuth
 
       InvalidCredentialsError = Class.new(StandardError)
 
-      CONFIG = {
+      option :mapping, {
         "name" => "cn",
         "first_name" => "givenName",
         "last_name" => "sn",
@@ -23,7 +23,7 @@ module OmniAuth
         "url" => ["wwwhomepage"],
         "image" => "jpegPhoto",
         "description" => "description",
-      }.freeze
+      }
       option :title, "LDAP Authentication" # default title for authentication form
       # For OmniAuth >= 2.0 the default allowed request method is POST only.
       # Ensure the strategy follows that default so GET /auth/:provider returns 404 as expected in tests.
@@ -46,6 +46,9 @@ module OmniAuth
       #                 standard Rack "HTTP_" variant automatically.
       option :header_auth, false
       option :header_name, "REMOTE_USER"
+      # Optional timeouts (forwarded to Net::LDAP when supported)
+      option :connect_timeout, nil
+      option :read_timeout, nil
 
       def request_phase
         # OmniAuth >= 2.0 expects the request phase to be POST-only for /auth/:provider.
@@ -57,18 +60,18 @@ module OmniAuth
         # Fast-path: if a trusted identity header is present, skip the login form
         # and jump to the callback where we will complete using directory lookup.
         if header_username
-          return Rack::Response.new([], 302, "Location" => callback_path).finish
+          return Rack::Response.new([], 302, "Location" => callback_url).finish
         end
 
         # If credentials were POSTed directly to /auth/:provider, redirect to the callback path.
         # This mirrors the behavior of many OmniAuth providers and allows test helpers (like
         # OmniAuth::Test::PhonySession) to populate `env['omniauth.auth']` on the callback request.
-        if request.post? && request.params["username"].to_s != "" && request.params["password"].to_s != ""
-          return Rack::Response.new([], 302, "Location" => callback_path).finish
+        if request.post? && request_data["username"].to_s != "" && request_data["password"].to_s != ""
+          return Rack::Response.new([], 302, "Location" => callback_url).finish
         end
 
         OmniAuth::LDAP::Adaptor.validate(@options)
-        f = OmniAuth::Form.new(title: options[:title] || "LDAP Authentication", url: callback_path)
+        f = OmniAuth::Form.new(title: options[:title] || "LDAP Authentication", url: callback_url)
         f.text_field("Login", "username")
         f.password_field("Password", "password")
         f.button("Sign In")
@@ -88,7 +91,7 @@ module OmniAuth
               return fail!(:invalid_credentials, InvalidCredentialsError.new("User not found for header #{hu}"))
             end
             @ldap_user_info = entry
-            @user_info = self.class.map_user(CONFIG, @ldap_user_info)
+            @user_info = self.class.map_user(@options[:mapping], @ldap_user_info)
             return super
           rescue => e
             return fail!(:ldap_error, e)
@@ -97,13 +100,18 @@ module OmniAuth
 
         return fail!(:missing_credentials) if missing_credentials?
         begin
-          @ldap_user_info = @adaptor.bind_as(filter: filter(@adaptor), size: 1, password: request.params["password"])
+          @ldap_user_info = @adaptor.bind_as(filter: filter(@adaptor), size: 1, password: request_data["password"])
 
           unless @ldap_user_info
-            return fail!(:invalid_credentials, InvalidCredentialsError.new("Invalid credentials for #{request.params["username"]}"))
+            # Attach password policy info to env if available (best-effort)
+            attach_password_policy_env(@adaptor)
+            return fail!(:invalid_credentials, InvalidCredentialsError.new("Invalid credentials for #{request_data["username"]}"))
           end
 
-          @user_info = self.class.map_user(CONFIG, @ldap_user_info)
+          # Optionally attach policy info even on success (e.g., timeBeforeExpiration)
+          attach_password_policy_env(@adaptor)
+
+          @user_info = self.class.map_user(@options[:mapping], @ldap_user_info)
           super
         rescue => e
           fail!(:ldap_error, e)
@@ -111,11 +119,12 @@ module OmniAuth
       end
 
       def filter(adaptor, username_override = nil)
-        if adaptor.filter && !adaptor.filter.empty?
-          username = Net::LDAP::Filter.escape(@options[:name_proc].call(username_override || request.params["username"]))
-          Net::LDAP::Filter.construct(adaptor.filter % {username: username})
+        flt = adaptor.filter
+        if flt && !flt.to_s.empty?
+          username = Net::LDAP::Filter.escape(@options[:name_proc].call(username_override || request_data["username"]))
+          Net::LDAP::Filter.construct(flt % {username: username})
         else
-          Net::LDAP::Filter.equals(adaptor.uid, @options[:name_proc].call(username_override || request.params["username"]))
+          Net::LDAP::Filter.equals(adaptor.uid, @options[:name_proc].call(username_override || request_data["username"]))
         end
       end
 
@@ -173,8 +182,12 @@ module OmniAuth
       end
 
       def missing_credentials?
-        request.params["username"].nil? || request.params["username"].empty? || request.params["password"].nil? || request.params["password"].empty?
-      end # missing_credentials?
+        request_data["username"].nil? || request_data["username"].empty? || request_data["password"].nil? || request_data["password"].empty?
+      end
+
+      def request_data
+        @env["action_dispatch.request.request_parameters"] || request.params
+      end
 
       # Extract a normalized username from a trusted header when enabled.
       # Returns nil when not configured or not present.
@@ -193,13 +206,54 @@ module OmniAuth
       # (bind_dn/password or anonymous). Does not attempt to bind as the user.
       def directory_lookup(adaptor, username)
         entry = nil
-        filter = filter(adaptor, username)
+        search_filter = filter(adaptor, username)
         adaptor.connection.open do |conn|
-          rs = conn.search(filter: filter, size: 1)
-          entry = rs.first if rs && rs.first
+          rs = conn.search(filter: search_filter, size: 1)
+          entry = rs && rs.first
         end
         entry
       end
+
+      # If the adaptor captured a Password Policy response control, expose a minimal, stable hash
+      # in the Rack env for applications to inspect.
+      def attach_password_policy_env(adaptor)
+        return unless adaptor.respond_to?(:password_policy) && adaptor.password_policy
+        ctrl = adaptor.respond_to?(:last_password_policy_response) ? adaptor.last_password_policy_response : nil
+        op = adaptor.respond_to?(:last_operation_result) ? adaptor.last_operation_result : nil
+        return unless ctrl || op
+
+        request.env["omniauth.ldap.password_policy"] = extract_password_policy(ctrl, op)
+      end
+
+      # Best-effort extraction across net-ldap versions; if fields are not available, returns a raw payload.
+      def extract_password_policy(control, operation)
+        data = {raw: control}
+        if control
+          # Prefer named readers if present
+          if control.respond_to?(:error)
+            data[:error] = control.public_send(:error)
+          elsif control.respond_to?(:ppolicy_error)
+            data[:error] = control.public_send(:ppolicy_error)
+          end
+          if control.respond_to?(:time_before_expiration)
+            data[:time_before_expiration] = control.public_send(:time_before_expiration)
+          end
+          if control.respond_to?(:grace_authns_remaining)
+            data[:grace_authns_remaining] = control.public_send(:grace_authns_remaining)
+          elsif control.respond_to?(:grace_logins_remaining)
+            data[:grace_authns_remaining] = control.public_send(:grace_logins_remaining)
+          end
+          if control.respond_to?(:oid)
+            data[:oid] = control.public_send(:oid)
+          end
+        end
+        if operation
+          code = operation.respond_to?(:code) ? operation.code : nil
+          message = operation.respond_to?(:message) ? operation.message : nil
+          data[:operation] = {code: code, message: message}
+        end
+        data
+      end
     end
   end
 end

data/lib/omniauth-ldap/adaptor.rb

@@ -31,6 +31,10 @@ module OmniAuth
         :allow_anonymous,
         :filter,
         :tls_options,
+        :password_policy,
+        # Timeouts
+        :connect_timeout,
+        :read_timeout,
 
         # Deprecated
         :method,
@@ -59,7 +63,7 @@ module OmniAuth
       }
 
       attr_accessor :bind_dn, :password
-      attr_reader :connection, :uid, :base, :auth, :filter
+      attr_reader :connection, :uid, :base, :auth, :filter, :password_policy, :last_operation_result, :last_password_policy_response
 
       def self.validate(configuration = {})
         message = []
@@ -88,6 +92,8 @@ module OmniAuth
           port: @port,
           encryption: encryption_options,
         }
+        # Remove passing timeouts here to avoid issues on older net-ldap versions.
+        # We'll set them after initialization if the connection responds to writers.
         @bind_method = if @try_sasl
           :sasl
         else
@@ -102,6 +108,21 @@ module OmniAuth
         }
         config[:auth] = @auth
         @connection = Net::LDAP.new(config)
+        # Apply optional timeout settings if supported by the installed net-ldap version
+        if !@connect_timeout.nil?
+          if @connection.respond_to?(:connect_timeout=)
+            @connection.connect_timeout = @connect_timeout
+          else
+            @connection.instance_variable_set(:@connect_timeout, @connect_timeout)
+          end
+        end
+        if !@read_timeout.nil?
+          if @connection.respond_to?(:read_timeout=)
+            @connection.read_timeout = @read_timeout
+          else
+            @connection.instance_variable_set(:@read_timeout, @read_timeout)
+          end
+        end
       end
 
       #:base => "dc=yourcompany, dc=com",
@@ -109,20 +130,47 @@ module OmniAuth
       # :password => psw
       def bind_as(args = {})
         result = false
+        @last_operation_result = nil
+        @last_password_policy_response = nil
         @connection.open do |me|
           rs = me.search(args)
-          if rs and rs.first and dn = rs.first.dn
-            password = args[:password]
-            method = args[:method] || @method
-            password = password.call if password.respond_to?(:call)
-            if method == "sasl"
-              result = rs.first if me.bind(sasl_auths({username: dn, password: password}).first)
-            elsif me.bind(
-              method: :simple,
-              username: dn,
-              password: password,
-            )
-              result = rs.first
+          raise ConnectionError.new("LDAP search operation failed") unless rs
+
+          if rs && rs.first
+            dn = rs.first.dn
+            if dn
+              password = args[:password]
+              password = password.call if password.respond_to?(:call)
+
+              bind_args = if @bind_method == :sasl
+                sasl_auths({username: dn, password: password}).first
+              else
+                {
+                  method: :simple,
+                  username: dn,
+                  password: password,
+                }
+              end
+
+              # Optionally request LDAP Password Policy control (RFC Draft - de facto standard)
+              if @password_policy
+                # Always request by OID using a simple hash; avoids depending on gem-specific control classes
+                control = {oid: "1.3.6.1.4.1.42.2.27.8.5.1", criticality: true, value: nil}
+                if bind_args.is_a?(Hash)
+                  bind_args = bind_args.merge({controls: [control]})
+                else
+                  # Some Net::LDAP versions allow passing a block for SASL only; ensure we still can add controls if hash
+                  # When not a Hash, we can't merge; rely on server default behavior.
+                end
+              end
+
+              begin
+                success = bind_args ? me.bind(bind_args) : me.bind
+              ensure
+                capture_password_policy(me)
+              end
+
+              result = rs.first if success
             end
           end
         end
@@ -250,6 +298,32 @@ module OmniAuth
           result[key.to_sym] = value
         end
       end
+
+      # Capture the operation result and extract any Password Policy response control if present.
+      def capture_password_policy(conn)
+        return unless @password_policy
+        return unless conn.respond_to?(:get_operation_result)
+
+        begin
+          @last_operation_result = conn.get_operation_result
+          controls = if @last_operation_result && @last_operation_result.respond_to?(:controls)
+            @last_operation_result.controls || []
+          else
+            []
+          end
+          if controls.any?
+            # Find Password Policy response control by OID
+            ppolicy_oid = "1.3.6.1.4.1.42.2.27.8.5.1"
+            ctrl = controls.find do |c|
+              (c.respond_to?(:oid) && c.oid == ppolicy_oid) || (c.is_a?(Hash) && c[:oid] == ppolicy_oid)
+            end
+            @last_password_policy_response = ctrl if ctrl
+          end
+        rescue StandardError
+          # Swallow errors to keep authentication flow unaffected when server or gem doesn't support controls
+          @last_password_policy_response = nil
+        end
+      end
     end
   end
 end

data/lib/omniauth-ldap/version.rb

@@ -1,7 +1,7 @@
 module OmniAuth
   module LDAP
     module Version
-      VERSION = "2.3.1"
+      VERSION = "2.3.2"
     end
     VERSION = Version::VERSION # Make VERSION available in traditional way
   end

data/sig/omniauth/ldap/adaptor.rbs

@@ -15,7 +15,7 @@ module OmniAuth
 
       VALID_ADAPTER_CONFIGURATION_KEYS: Array[Symbol]
       MUST_HAVE_KEYS: Array[untyped]
-      METHOD: Hash[Symbol, Symbol?]
+      ENCRYPTION_METHOD: Hash[Symbol, Symbol?]
 
       attr_accessor bind_dn: String?
       attr_accessor password: String?
@@ -28,6 +28,10 @@ module OmniAuth
       attr_reader auth: Hash[Symbol, untyped]
       # filter is an LDAP filter string when configured
       attr_reader filter: String?
+      # optional: request password policy control and capture response
+      attr_reader password_policy: bool?
+      attr_reader last_operation_result: untyped
+      attr_reader last_password_policy_response: untyped
 
       # Validate that required keys exist in the configuration
       def self.validate: (?Hash[Symbol, untyped]) -> void
@@ -38,17 +42,31 @@ module OmniAuth
 
       private
 
-      # Returns a Net::LDAP encryption symbol (e.g. :simple_tls, :start_tls) or nil
-      def ensure_method: (untyped) -> Symbol?
+      # Returns encryption settings hash or nil
+      def encryption_options: () -> Hash[Symbol, untyped]?
+      # Translate configured method/encryption into Net::LDAP symbol
+      def translate_method: () -> Symbol?
+      # Returns a Net::LDAP encryption default options hash
+      def default_options: () -> Hash[Symbol, untyped]
+      # Sanitize provided TLS options
+      def sanitize_hash_values: (Hash[untyped, untyped]) -> Hash[untyped, untyped]
+      # Symbolize option keys
+      def symbolize_hash_keys: (Hash[untyped, untyped]) -> Hash[Symbol, untyped]
+      # Capture password policy control from last operation
+      def capture_password_policy: (Net::LDAP) -> void
 
       # Returns an array of SASL auth hashes
       def sasl_auths: (?Hash[Symbol, untyped]) -> Array[Hash[Symbol, untyped]]
 
-      # Returns initial credential (string) and a proc that accepts a challenge and returns the response
-      # Use Array[untyped] here to avoid tuple syntax issues in some linters; the runtime value
-      # is commonly a two-element array [initial_credential, proc].
+      # Returns initial credential and a proc that accepts a challenge and returns the response
       def sasl_bind_setup_digest_md5: (?Hash[Symbol, untyped]) -> Array[untyped]
       def sasl_bind_setup_gss_spnego: (?Hash[Symbol, untyped]) -> Array[untyped]
+
+      @try_sasl: bool?
+      @allow_anonymous: bool?
+      @tls_options: Hash[untyped, untyped]?
+      @sasl_mechanisms: Array[String]?
+      @disable_verify_certificates: bool?
     end
   end
 end

data/sig/omniauth/strategies/ldap.rbs

@@ -3,9 +3,6 @@ module OmniAuth
     class LDAP
       OMNIAUTH_GTE_V2: bool
 
-      # CONFIG is a read-only mapping of string keys to mapping definitions
-      CONFIG: Hash[String, untyped]
-
       # The request_phase either returns a Rack-compatible response or the form response.
       def request_phase: () -> (Rack::Response | Array[untyped] | String)
 
@@ -27,6 +24,12 @@ module OmniAuth
 
       # Perform a directory lookup for a given username; returns an Entry or nil
       def directory_lookup: (OmniAuth::LDAP::Adaptor, String) -> untyped
+
+      def uid: () { () -> String } -> void
+
+      def info: () { () -> Hash[untyped, untyped] } -> void
+
+      def extra: () { () -> Hash[Symbol, untyped] } -> void
     end
   end
 end

data/sig/omniauth-ldap.rbs

@@ -3,3 +3,8 @@
 # - sig/omniauth/ldap/adaptor.rbs
 # - sig/omniauth/strategies/ldap.rbs
 # This file is intentionally minimal to avoid duplicating declarations.
+
+module OmniAuth
+  module LDAP
+  end
+end

data/sig/rbs/net-ldap.rbs

@@ -5,6 +5,7 @@ module Net
     def open: () { (self) -> untyped } -> untyped
     def search: (?Hash[Symbol, untyped]) -> Array[Net::LDAP::Entry]
     def bind: (?Hash[Symbol, untyped]) -> bool
+    def get_operation_result: () -> Net::LDAP::PDU
   end
 
   class LDAP::Entry
@@ -15,5 +16,20 @@ module Net
     def self.construct: (String) -> Net::LDAP::Filter
     def self.eq: (String, String) -> Net::LDAP::Filter
   end
-end
 
+  class LDAP::Control
+    def initialize: (String, bool, untyped) -> void
+    def oid: () -> String
+  end
+
+  module LDAP::Controls
+    class PasswordPolicy
+      def initialize: () -> void
+      def oid: () -> String
+    end
+  end
+
+  class LDAP::PDU
+    def controls: () -> Array[untyped]
+  end
+end

data/sig/rbs/net-ntlm.rbs

@@ -4,6 +4,8 @@ module Net
     class Message
       def self.parse: (untyped) -> Net::NTLM::Message
       def response: (?Hash[Symbol, untyped], ?Hash[Symbol, untyped]) -> Net::NTLM::Message
+      # writer used by adaptor to set target name when a domain is present
+      def target_name=: (String) -> String
     end
 
     class Message::Type1
@@ -13,4 +15,3 @@ module Net
     def self.encode_utf16le: (String) -> String
   end
 end
-

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-ldap
 version: !ruby/object:Gem::Version
-  version: 2.3.1
+  version: 2.3.2
 platform: ruby
 authors:
 - Peter Boling
@@ -65,7 +65,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1'
+        version: '1.2'
     - - "<"
       - !ruby/object:Gem::Version
         version: '3'
@@ -75,7 +75,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1'
+        version: '1.2'
     - - "<"
       - !ruby/object:Gem::Version
         version: '3'
@@ -408,10 +408,10 @@ licenses:
 - MIT
 metadata:
   homepage_uri: https://omniauth-ldap.galtzo.com/
-  source_code_uri: https://github.com/omniauth/omniauth-ldap/tree/v2.3.1
-  changelog_uri: https://github.com/omniauth/omniauth-ldap/blob/v2.3.1/CHANGELOG.md
+  source_code_uri: https://github.com/omniauth/omniauth-ldap/tree/v2.3.2
+  changelog_uri: https://github.com/omniauth/omniauth-ldap/blob/v2.3.2/CHANGELOG.md
   bug_tracker_uri: https://github.com/omniauth/omniauth-ldap/issues
-  documentation_uri: https://www.rubydoc.info/gems/omniauth-ldap/2.3.1
+  documentation_uri: https://www.rubydoc.info/gems/omniauth-ldap/2.3.2
   funding_uri: https://github.com/sponsors/pboling
   wiki_uri: https://github.com/omniauth/omniauth-ldap/wiki
   news_uri: https://www.railsbling.com/tags/omniauth-ldap