Description
Using net/ldap with ldap.google.com:636:
require 'net/ldap'
ldap = Net::LDAP.new :host => 'ldap.google.com',
:port => 636,
:encryption => :simple_tls,
:auth => {
:method => :simple,
:username => 'test',
:password => 'test',
}
will result in this error:
`open_connection': hostname "ldap.google.com" does not match the server certificate (Net::LDAP::Error)
This is because of Google Secure LDAP's behavior: https://support.google.com/a/answer/9190869?hl=en
The Secure LDAP service requires a TLS client that supports and initiates a TLS session using SNI (Server Name Indication). If the TLS client does not support SNI, then the TLS server (ldap.google.com) returns a self-signed certificate that will not pass CA validation checks, to indicate that SNI is required.
To use SNI we have to add a call to conn.hostname in this part of the code (before calling conn.connect): https://github.com/ruby-ldap/ruby-net-ldap/blob/master/lib/net/ldap/connection.rb#L98
I tested this by hard coding conn.hostname to ldap.google.com:
@@ -95,6 +95,7 @@
ctx.set_params(tls_options) unless tls_options.empty?
conn = OpenSSL::SSL::SSLSocket.new(io, ctx)
+ conn.hostname = "ldap.google.com"
begin
if timeout
This fixed the error with regards to the certificate.
I'm planning on submitting a PR for this, but I figured I might open an issue first to see if I didn't miss anything.