ruby-ldap · mtodd · Dec 10, 2014 · Dec 1, 2014 · Dec 1, 2014 · Dec 10, 2014
diff --git a/test/fixtures/cacert.pem b/test/fixtures/cacert.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRzCCAf+gAwIBAgIEVHpbmjANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhy
+dWJ5bGRhcDAeFw0xNDExMjkyMzQ5NDZaFw0xNTExMjkyMzQ5NDZaMBMxETAPBgNV
+BAMTCHJ1YnlsZGFwMIIBUjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEA4pKe
+cDCNuL53fkpO/WSAS+gmMTsOs+oOK71kZlk2QT/MBz8TxC6m358qCADjnXcMVVxa
+ySQbQlVKZMkIvLNciZbiLDgC5II0NbHACNa8rqenoKRjS4J9W3OhA8EmnXn/Me+8
+uMCI9tfnKNRZYdkQZlra4I+Idn+xYfl/5q5b/7ZjPS2zY/585hFEYE+5vfOZVBSU
+3HMNSeuJvTehLv7dD7aQfXNM4cRgHXequkJQ/HLLFAO4AgJ+LJrFWpj7GWz3crgr
+9G5px4T78wJH3NQiOsG6UBXPw8c4T+Z6GAWX2l1zs1gZsaiCVbAraqK3404lL7yp
++ThbsW3ifzgNPhmjScXBLdbEDrrAKosW7kkTOGzxiMCBmNlj2SKhcztoduAtfF1f
+Fs2Jk8MRTHwO8ThD7wIDAQABo0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB
+/wQFAwMHBAAwHQYDVR0OBBYEFJDm67ekyFu4/Z7VcO6Vk/5pinGcMA0GCSqGSIb3
+DQEBCwUAA4IBMQDHeEPzfYRtjynpUKyrtxx/6ZVOfCLuz4eHkBZggz/pJacDCv/a
+I//W03XCk8RWq/fWVVUzvxXgPwnYcw992PLM7XW81zp6ruRUDWooYnjHZZz3bRhe
+kC4QvM2mZhcsMVmhmWWKZn81qXgVdUY1XNRhk87cuXjF/UTpEieFvWAsCUkFZkqB
+AmySCuI/FuPaauT1YAltkIlYAEIGNJGZDMf2BTVUQpXhTXeS9/AZWLNDBwiq+fwo
+YYnsr9MnBXCEmg1gVSR/Ay2AZmbYfiYtb5kU8uq2lSWAUb4LX6HZl82wo3OilrJ2
+WXl6Qf+Fcy4qqkRt4AKHjtzizpEDCOVYuuG0Zoy+QnxNXRsEzpb8ymnJFrcgYfk/
+6Lv2gWAFl5FqCZp7gBWg55eL2coT4C+mbNTF
+-----END CERTIFICATE-----
diff --git a/test/integration/test_bind.rb b/test/integration/test_bind.rb
@@ -20,8 +20,15 @@ def test_bind_fail
     refute @ldap.bind(method: :simple, username: "uid=user1,ou=People,dc=rubyldap,dc=com", password: "not my password"), @ldap.get_operation_result.inspect
   end
 
-  def test_bind_tls
-    @ldap.encryption(method: :start_tls, tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS)
+  def test_bind_tls_with_cafile
+    tls_options = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge(:ca_file => CA_FILE)
+    @ldap.encryption(method: :start_tls, tls_options: tls_options)
+    assert @ldap.bind(method: :simple, username: "uid=user1,ou=People,dc=rubyldap,dc=com", password: "passworD1"), @ldap.get_operation_result.inspect
+  end
+
+  def test_bind_tls_with_verify_none
+    tls_options = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge(:verify_mode => OpenSSL::SSL::VERIFY_NONE)
+    @ldap.encryption(method: :start_tls, tls_options: tls_options)
     assert @ldap.bind(method: :simple, username: "uid=user1,ou=People,dc=rubyldap,dc=com", password: "passworD1"), @ldap.get_operation_result.inspect
   end
 end
diff --git a/test/test_helper.rb b/test/test_helper.rb
@@ -6,6 +6,18 @@
 # Whether integration tests should be run.
 INTEGRATION = ENV.fetch("INTEGRATION", "skip") != "skip"
 
+# The CA file to verify certs against for tests.
+# Override with CA_FILE env variable; otherwise checks for the VM-specific path
+# and falls back to the test/fixtures/cacert.pem for local testing.
+CA_FILE =
+  ENV.fetch("CA_FILE") do
+    if File.exist?("/etc/ssl/certs/cacert.pem")
+      "/etc/ssl/certs/cacert.pem"
+    else
+      File.expand_path("fixtures/cacert.pem", File.dirname(__FILE__))
+    end
+  end
+
 if RUBY_VERSION < "2.0"
   class String
     def b