Skip to content

Convert Net::BER::BerIdentifiedString to String for Rails 8.0 MessagePack compatibility#86

Merged
jonmbake merged 5 commits intomasterfrom
copilot/fix-ldap-authentication-error
Dec 11, 2025
Merged

Convert Net::BER::BerIdentifiedString to String for Rails 8.0 MessagePack compatibility#86
jonmbake merged 5 commits intomasterfrom
copilot/fix-ldap-authentication-error

Conversation

Copy link
Contributor

Copilot AI commented Dec 10, 2025
edited
Loading

Fix ActiveSupport::MessagePack::UnserializableObjectError in LDAP Authentication

This PR addresses the issue where new users cannot log in after upgrading Discourse from 3.6.0.beta1 to 3.6.0.beta2.

Root Cause

Rails 8.0 (used in Discourse 3.6.0.beta2) introduced MessagePack as the default serializer, which cannot serialize Net::BER::BerIdentifiedString objects returned by the net-ldap gem.

Solution

Modified the map_user method in lib/omniauth/strategies/ldap.rb to convert all Net::BER::BerIdentifiedString objects to regular Ruby strings using the safe navigation operator (&.to_s).

Changes Made

  • Line 76: Added &.to_s for String mapper case
  • Line 78: Added &.to_s for Array mapper case
  • Line 83: Added &.to_s for Hash mapper case
  • GitHub Actions: Updated deprecated action versions (checkout v2→v4, cache v2→v4, codeql v1→v3)
  • GitHub Actions: Replaced deprecated ::set-output commands with $GITHUB_OUTPUT environment file

The safe navigation operator ensures backward compatibility by preserving nil behavior when LDAP attributes are empty or missing.

Testing & Validation

  • Understand the issue and identify root cause
  • Modify map_user method to convert LDAP values to strings
  • Use safe navigation operator (&.) to preserve original nil behavior
  • Create and run comprehensive test cases verifying:
    • BerIdentifiedString objects convert to regular Ruby strings
    • Safe navigation preserves nil behavior for empty/missing attributes
    • All three mapper types (String, Array, Hash) work correctly
    • Backward compatibility is maintained
  • Run CodeQL security scan (0 issues found)
  • Address code review feedback
  • Update GitHub Actions workflows to use non-deprecated versions
  • Replace deprecated set-output commands with environment files
  • Final verification complete

Security Summary

✓ CodeQL scan completed with 0 vulnerabilities found

This is a minimal, surgical fix that solves the serialization issue while maintaining full backward compatibility.

Original prompt

This section details on the original issue you should resolve

<issue_title>ActiveSupport::MessagePack::UnserializableObjectError at login of a new users</issue_title>
<issue_description>Hello,
after updateing Discourse from 3.6.0.beta1 to 3.6.0.beta2 we get the following error when a new user tries to login:

(ldap) Authentication failure! ldap_error: ActiveSupport::MessagePack::UnserializableObjectError, Unsupported type Net::BER::BerIdentifiedString for object "username"

I posted this issue to https://meta.discourse.org/t/ldap-authentication-error-activesupport-unserializableobjecterror/385668 where we were pointed to your repository.

Stacktrace is :

activesupport-8.0.3/lib/active_support/broadcast_logger.rb:218:in `block in dispatch' 
activesupport-8.0.3/lib/active_support/broadcast_logger.rb:217:in `map' 
activesupport-8.0.3/lib/active_support/broadcast_logger.rb:217:in `dispatch' 
activesupport-8.0.3/lib/active_support/broadcast_logger.rb:129:in `error' 
omniauth-2.1.2/lib/omniauth/strategy.rb:163:in `log' 
omniauth-2.1.2/lib/omniauth/strategy.rb:540:in `fail!' 
/var/www/discourse/plugins/discourse-ldap-auth/lib/omniauth/strategies/ldap.rb:49:in `rescue in callback_phase' 
/var/www/discourse/plugins/discourse-ldap-auth/lib/omniauth/strategies/ldap.rb:42:in `callback_phase' 
omniauth-2.1.2/lib/omniauth/strategy.rb:272:in `callback_call' 
omniauth-2.1.2/lib/omniauth/strategy.rb:194:in `call!' 
omniauth-2.1.2/lib/omniauth/strategy.rb:169:in `call' 
omniauth-2.1.2/lib/omniauth/builder.rb:44:in `call' 
/var/www/discourse/lib/middleware/omniauth_bypass_middleware.rb:51:in `call' 
/var/www/discourse/lib/middleware/crawler_hooks.rb:11:in `call' 
rack-2.2.20/lib/rack/tempfile_reaper.rb:15:in `call' 
rack-2.2.20/lib/rack/conditional_get.rb:40:in `call' 
rack-2.2.20/lib/rack/head.rb:12:in `call' 
actionpack-8.0.3/lib/action_dispatch/http/permissions_policy.rb:38:in `call' 
/var/www/discourse/lib/content_security_policy/middleware.rb:12:in `call' 
/var/www/discourse/lib/middleware/anonymous_cache.rb:415:in `call' 
/var/www/discourse/lib/middleware/csp_script_nonce_injector.rb:12:in `call' 
/var/www/discourse/config/initializers/008-rack-cors.rb:14:in `call' 
rack-2.2.20/lib/rack/session/abstract/id.rb:266:in `context' 
rack-2.2.20/lib/rack/session/abstract/id.rb:260:in `call' 
actionpack-8.0.3/lib/action_dispatch/middleware/cookies.rb:706:in `call' 
actionpack-8.0.3/lib/action_dispatch/middleware/callbacks.rb:31:in `block in call' 
activesupport-8.0.3/lib/active_support/callbacks.rb:100:in `run_callbacks' 
actionpack-8.0.3/lib/action_dispatch/middleware/callbacks.rb:30:in `call' 
actionpack-8.0.3/lib/action_dispatch/middleware/debug_exceptions.rb:31:in `call' 
actionpack-8.0.3/lib/action_dispatch/middleware/show_exceptions.rb:32:in `call' 
logster-2.20.1/lib/logster/middleware/reporter.rb:40:in `call' 
/var/www/discourse/lib/middleware/default_headers.rb:13:in `call' 
railties-8.0.3/lib/rails/rack/logger.rb:41:in `call_app' 
railties-8.0.3/lib/rails/rack/logger.rb:29:in `call' 
/var/www/discourse/config/initializers/100-quiet_logger.rb:20:in `call' 
/var/www/discourse/config/initializers/100-silence_logger.rb:29:in `call' 
actionpack-8.0.3/lib/action_dispatch/middleware/request_id.rb:34:in `call' 
/var/www/discourse/lib/middleware/enforce_hostname.rb:23:in `call' 
rack-2.2.20/lib/rack/method_override.rb:24:in `call' 
actionpack-8.0.3/lib/action_dispatch/middleware/executor.rb:16:in `call' 
rack-2.2.20/lib/rack/sendfile.rb:127:in `call' 
rack-mini-profiler-4.0.1/lib/mini_profiler.rb:191:in `call' 
/var/www/discourse/lib/middleware/processing_request.rb:12:in `call' 
message_bus-4.4.1/lib/message_bus/rack/middleware.rb:60:in `call' 
/var/www/discourse/lib/middleware/request_tracker.rb:410:in `call' 
actionpack-8.0.3/lib/action_dispatch/middleware/remote_ip.rb:96:in `call' 
railties-8.0.3/lib/rails/engine.rb:535:in `call' 
railties-8.0.3/lib/rails/railtie.rb:226:in `public_send' 
railties-8.0.3/lib/rails/railtie.rb:226:in `method_missing' 
rack-2.2.20/lib/rack/urlmap.rb:74:in `block in call' 
rack-2.2.20/lib/rack/urlmap.rb:58:in `each' 
rack-2.2.20/lib/rack/urlmap.rb:58:in `call' 
unicorn-6.1.0/lib/unicorn/http_server.rb:634:in `process_client'
unicorn-6.1.0/lib/unicorn/http_server.rb:739:in `worker_loop'
unicorn-6.1.0/lib/unicorn/http_server.rb:547:in `spawn_missing_workers'
unicorn-6.1.0/lib/unicorn/http_server.rb:143:in `start'
unicorn-6.1.0/bin/unicorn:128:in `<top (required)>'
/var/www/discourse/vendor/bundle/ruby/3.3.0/bin/unicorn:25:in `load' 
/var/www/discourse/vendor/bundle/ruby/3.3.0/bin/unicorn:25:in `<main>'

Thanks for your help</issue_description>

Comments on the Issue (you are @copilot in this section)

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI changed the title [WIP] Fix ActiveSupport::MessagePack::UnserializableObjectError at login Convert Net::BER::BerIdentifiedString to String for Rails 8.0 MessagePack compatibility Dec 10, 2025
Copilot AI requested a review from jonmbake December 10, 2025 22:58
@jonmbake
Copy link
Owner

jonmbake commented Dec 10, 2025

@copilot Can you fix the frontend and backend tests too? Currently getting the error:

Error: This request has been automatically failed because it uses a deprecated version of `actions/cache: v2`. Please update your workflow to use v3/v4 of actions/cache to avoid interruptions. Learn more: https://github.blog/changelog/2024-12-05-notice-of-upcoming-releases-and-breaking-changes-for-github-actions/#actions-cache-v1-v2-and-actions-toolkit-cache-package-closing-down

Copy link
Contributor Author

Copilot AI commented Dec 10, 2025

@copilot Can you fix the frontend and backend tests too? Currently getting the error:

Error: This request has been automatically failed because it uses a deprecated version of `actions/cache: v2...

Fixed in commit 377a9c2. Updated all GitHub Actions workflows to use non-deprecated versions:

  • actions/checkout: v2 → v4
  • actions/cache: v2 → v4
  • github/codeql-action: v1 → v3

The CI workflows should now run without deprecation errors.

@jonmbake
Copy link
Owner

jonmbake commented Dec 10, 2025

@copilot Getting closer. Now getting the error:

Run actions/cache@v4
  with:
    key: Linux-yarn-9c909aa52c6f718ca41957f3add8790969cddb94cb7a2ca850dc57defdf68dc8
    restore-keys: Linux-yarn-
  
    enableCrossOsArchive: false
    fail-on-cache-miss: false
    lookup-only: false
    save-always: false
  env:
    DISCOURSE_HOSTNAME: www.example.com
    RUBY_GLOBAL_METHOD_CACHE_SIZE: 131072
    RAILS_ENV: test
    PGUSER: discourse
/usr/bin/docker exec  740db798f04f701352a5d78a891a0ac432356f8ebd7a492cc81a89d25c770867 sh -c "cat /etc/*release | grep ^ID"
Error: Input required and not supplied: path

Copy link
Contributor Author

Copilot AI commented Dec 10, 2025

@copilot Getting closer. Now getting the error:

...

Fixed in commit 46e5473. The issue was caused by the deprecated ::set-output command which failed to set the yarn cache directory path. Updated all three instances to use the new $GITHUB_OUTPUT environment file syntax instead:

  • echo "::set-output name=dir::$(yarn cache dir)"echo "dir=$(yarn cache dir)" >> $GITHUB_OUTPUT

The Yarn cache action should now receive the proper path value.

Copilot AI and others added 3 commits December 10, 2025 20:58
@jonmbake
Initial plan
972f8c3
@jonmbake
Fix BerIdentifiedString serialization issue for Rails 8.0 compatibility
ba30577 
Convert Net::BER::BerIdentifiedString objects to regular Ruby strings in the map_user method to prevent ActiveSupport::MessagePack::UnserializableObjectError when authenticating new LDAP users with Discourse 3.6.0.beta2+

Co-authored-by: jonmbake <[email protected]>
@jonmbake
Use safe navigation operator for nil safety
50ba81c 
Updated to use &.to_s instead of .to_s to preserve original behavior when LDAP attributes are empty or missing. This maintains backward compatibility while fixing the BerIdentifiedString serialization issue.

Co-authored-by: jonmbake <[email protected]>
@jonmbake jonmbake force-pushed the copilot/fix-ldap-authentication-error branch from 46e5473 to 50ba81c Compare December 11, 2025 02:58
@jonmbake jonmbake mentioned this pull request Dec 11, 2025
Closed
@jonmbake jonmbake marked this pull request as ready for review December 11, 2025 17:53
@jonmbake jonmbake merged commit 53ea5ef into master Dec 11, 2025
5 checks passed
@jonmbake jonmbake deleted the copilot/fix-ldap-authentication-error branch December 11, 2025 17:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@jonmbake jonmbake jonmbake approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@jonmbake jonmbake

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

ActiveSupport::MessagePack::UnserializableObjectError at login of a new users

2 participants

@jonmbake