ruby-ldap + SSL

If you have trouble getting ruby-ldap to connect to an SSL-only LDAP server, there can be many reasons. From what I've seen today, the next time I have problems like this I'd check these things first:

  • Does ldapsearch -x -H ldaps://your.ldap.hostname work?
    • If not, fix this first. Usually you need to set TLS_CACERT in /etc/ldap/ldap.conf.
  • Check the underlying LDAP library. Ruby's ldap library can be linked against the OpenLDAP libldap or against the Netscape LDAP SDK. Make sure the command-line tools shipped with the library ruby-ldap is actually linked against can connect to your LDAP server.
  • Check that a minimal piece of code works, for example:

    require 'ldap'

    # Open an LDAP-over-SSL (ldaps) connection on the standard port 636
    conn = LDAP::SSLConn.new('your.ldap.hostname', 636)
    conn.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)
    # Simple bind; the block form unbinds the connection when the block returns
    conn.bind('cn=loginuser,o=foo', 'FOOPASSWORD') {
      conn.perror("bind")   # prints the library's error text for the last operation
    }

In my case, I was missing the TLS_CACERT config option in /etc/ldap/ldap.conf and was only getting a useless "Connect error" from Ruby.
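As an added diagnostic of my own (not code from the original post or from ruby-ldap), the Ruby below parses the ldap.conf directives that the OpenLDAP libldap build of ruby-ldap reads, reports a missing or dangling TLS_CACERT before any connection attempt, and can optionally run the same CA-verified TLS handshake an ldaps:// connection performs, so the specific OpenSSL verification error is printed instead of a bare "Connect error". It assumes the OpenLDAP libldap build (the one that reads /etc/ldap/ldap.conf); the hostname, port and CA bundle path are placeholders and the sample config is constructed.

```ruby
require 'openssl'
require 'socket'
# Constructed sample of a broken /etc/ldap/ldap.conf: the CA directive is
# commented out, which is exactly the state that produces "Connect error".
SAMPLE_CONF = <<~CONF
  BASE   o=foo
  URI    ldaps://your.ldap.hostname
  # TLS_CACERT /etc/ssl/certs/ca-certificates.crt
CONF

# Parse ldap.conf text ("KEY value" per line, '#' comment lines) into a hash.
def parse_ldap_conf(text)
  text.each_line.with_object({}) do |line, conf|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    conf[key.upcase] = value.to_s.strip
  end
end

# Explain, before touching the network, why certificate verification would
# fail. file_exists is injectable so the check can run without a real file.
def check_tls_config(conf, file_exists: ->(path) { File.file?(path) })
  ca = conf['TLS_CACERT']
  return ['TLS_CACERT is not set, so the server certificate cannot be verified'] if ca.nil? || ca.empty?
  return ["TLS_CACERT points to #{ca}, which does not exist"] unless file_exists.call(ca)
  []
end
# Live check (hypothetical helper, needs network): perform the same
# CA-verified TLS handshake an ldaps:// connection does, so the real OpenSSL
# verification error is shown instead of libldap's bare "Connect error".
def tls_handshake_ok?(host, port, ca_file)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.ca_file = ca_file
  tcp = TCPSocket.new(host, port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = host   # SNI, and the name post_connection_check verifies
  ssl.connect
  ssl.post_connection_check(host)
  true
rescue OpenSSL::SSL::SSLError, SystemCallError, SocketError => e
  warn "TLS handshake to #{host}:#{port} failed: #{e.message}"
  false
ensure
  ssl&.close
  tcp&.close
end
```

Run check_tls_config(parse_ldap_conf(File.read('/etc/ldap/ldap.conf'))) first; once it returns no findings, tls_handshake_ok?('your.ldap.hostname', 636, conf['TLS_CACERT']) exercises the verified handshake against the real server.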