No chaining provider and no persisted entities - auth workflow locks LDAP account #76
Comments
I have to admit that branch of the code is a mystery to me. I was following the same code as DaoAuthenticationProvider, but it's true. So the question is: how can we re-authenticate an already logged-in user?
What is the return value of
When the User is authenticated, the condition
Here is the solution! Change

I notice a strange thing, by the way: the Zend/Ldap driver is called twice. The first time is when the default connection defined in config.yml, with its username and password, is used; the second is when the bind method is called directly to authenticate the User. In this case, I traced the whole workflow to show how it behaves: an Exception is correctly thrown (because the username is filled, the password is empty and AllowEmptyPassword is false), but in UserAuthenticationProvider the code below does not propagate the Exception to the caller class (AuthenticationProviderManager):

    try {
        $this->userChecker->checkPreAuth($user);
        $this->checkAuthentication($user, $token);   // provider-specific credential check (the LDAP bind happens in here)
        $this->userChecker->checkPostAuth($user);
    } catch (BadCredentialsException $e) {
        // only BadCredentialsException is caught here; other exception types pass straight through to the caller
        if ($this->hideUserNotFoundExceptions) {
            throw new BadCredentialsException('Bad credentials', 0, $e);
        }
        throw $e;
    }

I don't know why or where the Exception is caught. This issue messed up my brain!
Do you want to create a PR with the fix? About the driver being called twice:
I am not sure if the fix is correct; I'm going to run new tests with a fresh installation and chaining providers to be sure it does not introduce a regression.
The change will introduce a BC break for objects retrieved from the DB, but this has to be fixed as you proposed.
Use token `getCredentials` instead of user `getPassword`. Fix #76
Hello there,
First, sorry for my writing, I'll do my best.
I created an application which uses FR3DLdapBundle for authentication. The initial need is to NOT persist the user in the DB and to reload them directly from the LDAP database on each request (that's what the bundle does). The goal is to not duplicate the LDAP DB in a web app.
To that end, the documentation told me that you can disable the chaining provider with FOS to avoid persistence, so I did. I just override the LdapManager to return a personal instance of User when the createUser method is called by the LdapManager.
Next, my issue. In the process of authentication (tell me if I get it wrong), the user is looked up in LDAP as:
    $user = $this->userProvider->loadUserByUsername($username);
in LDAPAuthenticationProvider. The first time, no session token exists, so the User is created, hydrated and bound to LDAP to determine whether the credentials are correct. That's fine for me. But when Symfony redirects, for instance to the home page after successful authentication, the User is searched again in LDAP and the token is re-created by UserAuthenticationProvider in the authenticate method; but since my entity is not persisted, the password no longer exists and the bind method fails. As a result, the account is locked in my LDAP DB, not good! In the checkAuthentication method there, `$currentUser->getPassword()` is null (I tried `$token->getCredentials()` as mentioned in another issue). So what am I missing?
Is there a way to keep the credentials in the session to re-validate the bind when the User navigates? It seems the bundle does not cover this case?
I tried many (many!) debugging passes with var_dump in the Symfony components and the bundle to analyse the behavior. I can clarify any point if needed (but not the solution :))
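The workflow described in this issue, as an added example that is not code from FR3DLdapBundle or Symfony: a stand-in LDAP driver that counts failed binds the way a directory with a lockout policy would, a user object that only carries a password when it was hydrated during the login request, and two variants of the provider's credential check. The first reads the password from the user object (the behaviour reported above, where a reloaded user has no password), the second reads it from the token's `getCredentials()` (the fix adopted in the thread) and additionally refuses to bind at all when the credentials are empty. All class names, the `FakeLdapDriver`, the sample account and the lockout threshold are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from FR3DLdapBundle or Symfony. Every class below is a
// stand-in (assumption) for the real user, token and Zend\Ldap driver so that the
// script runs with plain `php` and no dependencies.

class BadCredentialsException extends RuntimeException {}

// Stand-in LDAP driver: counts failed binds per account like a directory with a
// lockout policy, and refuses binds once the (assumed) threshold is reached.
final class FakeLdapDriver
{
    private const LOCKOUT_THRESHOLD = 3;   // assumed policy for the example
    private array $failedBinds = [];

    public function __construct(private array $directory) {}   // username => password

    public function bind(string $username, string $password): bool
    {
        if ($this->failedBindCount($username) >= self::LOCKOUT_THRESHOLD) {
            throw new RuntimeException("account '$username' is locked");
        }
        // An empty password is treated as a failed bind here (assumption; real
        // servers may treat it as an unauthenticated bind, but it never proves identity).
        if ($password !== '' && ($this->directory[$username] ?? null) === $password) {
            return true;
        }
        $this->failedBinds[$username] = $this->failedBindCount($username) + 1;
        return false;
    }

    public function failedBindCount(string $username): int
    {
        return $this->failedBinds[$username] ?? 0;
    }
}

// Non-persisted user: hydrated with the password only during the login request;
// when reloaded from LDAP on later requests it carries no password at all.
final class LdapUser
{
    public function __construct(private string $username, private ?string $password = null) {}
    public function getUsername(): string { return $this->username; }
    public function getPassword(): ?string { return $this->password; }
}

// Username/password token; credentials are only present on the login request.
final class UsernamePasswordToken
{
    public function __construct(private string $username, private ?string $credentials) {}
    public function getCredentials(): ?string { return $this->credentials; }
}

final class LdapAuthenticationProvider
{
    public function __construct(private FakeLdapDriver $ldap) {}

    // Variant reported in the issue: the password comes from the user object, which
    // is null once the user is reloaded, so every re-authentication is a failed bind.
    public function checkAuthenticationFromUser(LdapUser $user, UsernamePasswordToken $token): void
    {
        if (!$this->ldap->bind($user->getUsername(), (string) $user->getPassword())) {
            throw new BadCredentialsException('Bad credentials');
        }
    }

    // Variant matching the fix: the password comes from the token, and an empty
    // credential is rejected locally so the directory never sees a doomed bind.
    public function checkAuthenticationFromToken(LdapUser $user, UsernamePasswordToken $token): void
    {
        $password = $token->getCredentials();
        if ($password === null || $password === '') {
            throw new BadCredentialsException('Empty credentials; refusing to bind');
        }
        if (!$this->ldap->bind($user->getUsername(), $password)) {
            throw new BadCredentialsException('Bad credentials');
        }
    }
}

// Constructed sample data: one account, a login request, then three later requests
// on which neither the reloaded user nor the token carries the password any more.
$loginUser    = new LdapUser('alice', 's3cret');
$reloadedUser = new LdapUser('alice');
$loginToken   = new UsernamePasswordToken('alice', 's3cret');
$laterToken   = new UsernamePasswordToken('alice', null);

foreach (['FromUser', 'FromToken'] as $variant) {
    $ldap = new FakeLdapDriver(['alice' => 's3cret']);
    $provider = new LdapAuthenticationProvider($ldap);
    $check = 'checkAuthentication' . $variant;

    $provider->$check($loginUser, $loginToken);            // initial login succeeds either way
    for ($i = 0; $i < 3; $i++) {
        try {
            $provider->$check($reloadedUser, $laterToken);  // re-authentication on a later request
        } catch (BadCredentialsException $e) {
            // swallowed here, as the issue describes; the directory still counted any failed bind
        }
    }
    printf("%-9s failed binds after 3 re-authentications: %d\n",
        $variant, $ldap->failedBindCount('alice'));
}
```

Run it with plain `php`: the `FromUser` variant adds one failed bind to the account on every re-authentication even though the exception never reaches the caller, which is exactly how the lockout in the issue accumulates, while the `FromToken` variant never contacts the directory once the credentials are gone. The empty-credentials guard is the check worth keeping even after switching to the token: if the credentials have been erased from the token, a bind cannot succeed and only burns lockout attempts.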