2 ways to access a firewalled LDAP server from a Heroku Ruby App


Integrating a Ruby app with a corporate LDAP service is straightforward. Just install the Ruby Net LDAP library and away you go.

You can run into a problem, though, when deploying your app to the cloud on something like Heroku, because it's likely that the LDAP server will be behind a corporate firewall. Creating a firewall rule that allows you to reach the LDAP server from Heroku requires a static IP, which Heroku won't give you out of the box. This is where our service, QuotaGuard Static, comes in: it gives you a load-balanced pair of static IP addresses that you can proxy traffic through. As part of this we offer a SOCKS5 proxy, which can handle LDAP traffic.

Once you have provisioned our service you have two options. The best fit depends on your exact use case so feel free to leave us a comment if you’d like more advice.

1. Use our SOCKS wrapper script

The wrapper sends all outbound TCP traffic through our SOCKS5 proxy, including all Active Directory (AD) calls. We have an example Rails LDAP app showing this on our GitHub.

Pros
* Easy to configure, just a one line install.
* If you know the Active Directory (AD) host’s public DNS/IP address you can add an IP Mask to only send AD traffic through the proxy, reducing the number of calls you make through QuotaGuard Static.

Cons
* If you have multiple or often changing AD hosts then maintaining an appropriate mask can be a maintenance overhead
* The wrapper only works on Linux so if you’re developing on Apple OSX or Windows you can’t test it locally

2. Use our patched version of net-ldap.

We have produced a patched version of net-ldap which routes all LDAP traffic through our SOCKS proxy. This uses a patched version of socksify-ruby so you just need to add these two lines to your Gemfile to get started:

gem 'socksify', github: 'quotaguard/socksify-ruby', branch: 'master'
gem 'net-ldap', github: 'quotaguard/ruby-net-ldap', branch: 'master'

Pros
* Works across all platforms
* No extra configuration needed when you add more AD hosts or AD hostnames change

Cons
* Relies on our custom gems which we’re not constantly updating with upstream changes
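A worked Ruby example, added here and not taken from the post or from QuotaGuard's gems, that pulls the two options together: it reproduces the wrapper's IP-mask rule from option 1 in Ruby so that only AD destinations go through the proxy, parses the SOCKS5 proxy URL, and builds a Net::LDAP client that always uses LDAPS with peer verification, since the bind password crosses the proxy operator's network. The environment variable names QUOTAGUARD_SOCKS_URL and LDAP_PROXY_MASK are constructed placeholders, and the socksify wiring via TCPSocket.socks_server= / socks_port= / socks_username= / socks_password= is an assumption about that gem's API; whether a stock net-ldap honours those global settings depends on the gem versions, which is exactly what the patched gems in option 2 exist to address. Only connect_ldap needs the gems installed; everything else runs with the standard library.

```ruby
# Added example (not QuotaGuard's code): proxy-aware Net::LDAP setup for a
# firewalled AD host, with the wrapper's "IP mask" rule reproduced in Ruby.
#
# Assumptions (not from the post):
#   * QUOTAGUARD_SOCKS_URL (constructed name) holds socks5://user:pass@host:port
#   * LDAP_PROXY_MASK (constructed name) is a comma-separated list of CIDR ranges
#   * socksify exposes TCPSocket.socks_server= / socks_port= / socks_username= /
#     socks_password= (assumed API); the gems are only required inside connect_ldap
require 'uri'
require 'ipaddr'
require 'openssl'

module ProxiedLdap
  module_function

  # Parse socks5://user:pass@host:port into the fields the proxy client needs.
  def parse_proxy_url(url)
    uri = URI.parse(url)
    raise ArgumentError, 'expected a socks5:// URL' unless uri.scheme == 'socks5'
    raise ArgumentError, 'proxy URL needs host and port' if uri.host.nil? || uri.port.nil?
    {
      host: uri.host,
      port: uri.port,
      user: uri.user && URI.decode_www_form_component(uri.user),
      password: uri.password && URI.decode_www_form_component(uri.password)
    }
  end

  # "10.0.0.0/8, 203.0.113.5/32" -> [IPAddr, IPAddr]; empty mask -> [].
  def parse_mask(mask)
    return [] if mask.nil? || mask.strip.empty?
    mask.split(',').map { |cidr| IPAddr.new(cidr.strip) }
  end

  # Mirror the wrapper's rule: no mask means everything is proxied; with a mask,
  # only destinations inside one of the ranges go through the proxy.
  def proxy?(dest_ip, ranges)
    return true if ranges.empty?
    ip = IPAddr.new(dest_ip)
    ranges.any? { |range| range.include?(ip) }
  end

  # Net::LDAP options for an AD host: LDAPS on 636 with certificate verification,
  # so the bind credentials are never sent in clear text across the proxy path.
  def ldap_options(host, bind_dn, password, port: 636)
    {
      host: host,
      port: port,
      encryption: {
        method: :simple_tls,
        tls_options: { verify_mode: OpenSSL::SSL::VERIFY_PEER }
      },
      auth: { method: :simple, username: bind_dn, password: password }
    }
  end

  # Wire it together. Only this method needs the socksify and net-ldap gems.
  def connect_ldap(ad_host, ad_ip, bind_dn, password,
                   proxy_url: ENV['QUOTAGUARD_SOCKS_URL'],
                   mask: ENV['LDAP_PROXY_MASK'])
    require 'socksify'
    require 'net/ldap'
    if proxy?(ad_ip, parse_mask(mask))
      proxy = parse_proxy_url(proxy_url)
      TCPSocket.socks_server   = proxy[:host]      # assumed socksify API
      TCPSocket.socks_port     = proxy[:port]
      TCPSocket.socks_username = proxy[:user]
      TCPSocket.socks_password = proxy[:password]
    end
    ldap = Net::LDAP.new(ldap_options(ad_host, bind_dn, password))
    raise "LDAP bind failed: #{ldap.get_operation_result.message}" unless ldap.bind
    ldap
  end
end
```

Keeping the mask decision in a pure function (proxy?) means the routing rule can be unit-tested without a proxy or an AD host, and a CIDR that no longer matches a moved AD host shows up as a failed test rather than as a connection silently leaving the static IPs.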

Know any other options? Drop us a comment and let us know.