Merge pull request #110 from omniauth/feat/docs-tls-verification

Author: pboling

CHANGELOG.md

@@ -33,6 +33,7 @@ Please file a bug if you notice a violation of semantic versioning.
 - Support custom LDAP attributes mapping
 - Raise a distinct error when LDAP server is unreachable
   - Previously raised an invalid credentials authentication failure error, which is technically incorrect
+- Documentation of TLS verification options
 
 ### Changed
 

README.md

@@ -81,6 +81,50 @@ use OmniAuth::Strategies::LDAP,
 
 All of the listed options are required, with the exception of `:title`, `:name_proc`, `:bind_dn`, and `:password`.
 
+## TLS certificate verification
+
+This gem enables TLS certificate verification by default when you use `encryption: "ssl"` (LDAPS / simple TLS) or `encryption: "tls"` (STARTTLS). We always pass `tls_options` to Net::LDAP based on `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS`, which includes `verify_mode: OpenSSL::SSL::VERIFY_PEER` and sane defaults.
+
+- Secure by default: you do not need to set anything extra to verify the LDAP server certificate.
+- To customize trust or ciphers, supply your own `tls_options`, which are merged over the safe defaults.
+- If you truly need to skip verification (not recommended), set `disable_verify_certificates: true`.
+
+Examples:
+
+```ruby
+# Verify server certs (default behavior)
+use OmniAuth::Strategies::LDAP,
+  host: ENV["LDAP_HOST"],
+  port: 636,
+  encryption: "ssl",  # or "tls"
+  base: "dc=example,dc=com",
+  uid:  "uid"
+
+# Use a private CA bundle and restrict protocol/ciphers
+use OmniAuth::Strategies::LDAP,
+  host: ENV["LDAP_HOST"],
+  port: 636,
+  encryption: "ssl",
+  base: "dc=example,dc=com",
+  uid:  "uid",
+  tls_options: {
+    ca_file: "/etc/ssl/private/my_org_ca.pem",
+    ssl_version: "TLSv1_2",
+    ciphers: ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"],
+  }
+
+# Opt out of verification (NOT recommended – use only in trusted test/dev scenarios)
+use OmniAuth::Strategies::LDAP,
+  host: ENV["LDAP_HOST"],
+  port: 636,
+  encryption: "ssl",
+  base: "dc=example,dc=com",
+  uid:  "uid",
+  disable_verify_certificates: true
+```
+
+Note: Net::LDAP historically defaulted to no certificate validation when `tls_options` were not provided. This library mitigates that by always providing secure `tls_options` unless you explicitly disable verification.
+
 ## 💡 Info you can shake a stick at
 
 | Tokens to Remember      | [![Gem name][⛳️name-img]][⛳️gem-name] [![Gem namespace][⛳️namespace-img]][⛳️gem-namespace]                                                                                                                                                                                                                                                                          |

docs/OmniAuth.html

@@ -107,7 +107,7 @@ <h2>Defined Under Namespace</h2>
 </div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/OmniAuth/LDAP.html

@@ -135,7 +135,7 @@ <h2>
 </div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/OmniAuth/LDAP/Adaptor.html

@@ -1273,7 +1273,9 @@ <h3 class="signature first" id="bind_as-instance_method">
 173
 174
 175
-176</pre>
+176
+177
+178</pre>
     </td>
     <td>
       <pre class="code"><span class="info file"># File 'lib/omniauth-ldap/adaptor.rb', line 131</span>
@@ -1284,6 +1286,8 @@ <h3 class="signature first" id="bind_as-instance_method">
   <span class='ivar'>@last_password_policy_response</span> <span class='op'>=</span> <span class='kw'>nil</span>
   <span class='ivar'>@connection</span><span class='period'>.</span><span class='id identifier rubyid_open'>open</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_me'>me</span><span class='op'>|</span>
     <span class='id identifier rubyid_rs'>rs</span> <span class='op'>=</span> <span class='id identifier rubyid_me'>me</span><span class='period'>.</span><span class='id identifier rubyid_search'>search</span><span class='lparen'>(</span><span class='id identifier rubyid_args'>args</span><span class='rparen'>)</span>
+    <span class='id identifier rubyid_raise'>raise</span> <span class='const'><span class='object_link'><a href="Adaptor/ConnectionError.html" title="OmniAuth::LDAP::Adaptor::ConnectionError (class)">ConnectionError</a></span></span><span class='period'>.</span><span class='id identifier rubyid_new'><span class='object_link'><a href="#initialize-instance_method" title="OmniAuth::LDAP::Adaptor#initialize (method)">new</a></span></span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>LDAP search operation failed</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span> <span class='kw'>unless</span> <span class='id identifier rubyid_rs'>rs</span>
+
     <span class='kw'>if</span> <span class='id identifier rubyid_rs'>rs</span> <span class='op'>&amp;&amp;</span> <span class='id identifier rubyid_rs'>rs</span><span class='period'>.</span><span class='id identifier rubyid_first'>first</span>
       <span class='id identifier rubyid_dn'>dn</span> <span class='op'>=</span> <span class='id identifier rubyid_rs'>rs</span><span class='period'>.</span><span class='id identifier rubyid_first'>first</span><span class='period'>.</span><span class='id identifier rubyid_dn'>dn</span>
       <span class='kw'>if</span> <span class='id identifier rubyid_dn'>dn</span>
@@ -1334,7 +1338,7 @@ <h3 class="signature first" id="bind_as-instance_method">
 </div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/OmniAuth/LDAP/Adaptor/AuthenticationError.html

@@ -114,7 +114,7 @@
 </div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/OmniAuth/LDAP/Adaptor/ConfigurationError.html

@@ -114,7 +114,7 @@
 </div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/OmniAuth/LDAP/Adaptor/ConnectionError.html

@@ -114,7 +114,7 @@
 </div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/OmniAuth/LDAP/Adaptor/LdapError.html

@@ -114,7 +114,7 @@
 </div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>

docs/OmniAuth/LDAP/Version.html

@@ -111,7 +111,7 @@ <h2>
 </div>
 
       <div id="footer">
-  Generated on Thu Nov  6 02:24:32 2025 by
+  Generated on Thu Nov  6 04:21:53 2025 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.37 (ruby-3.4.7).
 </div>