ruby-ldap 0.9.11 → 0.9.12

data/ChangeLog

@@ -1,3 +1,21 @@
+Tue Dec 27 15:17:03 UTC 2011 Alexey Chebotar <alexey.chebotar@gmail.com>
+  * Version 0.9.12
+
+  * Enable client certificate authentication for mozilla ldap 6.0 only.
+    Thank to Yuri Arabadji.
+  * New patch for LDAP::Mod data corruption. Thanks to Aprotim Sanyal.
+  * Modify mod_type dangling pointer corruption. Thank you, anon!
+  * Fixed bug in ldap/ldif.rb (GH-6). Thanks to bbense.
+  * Added functions:
+      LDAP::Conn.open_uri(uri);
+      LDAP::explode_dn(dn, notypes);
+      LDAP::explode_rdn(rdn, notypes)
+    Thanks to Marek Veber and Antonio Terceiro.
+  * Fixed many memory leaks. Thanks to Marek Veber and Antonio Terceiro.
+  * Fixed compile with ruby 1.9.2. Thanks to Hiroki Najima.
+  * On windows, the default ldap library became wldap32.
+    Thanks to Hiroki Najima.
+
 Mon Mar 15 19:15:49 UTC 2010 Alexey Chebotar <alexey.chebotar@gmail.com>
   * Version 0.9.11
   * Allow passing SASL interaction options.

data/FAQ

@@ -1,6 +1,3 @@
-$Id: FAQ,v 1.6 2006/04/25 08:43:12 ianmacd Exp $
-
-
 FAQ
 ---
 
@@ -10,21 +7,19 @@ A. Create a LDAP::Mod object with the flag LDAP::LDAP_MOD_BVALUES as follows:
 
    entry = [
      LDAP::mod(LDAP::LDAP_MOD_ADD|LDAP_MOD_BVALUES, 'jpegPhoto', [jpeg_img]),
-     LDAP::mod(LDAP::LDAP_MOD_ADD, 'cn', ['Takaaki Tateishi']),
-     ...
+     LDAP::mod(LDAP::LDAP_MOD_ADD, 'cn', ['Takaaki Tateishi']) #, ...
    ]
    conn.add("dc=localhost, dc=localdomain", entry)
 
 
 
-Q. Is there shortcut method for adding/modifying entries.
+Q. Is there shortcut method for adding/modifying entries?
 
 A. Yes, there is. You can directly give LDAP::Conn#add/modify hash data as
    follows:
 
    entry = {
-     'objectclass' => [ 'top', 'person' ],
-     ...
+     'objectclass' => [ 'top', 'person' ] #, ...
    }
    conn.add( "cn=foobar, dc=localhost, dc=localdomain", entry )
 
@@ -49,7 +44,7 @@ A. Yes, as of version 0.9.4, you can. Set the size limit using
      conn.set_option( LDAP::LDAP_OPT_SIZELIMIT, 10 )
 
      conn.search2( 'dc=localhost,dc=localdomain',
-         	  LDAP::LDAP_SCOPE_SUBTREE, '(objectClass=*)' )
+                    LDAP::LDAP_SCOPE_SUBTREE, '(objectClass=*)' )
 
      if conn.err == LDAP::LDAP_SIZELIMIT_EXCEEDED
        # Results set was truncated by server.
@@ -60,3 +55,4 @@ A. Yes, as of version 0.9.4, you can. Set the size limit using
    will likely have its own maximum configured, so it can be important to
    check for this condition on all of your calls to LDAP::Conn#search and
    LDAP::Conn#search2.
+

data/NOTES

@@ -1,3 +1,32 @@
+0.9.12
+-----
+
+* On windows, the default ldap library became wldap32;
+* Fixed compile with ruby 1.9.2.
+
+Thank to Hiroki Najima!
+
+* Fixed many memory leaks;
+* Added functions:
+    LDAP::Conn.open_uri(uri);
+    LDAP::explode_dn(dn, notypes);
+    LDAP::explode_rdn(rdn, notypes).
+
+Thanks to Marek Veber and Antonio Terceiro!
+
+* Fixed bug in ldap/ldif.rb (GH-6).
+
+Thanks to bbense.
+
+* Fixed LDAP::Mod data corruption.
+
+Thanks to Aprotim Sanyal!
+
+* Enable client certificate authentication for mozilla ldap 6.0 only.
+
+Thanks to Yuri Arabadji!
+
+
 0.9.11
 -----
 

data/README

@@ -7,22 +7,20 @@ Copyright (C) 2009 Alexey Chebotar <alexey.chebotar@gmail.com>
 
 DESCRIPTION
 
-'Ruby/LDAP' is a Ruby extension library that provides an interface to the LDAP
+Ruby/LDAP is a Ruby extension library that provides an interface to the LDAP
 API as described in RFC1823.
 -------------------------------------------------------------------------------
 
 REQUIREMENT
 
-  * Ruby 1.8.x / 1.9.x (at least 1.8.2 if you want to use ldap/control)
+  * Ruby 1.8.x or 1.9.x
   * OpenLDAP, Netscape SDK, Windows 2003 or Windows XP
-
 -------------------------------------------------------------------------------
 
 PORTS
 
   * FreeBSD ("Akinori -Aki- MUSHA" <knu@idaemons.org>)
   * Debian (Akira Yamada <akira@ruby-lang.org>)
-
 -------------------------------------------------------------------------------
 
 BUILDING
@@ -41,7 +39,6 @@ install with:
 
 If you're building the software on Windows, you may need to use nmake instead
 of make.
-
 -------------------------------------------------------------------------------
 
 LICENSE
@@ -240,27 +237,34 @@ Here are some URLs that contain useful information about LDAP:
     http://ldap.hklc.com/
   * Object Identifiers Registry
     http://www.alvestrand.no/harald/objectid/
+-------------------------------------------------------------------------------
 
 THANKS
 
 This list maybe not correct. If you notice mistakes of this list, please point out.
 
-* atsu@@metallic.co.jp
+* Adam Doligalski
 * Akinori MUSHA
 * Akira Yamada
+* Anthony M. Martinez
+* Antonio Terceiro
+* Aprotim Sanyal
+* Chris Scharf
+* Hadmut Danisch
+* Hiroki Najima
+* Jan Mikkelsen
+* Kouhei Sutou
+* Marek Veber
+* Mark Kittisopikul
+* Michael Granger
+* Milos Jakubicek
 * Pirmin Kalberer
 * Radek Hnilica
-* Hadmut Danisch
-* Yuuzou Gotou
+* S. Potter
 * Tilo Sloboda
 * Usa Nakamura
-* Mark Kittisopikul
-* Jan Mikkelsen
-* Adam Doligalski
-* Chris Scharf
-* bidon: Patch.
-* Milos Jakubicek: Patch.
-* S. Potter [mbbx6spp]: Gem Packaging Support
-* Kouhei Sutou
-* Michael Granger: Patch.
-* Anthony M. Martinez: Patch.
+* Yuri Arabadji
+* Yuuzou Gotou
+* atsu@@metallic.co.jp
+* bbense
+* bidon

data/TODO

@@ -3,6 +3,16 @@
 To-do list
 ----------
 
+- Setup a vagrant boxes for tests:
+* 32/64 Ubuntu Lucid                ( ruby-ldap http://packages.ubuntu.com/lucid/libldap-ruby1.8 )
+* 32/64 Debian 6.0.3                ( ruby-ldap http://packages.debian.org/sid/ruby/libldap-ruby1.8 )
+* 32/64 Arch 2011.08.19             ( ruby-ldap https://aur.archlinux.org/packages.php?ID=13471 )
+* 32/64 FreeBSD 8.2 (9.0-RC1, 7.4)  ( ruby-ldap http://www.freebsd.org/cgi/cvsweb.cgi/ports/net/ruby-ldap/ )
+
+
+Ian's Td-do list
+----------
+
 - Support for more LDAPv3 controls and extensions.
 
 - DSML support.

data/clientauth.c

@@ -0,0 +1,605 @@
+/*
+ * clientauth.c
+ * Composed by Yuri Arabadji @ Fused Network
+ *
+ * bugs only: yuri[.@.]deepunix.net
+ */
+
+#include "ruby.h"
+#include "rbldap.h"
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#include <stdarg.h>
+#include <errno.h>
+
+#ifdef USE_SSL_CLIENTAUTH
+#warning ########################################################
+#warning
+#warning "        Enabling highly experimental code.            "
+#warning "Expect breakage, ice melting, floods and world terror."
+#warning
+#warning ########################################################
+
+#include <nspr/nspr.h>
+#include <ldap_ssl.h>
+#include <ldappr.h>
+#include <signal.h>
+
+// helpful macros
+#define LDAPTOOL_RESULT_IS_AN_ERROR( rc ) \
+                ( (rc) != LDAP_SUCCESS && (rc) != LDAP_COMPARE_TRUE \
+                && (rc) != LDAP_COMPARE_FALSE )
+
+/* copied from ldaprot.h - required to parse the pwpolicy ctrl */
+#define LDAP_TAG_PWP_WARNING	0xA0L   /* context specific + constructed */
+#define LDAP_TAG_PWP_SECSLEFT	0x80L   /* context specific + primitive */
+#define LDAP_TAG_PWP_GRCLOGINS	0x81L   /* context specific + primitive + 1 */
+#define LDAP_TAG_PWP_ERROR	0x81L   /* context specific + primitive + 1 */
+
+
+// checks for *SSL* error
+#define Check_LDAP_Error_MSG(retval, errmsg) { \
+  if( (long)(retval) == LDAP_OPT_ERROR ){ \
+    rb_raise(rb_eLDAP_ResultError, "%s. Lower layer reported: %s.", errmsg, ldapssl_err2string(PORT_GetError())); \
+  } \
+}
+
+////////////////////////////////////////////////////////////////////////////////
+
+VALUE rb_cLDAP_SSLAuthConn;
+
+// forward declare 'em
+VALUE rb_ldap_sslauthconn_initialize(int, VALUE[], VALUE);
+void ldaptool_print_referrals(char**);
+void print_to_stdout(char*, ...);
+void handle_sigint(int, siginfo_t*, void*);
+
+////////////////////////////////////////////////////////////////////////////////
+//
+//  Thank you, ldaptool / common.c!
+//
+////////////////////////////////////////////////////////////////////////////////
+
+/*
+ * Wait for a result, check for and display errors and referrals.
+ * Also recognize and display "Unsolicited notification" messages.
+ * Returns an LDAP error code.
+ */
+int
+wait4result(LDAP *ld, int msgid, struct berval **servercredp, char *msg) {
+    LDAPMessage *res;
+    int rc, received_only_unsolicited = 1;
+
+    while (received_only_unsolicited) {
+        res = NULL;
+        if ((rc = ldap_result(ld, msgid, 1, (struct timeval *) NULL, &res))
+                == LDAP_OPT_ERROR) {
+            return ldaptool_print_lderror(ld, msg);
+        }
+
+        /*
+         * Special handling for unsolicited notifications:
+         *    1. Parse and display contents.
+         *    2. go back and wait for another (real) result.
+         */
+        if (rc == LDAP_RES_EXTENDED
+                && ldap_msgid(res) == LDAP_RES_UNSOLICITED) {
+            rc = ldaptool_print_extended_response(ld, res,
+                    "Unsolicited response");
+        } else {
+            rc = parse_result(ld, res, servercredp, msg, 1);
+            received_only_unsolicited = 0; /* we're done */
+        }
+    }
+
+    return ( rc);
+}
+
+/*
+ * print contents of an extended response to stderr
+ * this is mainly to support unsolicited notifications
+ * Returns an LDAP error code (from the extended result).
+ */
+int
+ldaptool_print_extended_response( LDAP *ld, LDAPMessage *res, char *msg )
+{
+    char		*oid;
+    struct berval	*data;
+
+    if ( ldap_parse_extended_result( ld, res, &oid, &data, 0 )
+	    != LDAP_SUCCESS ) {
+        ldaptool_print_lderror( ld, msg);
+    } else {
+	if ( oid != NULL ) {
+	    if ( strcmp ( oid, LDAP_NOTICE_OF_DISCONNECTION ) == 0 ) {
+                print_to_stdout("%s: Notice of Disconnection\n", msg);
+	    } else {
+                print_to_stdout("%s: OID %s\n", msg, oid);
+	    }
+	    ldap_memfree( oid );
+	} else {
+            print_to_stdout("%s: missing OID\n", msg);
+	}
+
+	if ( data != NULL ) {
+            print_to_stdout("%s: Data (length %d):\n", msg, data->bv_len );
+#if 0
+/* XXXmcs: maybe we should display the actual data? */
+	    lber_bprint( data->bv_val, data->bv_len );
+#endif
+	    ber_bvfree( data );
+	}
+    }
+
+    return parse_result( ld, res, NULL, msg, 1 );
+}
+
+
+int
+parse_result(LDAP *ld, LDAPMessage *res, struct berval **servercredp,
+        char *msg, int freeit) {
+    int rc, lderr, errno;
+    char **refs = NULL;
+    LDAPControl **ctrls;
+
+    if ((rc = ldap_parse_result(ld, res, &lderr, NULL, NULL, &refs,
+            &ctrls, 0)) != LDAP_SUCCESS) {
+        (void) ldaptool_print_lderror(ld, msg);
+        ldap_msgfree(res);
+        return ( rc);
+    }
+
+    if ((rc = check_response_controls(ld, msg, ctrls, 1)) != LDAP_SUCCESS) {
+        ldap_msgfree(res);
+        return ( rc);
+    }
+
+    if (servercredp != NULL && (rc = ldap_parse_sasl_bind_result(ld, res,
+            servercredp, 0)) != LDAP_SUCCESS) {
+        (void) ldaptool_print_lderror(ld, msg);
+        ldap_msgfree(res);
+        return ( rc);
+    }
+
+    if (freeit) {
+        ldap_msgfree(res);
+    }
+
+    if (LDAPTOOL_RESULT_IS_AN_ERROR(lderr)) {
+        (void) ldaptool_print_lderror(ld, msg);
+    }
+
+    if (refs != NULL) {
+        ldaptool_print_referrals(refs);
+        ldap_value_free(refs);
+    }
+
+    return ( lderr);
+}
+
+/*
+ * check for response controls. authentication response control
+ * and PW POLICY control are the ones we care about right now.
+ */
+int
+check_response_controls(LDAP *ld, char *msg, LDAPControl **ctrls, int freeit) {
+    int i;
+    int errno;
+    int pw_days = 0, pw_hrs = 0, pw_mins = 0, pw_secs = 0; /* for pwpolicy */
+    char *s = NULL;
+    BerElement *ber = NULL;
+    static const char *pwpolicy_err2str[] = {
+        "Password has expired.",
+        "Account is locked.",
+        "Password has been reset by an administrator; you must change it.",
+        "Password change not allowed.",
+        "Must supply old password.",
+        "Invalid password syntax.",
+        "Password too short.",
+        "Password too young.",
+        "Password in history."
+    };
+
+    if (NULL != ctrls) {
+        for (i = 0; NULL != ctrls[i]; ++i) {
+
+            if (0 == strcmp(ctrls[i]->ldctl_oid,
+                    LDAP_CONTROL_AUTH_RESPONSE)) {
+                s = ctrls[i]->ldctl_value.bv_val;
+                if (NULL == s) {
+                    s = "Null";
+                } else if (*s == '\0') {
+                    s = "Anonymous";
+                }
+                print_to_stdout("%s: bound as %s\n", msg, s);
+            } /* end of LDAP_CONTROL_AUTH_RESPONSE */
+
+            if (0 == strcmp(ctrls[i]->ldctl_oid,
+                    LDAP_CONTROL_PWEXPIRING)) {
+
+                /* Warn the user his passwd is to expire */
+                errno = 0;
+                pw_secs = atoi(ctrls[i]->ldctl_value.bv_val);
+                if (pw_secs > 0 && errno != ERANGE) {
+                    if (pw_secs > 86400) {
+                        pw_days = (pw_secs / 86400);
+                        pw_secs = (pw_secs % 86400);
+                    }
+                    if (pw_secs > 3600) {
+                        pw_hrs = (pw_secs / 3600);
+                        pw_secs = (pw_secs % 3600);
+                    }
+                    if (pw_secs > 60) {
+                        pw_mins = (pw_secs / 60);
+                        pw_secs = (pw_secs % 60);
+                    }
+
+                    printf("%s: Warning ! Your password will expire after ", msg);
+                    if (pw_days) {
+                        printf("%d days, ", pw_days);
+                    }
+                    if (pw_hrs) {
+                        printf("%d hrs, ", pw_hrs);
+                    }
+                    if (pw_mins) {
+                        printf("%d mins, ", pw_mins);
+                    }
+                    printf("%d seconds.\n", pw_secs);
+                }
+            } /* end of LDAP_CONTROL_PWEXPIRING */
+
+            if (0 == strcmp(ctrls[i]->ldctl_oid,
+                    LDAP_X_CONTROL_PWPOLICY_RESPONSE)) {
+                ber_tag_t tag1 = 0, tag2 = 0, tag3 = 0;
+                ber_int_t warnvalue = 0;
+                int grclogins = -1, secsleft = -1;
+                ber_int_t errvalue = -1;
+                static int err2str_size = sizeof (pwpolicy_err2str) / sizeof (pwpolicy_err2str[0]);
+
+                if ((ber = ber_init(&(ctrls[i]->ldctl_value))) == NULL) {
+                    fprintf(stderr, "%s: not enough memory\n", msg);
+                    return ( LDAP_NO_MEMORY);
+                }
+                if (ber_scanf(ber, "{t", &tag1) == LBER_ERROR) {
+                    /* error */
+                    ber_free(ber, 1);
+                    return (ldaptool_print_lderror(ld, msg));
+                }
+                switch (tag1) {
+                    case LDAP_TAG_PWP_WARNING:
+                        if (ber_scanf(ber, "{ti}", &tag2, &warnvalue)
+                                == LBER_ERROR) {
+                            /* error */
+                            ber_free(ber, 1);
+                            return (ldaptool_print_lderror(ld, msg));
+                        }
+                        switch (tag2) {
+                            case LDAP_TAG_PWP_SECSLEFT:
+                                secsleft = (int) warnvalue;
+                                break;
+                            case LDAP_TAG_PWP_GRCLOGINS:
+                                grclogins = (int) warnvalue;
+                                break;
+                            default:
+                                /* error */
+                                ber_free(ber, 1);
+                                return (ldaptool_print_lderror(ld, msg));
+                        }
+                        /* Now check for the error value if it's present */
+                        if (ber_scanf(ber, "te", &tag3, &errvalue) != LBER_ERROR) {
+                            if (tag3 != LDAP_TAG_PWP_ERROR) {
+                                errvalue = -1;
+                            }
+                        }
+                        break;
+                    case LDAP_TAG_PWP_ERROR:
+                        if (ber_scanf(ber, "e}", &errvalue)
+                                == LBER_ERROR) {
+                            /* error */
+                            ber_free(ber, 1);
+                            return (ldaptool_print_lderror(ld, msg));
+                        }
+                        break;
+                    default: /* error */
+                        ber_free(ber, 1);
+                        return (ldaptool_print_lderror(ld, msg));
+                }
+
+                /* Now we have all the values */
+                if (secsleft >= 0) {
+                    fprintf(stderr, "%s: Password will expire in %d seconds\n",
+                            msg, secsleft);
+                }
+                if (grclogins >= 0) {
+                    fprintf(stderr, "%s: %d grace login(s) remain\n",
+                            msg, grclogins);
+                }
+                if (errvalue >= 0 && errvalue < err2str_size) {
+                    fprintf(stderr, "%s: %s\n",
+                            msg, pwpolicy_err2str[errvalue]);
+                } else if (errvalue != -1) {
+                    fprintf(stderr, "%s: %s\n",
+                            msg,
+                            "Invalid error value in password policy response control");
+                }
+            } /* end of LDAP_X_CONTROL_PWPOLICY_RESPONSE */
+
+        }
+
+        if (freeit) {
+            ldap_controls_free(ctrls);
+            ber_free(ber, 1);
+        }
+    }
+    return LDAP_SUCCESS;
+}
+
+
+/*
+ * Like ldap_sasl_bind_s() but calls wait4result() to display
+ * any referrals returned and report errors in a consistent way.
+ */
+int
+ldaptool_sasl_bind_s(LDAP *ld, const char *dn, const char *mechanism,
+        const struct berval *cred, LDAPControl **serverctrls,
+        LDAPControl **clientctrls, struct berval **servercredp, char *msg) {
+    int rc, msgid;
+
+    if (servercredp != NULL) {
+        *servercredp = NULL;
+    }
+
+    if ((rc = ldap_sasl_bind(ld, dn, mechanism, cred, serverctrls,
+            clientctrls, &msgid)) == LDAP_SUCCESS) {
+        rc = wait4result(ld, msgid, servercredp, msg);
+    }
+
+    return ( rc);
+}
+
+// Rebind in case we were unbound
+VALUE
+rb_ldap_sslauthconn_rebind(VALUE self)
+{
+  VALUE ary = rb_iv_get (self, "@args");
+
+  return rb_ldap_sslauthconn_initialize(RARRAY_LEN(ary), RARRAY_PTR(ary), self);
+}
+
+////////////////////////////////////////////////////////////////////////////////
+//
+//  .bind
+//
+////////////////////////////////////////////////////////////////////////////////
+
+/*
+ * call-seq:
+ * conn.bind(serverctrls = nil) {|conn| # optional block }
+ *   => self
+ *
+ * Bind a LDAP connection with SASL EXTERNAL method,
+ * with optional +serverctls+.
+ * If a block is given, +self+ is yielded to the block.
+ */
+VALUE
+rb_ldap_sslauthconn_s_bind(int argc, VALUE argv[], VALUE self) {
+    RB_LDAP_DATA *ldapdata;
+
+    VALUE arg1;
+
+    LDAPControl **bindctrls = NULL;
+
+    Data_Get_Struct(self, RB_LDAP_DATA, ldapdata);
+
+    if (ldapdata->bind == 0) {
+        if (rb_iv_get(self, "@args") != Qnil) {
+            rb_ldap_sslauthconn_rebind(self);
+            GET_LDAP_DATA(self, ldapdata);
+        } else {
+            rb_raise(rb_eLDAP_InvalidDataError,
+                    "The LDAP handler has already unbound.");
+        }
+    } else {
+        rb_raise(rb_eLDAP_Error, "already bound.");
+    };
+
+    switch (rb_scan_args(argc, argv, "01", &arg1)) {
+        case 1:
+            bindctrls = rb_ldap_get_controls(arg1);
+        case 0:
+            break;
+        default:
+            rb_bug("rb_ldap_sslauthconn_bind_s");
+    }
+
+    ldapdata->err = ldaptool_sasl_bind_s(ldapdata->ldap, NULL, LDAP_SASL_EXTERNAL, NULL,
+            bindctrls, NULL, NULL, "clientauth_ldap_sasl_bind");
+
+    Check_LDAP_Result(ldapdata->err);
+    ldapdata->bind = 1;
+
+    if (rb_block_given_p()) {
+        rb_ensure(rb_yield, self, rb_ldap_conn_unbind, self);
+        return Qnil;
+    } else {
+        return self;
+    };
+};
+
+////////////////////////////////////////////////////////////////////////////////
+//
+//  .new
+//
+////////////////////////////////////////////////////////////////////////////////
+VALUE
+rb_ldap_sslauthconn_initialize(int argc, VALUE argv[], VALUE self)
+{
+    RB_LDAP_DATA *ldapdata;
+    LDAP *cldap;
+    char *chost = NULL;
+    char *certpath = NULL;
+    char *certname = NULL;
+    char *keypass = NULL;
+    int cport = LDAP_PORT;
+    int ctls = 0;
+
+    VALUE host, port, tls, cp, cn, key_pw, sctrls, cctrls;
+
+    Data_Get_Struct(self, RB_LDAP_DATA, ldapdata);
+    if (ldapdata->ldap)
+        return Qnil;
+
+    int anum = rb_scan_args(argc, argv, "62", &host, &port, &tls, &cp, &cn, &key_pw, &sctrls, &cctrls);
+
+    if (anum < 6) {
+        rb_bug("rb_ldap_auth_conn_new");
+    } else if (anum >= 6) {
+        chost = StringValueCStr(host);
+        cport = NUM2INT(port);
+        ctls = (tls == Qtrue) ? 1 : 0;
+        certpath = (cp == Qnil) ? NULL : StringValueCStr(cp);
+        certname = (cn == Qnil) ? NULL : StringValueCStr(cn);
+        keypass = (key_pw == Qnil) ? NULL : StringValueCStr(key_pw);
+    }
+
+    // Here we go
+    Check_LDAP_Error_MSG(ldapssl_clientauth_init(certpath, NULL, (keypass == NULL) ? 0 : 1, NULL, NULL),
+            "SSLAuthConn: Failed to initialize NSS certificate storeage. -- ldapssl_clientauth_init");
+
+    // Make sure we can SIGINT
+    struct sigaction act = {
+        .sa_sigaction = handle_sigint,
+        .sa_flags = SA_RESTART | SA_SIGINFO
+    };
+
+    if (sigaction(SIGINT, &act, NULL) < 0) {
+        print_to_stdout("error setting sigint");
+    };
+
+    cldap = tls ? (LDAP*)prldap_init(chost, cport, 0) : ldapssl_init(chost, cport, 1);
+
+    Check_LDAP_Error_MSG((long) cldap,
+            "SSLAuthConn: Init failure");
+
+    Check_LDAP_Error_MSG(ldapssl_enable_clientauth(cldap, "", keypass, certname),
+            "SSLAuthConn: Couldn't enable client auth");
+
+    if (tls) {
+        Check_LDAP_Error_MSG(ldap_start_tls_s(cldap, NULL, NULL),
+            "SSLAuthConn: TLS failure");
+    }
+
+    // protect key
+    char* ptr_orig = StringValuePtr(key_pw);
+    char* iptr = ptr_orig;
+    while ((iptr - ptr_orig <= 16) && ((char)*iptr != '\0')) {
+        *iptr++ = 'X';
+    }
+
+    // set ruby stuff
+    ldapdata->ldap = cldap;
+    rb_iv_set(self, "@args", rb_ary_new4(argc, argv));
+
+    return Qnil;
+}
+
+////////////////////////////////////////////////////////////////////////////////
+//
+//  Fancy printing stuff goes here
+//
+////////////////////////////////////////////////////////////////////////////////
+
+/*
+ *  Print referrals to stdout
+ */
+void
+ldaptool_print_referrals(char **refs) 
+{
+    int i;
+
+    if (refs != NULL) {
+        for (i = 0; refs[ i ] != NULL; ++i) {
+            print_to_stdout("Referral: %s\n", refs[i]);
+        }
+    }
+}
+
+/*
+ * Retrieve and print an LDAP error message.  Returns the LDAP error code.
+ */
+int
+ldaptool_print_lderror( LDAP *ld, char *msg)
+{
+    int lderr = ldap_get_lderrno( ld, NULL, NULL );
+
+    ldap_perror(ld, msg);
+
+    int sslerr = PORT_GetError();
+
+    rb_warn("%s SSL sublayer reported error: ", msg, ldapssl_err2string(sslerr));
+
+    return(lderr);
+}
+
+void
+print_to_stdout(char* format, ...) {
+    static char buf[512] = "";
+    va_list ap;
+    
+    va_start(ap, format);
+    vsnprintf(buf, sizeof(buf) - 1, format, ap);
+    rb_io_write(rb_stdout, rb_str_new2(buf));
+    va_end(ap);
+}
+
+void handle_sigint(int sig, siginfo_t *siginfo, void *context) {
+    print_to_stdout("Requested to terminate [%d].\n", sig);
+    exit(0);
+}
+
+VALUE
+rb_ldap_sslauthconn_s_open(int argc, VALUE argv[], VALUE klass)
+{
+    rb_notimplement();
+}
+
+/*
+ * call-seq:
+ * LDAP::SSLAuthConn.new(host='localhost', port=LDAP_PORT,
+ *                   start_tls=false, cert_path, cert_nickname,
+ *                   key_password, sctrls=nil, cctrls=nil)
+ *
+ *   => LDAP::SSLAuthConn
+ *
+ * Return a new LDAP::SSLConn connection to the server, +host+, on port +port+.
+ * If +start_tls+ is *true*, START_TLS will be used to establish the
+ * connection, automatically setting the LDAP protocol version to v3 if it is
+ * not already set.
+ *
+ * +sctrls+ is an array of server controls, whilst +cctrls+ is an array of
+ * client controls.
+ *
+ * Method accepts at least 6 parameters and an optional block.
+ *
+ */
+void
+Init_ldap_clientauth()
+{
+    rb_cLDAP_SSLAuthConn =
+            rb_define_class_under(rb_mLDAP, "SSLAuthConn", rb_cLDAP_SSLConn);
+    rb_define_singleton_method(rb_cLDAP_SSLAuthConn, "open",
+            rb_ldap_sslauthconn_s_open, -1);
+    rb_define_method(rb_cLDAP_SSLAuthConn, "initialize",
+            rb_ldap_sslauthconn_initialize, -1);
+
+    rb_define_method(rb_cLDAP_SSLAuthConn, "bind",
+            rb_ldap_sslauthconn_s_bind, -1);
+
+}
+
+#endif