LDAP Authentication with Symfony 2.8

…衆ロ難τιáo~ 提交于 2019-12-20 23:25:16

问题


I'm trying to use the new LdapUserProvider in Symfony 2.8. I believe I have configured everything per the docs.

My user can successfully authenticate, and then gets redirected to the secured page. After the redirection is where the issue begins. Symfony tries to bind as the authenticated user, but with a null password, which is rejected by open ldap.

Here are the relevant log entries and config values.

Config:

services:
    app.ldap:
        class: Symfony\Component\Ldap\LdapClient
        arguments: [ "localhost" ]

Security:

security:
    firewalls:
        restricted_area:
            provider: app_users
            form_login_ldap:
                service: app.ldap
                dn_string: "uid={username},DC=mydomain,DC=net"
                check_path: login_check
                login_path: login
    providers:
        app_users:
            ldap:
                service: app.ldap
                base_dn: dc=mydomain,dc=net
                search_dn: cn=Manager,DC=mydomain,DC=net
                search_password: secretPassword
                filter: "(&(aptAccountEnabled=1)(ObjectClass=aptAccount)(uid={username}))"
                default_roles: ROLE_USER

And the log file:

[2015-12-18 13:55:11] request.INFO: Matched route "login_check". {"route_parameters":{"_route":"login_check"},"request_uri":"http://ancdev.admin.aptalaska.net/~dmorphis/Portal/web/app_dev.php/Login/Verify"} []
[2015-12-18 13:55:11] security.DEBUG: Read existing security token from the session. {"key":"_security_restricted_area"} []
[2015-12-18 13:55:11] security.DEBUG: User was reloaded from a user provider. {"username":"dan.smartrg","provider":"Symfony\\Component\\Security\\Core\\User\\LdapUserProvider"} []
[2015-12-18 13:55:26] security.INFO: User has been authenticated successfully. {"username":"dan.smartrg"} []
<snip>
[2015-12-18 13:55:26] security.DEBUG: Stored the security token in the session. {"key":"_security_restricted_area"} []
<snip>
[2015-12-18 13:55:27] request.INFO: Matched route "home.index". {"route_parameters":{"_controller":"Apt\\PortalBundle\\Controller\\DefaultController::indexAction","_route":"home.index"},"request_uri":"http://ancdev.admin.aptalaska.net/~dmorphis/Portal/web/app_dev.php/"} []
[2015-12-18 13:55:28] security.DEBUG: Read existing security token from the session. {"key":"_security_restricted_area"} []
[2015-12-18 13:55:28] security.DEBUG: User was reloaded from a user provider. {"username":"dan.smartrg","provider":"Symfony\\Component\\Security\\Core\\User\\LdapUserProvider"} []
[2015-12-18 13:56:15] php.DEBUG: ldap_bind(): Unable to bind to server: Server is unwilling to perform {"type":2,"file":"/home/dmorphis/public_html/Portal/vendor/symfony/symfony/src/Symfony/Component/Ldap/LdapClient.php","line":73,"level":28928} []
[2015-12-18 13:56:15] app.ERROR: Bad credentials. [{"file":"/home/dmorphis/public_html/Portal/app/cache/dev/classes.php","line":2697,"function":"authenticate","class":"Symfony\\Component\\Security\\Core\\Authentication\\Provider\\UserAuthenticationProvide <truncated>
[2015-12-18 13:56:15] security.INFO: An AuthenticationException was thrown; redirecting to authentication entry point.

回答1:


Finally I found what was the problem.

You have to chain the UserProvider:

chain_provider:
    chain:
             providers: [in_memory, app_users]
    in_memory:
        memory: ~
    app_users:
        ldap:
           .....</i>



回答2:


I had same problem. In my case it was wrong configuration of framework.session.handler_id – I had to change it from native file handler to null which is default PHP session handler.




回答3:


I had almost exactly the same problem. After intense debugging, I came to the line:

in \Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken::__construct:

parent::setAuthenticated(count($roles) > 0);

This was a problem, because I diagnosed, that UsernamePasswordToken was coming unauthenticated from session storage to begin with. This was caused by no roles assigned due to my custom overriding of default services.

Normally, LDAP will be called only once on login and no password should be stored in session. Only authenticated = true in serialized token.

Are you sure you are getting unserialised authenticated token?




回答4:


In Symfony 3.1, the LdapClient component was deprecated. So I wanted to update the solution. This solution should also work for Symfony 2.8/2.9 apps.

#security.yml
security:
    firewalls:
        restricted_area:
            provider: app_users
            form_login_ldap:
                service: ldap.auth
                dn_string: "%dn_string%"

    providers:
        app_users:
            ldap:
                service: ldap.auth
                base_dn: "dc=domain,dc=net"
                search_dn: "cn=Manager,DC=domain,DC=net"
                search_password: secretPassword
                filter: "(&(aptAccountEnabled=1)(ObjectClass=aptAccount)({uid_key}={username}))"
                default_roles: ROLE_USER
                uid_key: uid

#services.yml
services:
    ldap.auth:
        class: 'Symfony\Component\Ldap\Ldap'
        factory:
            - 'Symfony\Component\Ldap\Ldap'
            - 'create'
        arguments:
            - 'ext_ldap'  # adapter
            -
              host: database
              options:
                  protocol_version: 3


来源:https://stackoverflow.com/questions/34365482/ldap-authentication-with-symfony-2-8

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!