Re: [Coquelicot] [PATCH] Add LDAP authentication (with uid lookup)

Hi!

Rowan Thorpe:

I squashed it to a single commit, which is below (can be applied in git, as it is "git format-patch" output). You may wish to add in the docs that the underlying ldap module doesn't validate server certs yet - I just added it as an in-code comment. Also, the copyright notices will need bumping to 2014 :-)

I'm finally getting to your patch. I have a couple of changes in the way, but I just wanted to highlight one thing:

•    result = ldap.bind_as( :base => settings.ldap_base,
  

•                           :filter => "(uid=" + params[:ldap_user] + ")",
  

•                           :password => params[:ldap_password] )
  

This code puts a user controlled string directly into the filter. Bad idea. Net::Ldap::Filter provides an `escape` method which is made for these occasions.