How to tell Ruby Net/Ldap to ignore server cert hostname mismatch?

Tags:

ruby

openldap

I'm setting up a test environment which consists of VM clones of our production servers. I have all the clones behind a single IP (on the hypervisor) and doing NAT (Linux) to access the services in the test environment.

I have a DNS record on my test instance IP named 'test.internal.com'. When I want to contact the LDAP server in 'testing', I can issue ldapsearch from the command line to retrieve information (this succeeds OK).

Now I'd like to connect to the test instance to test my Ruby applications; however, when I connect, Ruby says: `hostname "test.internal.com" does not match the server certificate (Net::LDAP::Error)`. Obviously this is true, since the certificate on my LDAP server is not configured for test.internal.com.

Do I need to get a new cert for my LDAP server with an alternative name for test.internal.com or is there some way to tell Ruby to ignore the problem? I've found OpenSSL::SSL::VERIFY_NONE for the tls_options but it doesn't seem to be working.

#!/usr/bin/ruby

require 'net/ldap'
require 'io/console'
require 'highline/import'

ldapHost = 'test.internal.com'
ldapPort = 8389                    # port as an integer rather than a string
baseDn   = "dc=internal,dc=com"

user = gets.chomp                  # strip the trailing newline before building the DN
username = "uid=" + user + ',ou=users,dc=internal,dc=com'
password = ask("Password: ") { |q| q.echo = "*" }

# tls_options is given at the top level here; this is the setting that does not take effect
ldap_con = Net::LDAP.new({ :host => ldapHost,
                           :port => ldapPort,
                           :base => baseDn,
                           :encryption => :start_tls, :tls_options => { :verify_mode => OpenSSL::SSL::VERIFY_NONE },
                           :auth => { :method => :simple, :username => username, :password => password }
                         })

# search for all posixGroup entries under the base DN and print their DNs
op_filter = Net::LDAP::Filter.eq("objectClass", "posixGroup")

ldap_con.search(:base => baseDn, :filter => op_filter, :attributes => ['dn']) do |entry|
  puts "DN: #{entry.dn}"
end
Koko asked Jan 31 '23 02:01


1 Answer

Counter to the documentation, tls_options are not a top level argument for the connection object, but rather an argument to the encryption key:

ldap_con = Net::LDAP.new({ :host => ldapHost,
                           :port => ldapPort,
                           :base => baseDn,
                           :encryption => {
                               :method => :start_tls,
                               :tls_options => { :verify_mode => OpenSSL::SSL::VERIFY_NONE }
                           },
                           :auth => { :method => :simple, :username => username, :password => password }
                         })
Mahlon E. Smith answered Feb 05 '23 18:02
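An added example, not from the question, the answer, or the net-ldap gem itself, that shows two things: the identity check behind the "hostname does not match the server certificate" error (OpenSSL's own `verify_certificate_identity`, run against constructed self-signed certificates), and a small builder for the option hash in the nesting the answer gives, with `tls_options` under `:encryption`. It defaults to `VERIFY_PEER` plus a CA file and only produces `VERIFY_NONE` when explicitly asked for, so the insecure setting cannot leak into a production configuration by accident. The function names, the certificate names and the CA file path are assumptions for the illustration; only the `openssl` standard library is required.

```ruby
require 'openssl'

# Constructed test certificate (not a real internal CA): self-signed, with the
# given subject CN and optional DNS subjectAltNames.
def make_cert(cn, sans)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  unless sans.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    cert.add_extension(ef.create_extension('subjectAltName',
                                           sans.map { |s| "DNS:#{s}" }.join(',')))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

# The identity check that yields the "hostname ... does not match the server
# certificate" error: does the name the client connected to appear in the
# certificate's DNS SANs (or, when there are no SANs, in its CN)?
def hostname_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Option hash in the nesting the answer shows: tls_options sits under
# :encryption, not at the top level. verify: :peer keeps chain and hostname
# checks on and pins trust to ca_file (path assumed, supplied by the caller);
# verify: :none switches both off, which only makes sense for a throwaway
# test clone that holds no real credentials.
def ldap_options(host:, port:, base:, auth:, ca_file: nil, verify: :peer)
  tls = case verify
        when :peer then { verify_mode: OpenSSL::SSL::VERIFY_PEER, ca_file: ca_file }.compact
        when :none then { verify_mode: OpenSSL::SSL::VERIFY_NONE }
        else raise ArgumentError, "verify must be :peer or :none, got #{verify.inspect}"
        end
  {
    host: host,
    port: Integer(port),
    base: base,
    encryption: { method: :start_tls, tls_options: tls },
    auth: auth,
  }
end

if __FILE__ == $PROGRAM_NAME
  # Production-style cert named only for ldap.internal.com, and the cert that
  # actually fixes the mismatch: one whose SANs also list the test name.
  prod  = make_cert('ldap.internal.com', [])
  fixed = make_cert('ldap.internal.com', %w[ldap.internal.com test.internal.com])
  puts "prod cert vs test.internal.com: #{hostname_matches?(prod, 'test.internal.com')}"   # false
  puts "SAN cert  vs test.internal.com: #{hostname_matches?(fixed, 'test.internal.com')}"  # true
  p ldap_options(host: 'test.internal.com', port: '8389', base: 'dc=internal,dc=com',
                 auth: { method: :simple, username: 'uid=someone,ou=users,dc=internal,dc=com',
                         password: 'secret' },
                 ca_file: '/path/to/internal-ca.pem')   # assumed CA bundle path
end
```

The hash from `ldap_options` is what you would hand to `Net::LDAP.new` in place of the literal in the answer. Reissuing the server certificate with `test.internal.com` in its SANs (the `fixed` case) keeps verification on and removes the error; `verify: :none` removes the error by not checking at all, so a misdirected or intercepted connection would go unnoticed, which is acceptable only inside an isolated test clone.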