I'm using https://github.com/ruby-ldap/ruby-net-ldap gem to connect/bind to LDAP
treebase = "ou=xxxxxx,dc=xxxxx,dc=xx"
credentials = {
:username => "myusername,ou=xxxxxx,dc=xxxxx,dc=xx",
:password => "password"
}
encryption = {
:method => :simple_tls,
:tls_options => { :ca_path => "folder/Chain/pem_folder"}
}
# pem_folder = folder that contains multiple pem files
ldap = Net::LDAP.new :host => "hostname.example.com",
:port => 636,
:encryption => encryption,
:base => treebase,
:auth => credentials
ldap.bind
The above code results in
ruby-2.2.2/gems/net-ldap-0.12.1/lib/net/ldap/connection.rb:47:in open_connection': SSL_connect returned=1 errno=0 state=error: certificate verify failed (Net::LDAP::Error)
I have a feeling it has something to do with the multiple certs but not sure.
What worked for me was
Make sure you are connected to VPN if needed to be on the network
follow the instruction here specially the part about rehashing with c_rehash
my username was also missing uid= before which was causing failed binding
Stackoverflow also helped but I used Figaro Gem instead
Related
I am running a sinatra based web application using Webrick. I was able to setup TLS using my self-signed server certificates and webrick starts in TLS mode, but I am not able to make a connection to server using client certificate (cert based authentication).
Server logs says "ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=error: certificate verify failed"
But the same certificates (both server and client) are working with apache server.
def self.run!
server_options = {
:Host => '0.0.0.0',
:Port => 33443,
:SSLEnable => true,
:SSLVerifyClient => OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT | OpenSSL::SSL::VERIFY_PEER,
:SSLVerifyDepth => 3,
:SSLCertificate => OpenSSL::X509::Certificate.new(File.open('/Users/cert.pem').read),
:SSLPrivateKey => OpenSSL::PKey::RSA.new(File.open('/Users/key.pem').read),
:SSLClientCA => OpenSSL::X509::Certificate.new(File.open('/Users/cai.cer').read)
}
Rack::Handler::WEBrick.run self, server_options do |server|
[:INT, :TERM].each { |sig| trap(sig) { server.stop } }
server.threaded = settings.threaded if server.respond_to? :threaded=
set :running, true
end
end
This issue was fixed by providing the cacert file as :SSLCACertificateFile in server options instead of :SSLClientCA.
server_options = {
:Host => '0.0.0.0',
:Port => 443,
:SSLEnable => true,
:SSLVerifyClient => OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT | OpenSSL::SSL::VERIFY_PEER,
:SSLVerifyDepth => 4,
:SSLCertificate => OpenSSL::X509::Certificate.new(File.open('/Users/cert.pem').read),
:SSLPrivateKey => OpenSSL::PKey::RSA.new(File.open('/Users/key.pem').read),
:SSLCACertificateFile => '/Users/cai.cer'
}
I am attempting to pull information from an ldap database. When I do I get the following error.
/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap/connection.rb:64:in `open_connection': SSL_connect returned=1 errno=0 state=error: dh key too small (Net::LDAP::Error)
from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap/connection.rb:699:in `socket'
from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap.rb:1311:in `new_connection'
from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap.rb:1288:in `use_connection'
from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap.rb:771:in `block in search'
from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap/instrumentation.rb:19:in `instrument'
from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap.rb:770:in `search'
from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap.rb:1195:in `search_root_dse'
from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap.rb:1261:in `paged_searches_supported?'
from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap.rb:763:in `search'
from ldap.rb:15:in `<main>'
Here is my code
require 'net/ldap'
ldap = Net::LDAP.new :host => "ldap.umn.edu", # your LDAP host name or IP goes here,
:port => "636", # your LDAP host port goes here,
:encryption => :simple_tls,
tls_options: { verify_mode: OpenSSL::SSL::VERIFY_NONE },
:base => "o=University of Minnesota,c=US", # the base of your AD tree goes here,
:auth => {
:method => :simple,
:username => "", # a user w/sufficient privileges to read from AD goes here,
:password => "" # the user's password goes here
}
search_filter = Net::LDAP::Filter.eq("uid", "hamle010")
ldap.search(:filter => search_filter, :return_result => false) { |item|
puts item
}
I have tried changing the auth from simple to anonymous, because this ldap supports it supposedly. I have also tried using start_tls instead of simple_tls.
I had this working one time. I have not changed the code at all and a minute later it stated failing again. I am very sure the ldap server is running.
How do I resolve this issue?
I am trying hit an internal testing API server using RestClient and Ruby v. 2.2.1.
This is essentially the code:
url = "https://10.10.0.10/thing/i/want/to/get"
header = {
:content_type => "application/json",
:"x-auth-token" => "testingtoken"
}
response = RestClient.get url, header
This is the failure message I get:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (RestClient::SSLCertificateNotVerified)
If I'm reading this right, it looks like Ruby couldn't accept the SSL security certificate. This call works in the Chrome app Postman, but in order for it to work, I have to hit the URL in Chrome itself and accept that the connection is not secure (but proceed anyway), and THEN it will work in postman.
Is there a way to ignore the certificate failures and proceed anyway in Ruby?
Try using #execute(&block) with verify_ssl set to false.
:verify_ssl enable ssl verification, possible values are constants
from OpenSSL::SSL::VERIFY_*, defaults to OpenSSL::SSL::VERIFY_PEER
url = "https://10.10.0.10/thing/i/want/to/get"
headers = {
:content_type => "application/json",
:"x-auth-token" => "testingtoken"
}
RestClient::Request.execute(
:url => url,
:method => :get,
:headers => headers,
:verify_ssl => false
)
see: http://www.rubydoc.info/github/rest-client/rest-client/RestClient/Request#execute-instance_method
RVM
Additional solution for RVM users from: https://toadle.me/2015/04/16/fixing-failing-ssl-verification-with-rvm.html
This discussion on Github finally gave the solution: Somehow RVM comes
with a precompiled version of ruby that is statically linked against
an openssl that looks into /etc/openssl for it's certificates.
What you wanna do is NOT TO USE any of the precompiled rubies and
rather have ruby compiled on your local machine, like so:
rvm install 2.2.0 --disable-binary
rest-client verify certificates using the system's CA store on all platforms by default. But is possible set to false the option :verify_ssl or specify :ssl_ca_file or :ssl_ca_path or :ssl_cert_store to customize the certificate authorities accepted.
See documentation
So you could simply set :verify_ssl to false:
url = "https://10.10.0.10/thing/i/want/to/get"
header = {
:content_type => "application/json",
:"x-auth-token" => "testingtoken"
}
resource = RestClient::Resource.new(
url,
headers: header,
verify_ssl: false
)
response = resource.get
You could try immediately with a host which use a self-signed certificated provided by https://badssl.com/. Simply copy the snippet below in your irb console.
response = RestClient::Resource.new(
'https://self-signed.badssl.com/',
:verify_ssl => false
).get
I'm attempting to use the SoundCloud SDK for user authentication. My first route after a user clicks "sign in":
get "/login" do
client = Soundcloud.new(:client_id => 'MY_ID',
:client_secret => 'MY_SECRET',
:redirect_uri => 'http://localhost:9393/signed_in')
redirect client.authorize_url()
end
I then have the next route where they are redirected:
get "/signed_in" do
client = Soundcloud.new(:client_id => '16d6ada1a0cfc5009f7d59d203a13b2f',
:client_secret => '845df7d44dc4e359fedc8ed5944d29a5',
:redirect_uri => 'http://localhost:9393/signed_in')
code = params[:code]
access_token = client.exchange_token(:code => code)
end
I can succesfully hit the redirect url and a code is passed back, but I receieve the following error from Sinatra:
OpenSSL::SSL::SSLError at /signed_in
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
I've read these popular articles:
http://railsapps.github.io/openssl-certificate-verify-failed.html
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
amongst many others
When I type:
rvm osx-ssl-certs status all
my result is
Certificates for /usr/local/etc/openssl/cert.pem: Up to date.
I'm currently using ruby 2.1.1 on Mac 10.6.8. I've gone thru about 20 stack overflow questions on this topic and I'm unable to move past this issue.
Download http://curl.haxx.se/ca/ca-bundle.crt
Copy certificate into /usr/local/etc/openssl/certs/
Make omniauth.rb look like this:
options = {
scope: "email",
:prompt => "select_account",
access_type: 'offline',
:client_options => {
:ssl => {
:ca_file => "/usr/local/etc/openssl/certs/ca-bundle.crt",
:ca_path => "/usr/local/etc/openssl/certs"
}
}
}
Rails.application.config.middleware.use OmniAuth::Builder do
provider :google_oauth2, Rails.application.secrets.client_id, Rails.application.secrets.client_secret, options
end
There is a gem to fix this issue, try adding gem 'certified', '~> 1.0'to your Gemfile.
I am reading documents regarding NET::LDAP with TLS. But I could not find any mentioning regarding enforcing certificate validation with start_tls. The sample code is attached below.
ldap = Net::LDAP.new :host => params["host"],
:base => params["base_dn"],
:encryption => :start_tls,
:port => params["port"],
:auth => { :username => params["bind_dn"],
:password => params["bind_pw"],
:method => :simple
}
The document here "http://net-ldap.rubyforge.org/Net/LDAP.html#method-i-encryption" mentions there is no SSL certificate validation for simple_tls. But there is no information regarding start_tls.
no, I checked the latest 0.6.1 version, this functionality is still missing.
simple_tls is actually LDAPS which usually on port 636.