Added query_string LDAP config option #7420
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Maybe merge with #7414 ? |
|
ah doh .. didn't see this PR :-/ lets wait for feedback. for example I am not sure if it made sense adding another example or not like I did. |
|
No problem. ;-) |
|
integrated #7414 |
lsmith77
force-pushed
the
ldap_query_string
branch
2 times, most recently
from
a9bd37a
to
1735f08
Compare
fabpot
added a commit
to symfony/symfony
that referenced
this pull request
Jan 28, 2017
… of searching for the DN (lsmith77, nietonfir) This PR was merged into the 3.3-dev branch. Discussion ---------- [Security] make LdapBindAuthenticationProvider capable of searching for the DN | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | yes | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #16823, #20905 | License | MIT | Doc PR | symfony/symfony-docs#7420 I guess due to the separation between the user and auth provider something like the following isn't ok (note: the following works just fine for me but if course in the end the username is the DN and not the user provided shorter username): ```diff diff --git a/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php b/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php index 5ebb09a..18d7825 100644 --- a/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php +++ b/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php @@ -70,7 +70,7 @@ class LdapBindAuthenticationProvider extends UserAuthenticationProvider */ protected function checkAuthentication(UserInterface $user, UsernamePasswordToken $token) { - $username = $token->getUsername(); + $username = $user->getUsername(); $password = $token->getCredentials(); if ('' === $password) { @@ -78,10 +78,7 @@ class LdapBindAuthenticationProvider extends UserAuthenticationProvider } try { - $username = $this->ldap->escape($username, '', LdapInterface::ESCAPE_DN); - $dn = str_replace('{username}', $username, $this->dnString); - - $this->ldap->bind($dn, $password); + $this->ldap->bind($username, $password); } catch (ConnectionException $e) { throw new BadCredentialsException('The presented password is invalid.'); } diff --git a/src/Symfony/Component/Security/Core/User/LdapUserProvider.php b/src/Symfony/Component/Security/Core/User/LdapUserProvider.php index fc42419..8194c4c 100644 --- a/src/Symfony/Component/Security/Core/User/LdapUserProvider.php +++ b/src/Symfony/Component/Security/Core/User/LdapUserProvider.php @@ -115,7 +115,7 @@ class LdapUserProvider implements UserProviderInterface { $password = $this->getPassword($entry); - return new User($username, $password, $this->defaultRoles); + return new User($entry->getDn(), $password, $this->defaultRoles); } /** ``` Therefore I created an entire new auth provider. Commits ------- 8ddd533 Merge pull request #1 from nietonfir/http_basic_ldap a783e5c Update HttpBasicLdapFactory a30191f make LdapBindAuthenticationProvider capable of searching for the DN
|
the relevant code branch was merged |
chalasr
pushed a commit
to chalasr/symfony
that referenced
this pull request
Jan 29, 2017
…capable of searching for the DN (lsmith77, nietonfir) This PR was merged into the 3.3-dev branch. Discussion ---------- [Security] make LdapBindAuthenticationProvider capable of searching for the DN | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | yes | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | symfony#16823, symfony#20905 | License | MIT | Doc PR | symfony/symfony-docs#7420 I guess due to the separation between the user and auth provider something like the following isn't ok (note: the following works just fine for me but if course in the end the username is the DN and not the user provided shorter username): ```diff diff --git a/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php b/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php index 5ebb09a..18d7825 100644 --- a/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php +++ b/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php @@ -70,7 +70,7 @@ class LdapBindAuthenticationProvider extends UserAuthenticationProvider */ protected function checkAuthentication(UserInterface $user, UsernamePasswordToken $token) { - $username = $token->getUsername(); + $username = $user->getUsername(); $password = $token->getCredentials(); if ('' === $password) { @@ -78,10 +78,7 @@ class LdapBindAuthenticationProvider extends UserAuthenticationProvider } try { - $username = $this->ldap->escape($username, '', LdapInterface::ESCAPE_DN); - $dn = str_replace('{username}', $username, $this->dnString); - - $this->ldap->bind($dn, $password); + $this->ldap->bind($username, $password); } catch (ConnectionException $e) { throw new BadCredentialsException('The presented password is invalid.'); } diff --git a/src/Symfony/Component/Security/Core/User/LdapUserProvider.php b/src/Symfony/Component/Security/Core/User/LdapUserProvider.php index fc42419..8194c4c 100644 --- a/src/Symfony/Component/Security/Core/User/LdapUserProvider.php +++ b/src/Symfony/Component/Security/Core/User/LdapUserProvider.php @@ -115,7 +115,7 @@ class LdapUserProvider implements UserProviderInterface { $password = $this->getPassword($entry); - return new User($username, $password, $this->defaultRoles); + return new User($entry->getDn(), $password, $this->defaultRoles); } /** ``` Therefore I created an entire new auth provider. Commits ------- 8ddd533 Merge pull request #1 from nietonfir/http_basic_ldap a783e5c Update HttpBasicLdapFactory a30191f make LdapBindAuthenticationProvider capable of searching for the DN
javiereguiluz
changed the title
xabbuh
reviewed
Feb 3, 2017
reference/configuration/security.rst
Outdated
| **type**: ``string`` **default**: ``null`` | ||
|
|
||
| This is the string which will be used to query for the DN. The ``{username}`` | ||
| placeholder will be replaced with the user-provided value (his login). |
There was a problem hiding this comment.
We should use "their" instead of "his".
xabbuh
reviewed
Feb 3, 2017
reference/configuration/security.rst
Outdated
| This is the string which will be used to query for the DN. The ``{username}`` | ||
| placeholder will be replaced with the user-provided value (his login). | ||
| Depending on your LDAP server's configuration, you will need to override | ||
| this value. This setting is only necessary if the users DN cannot be derived |
xabbuh
reviewed
Feb 3, 2017
reference/configuration/security.rst
Outdated
| placeholder will be replaced with the user-provided value (his login). | ||
| Depending on your LDAP server's configuration, you will need to override | ||
| this value. This setting is only necessary if the users DN cannot be derived | ||
| statically using the `dn_string` config option. |
xabbuh
reviewed
Feb 3, 2017
security/ldap.rst
Outdated
|
|
||
| .. code-block:: php | ||
|
|
||
| $container->loadFromExtension('security', array( |
There was a problem hiding this comment.
we should add the // app/config/security.php comment above
xabbuh
reviewed
Feb 3, 2017
security/ldap.rst
Outdated
| # ... | ||
| form_login_ldap: | ||
| login_path: login | ||
| check_path: login_check |
There was a problem hiding this comment.
Recently we updated the docs to use the same route for login_path and check_path. I think we should do that here too.
There was a problem hiding this comment.
if I look at form_login.rst it seems like those config options are simply omitted there .. that being said there are also some previously existing places in this file where we have the check_path in examples .. so should i remove login_path/check_path for all examples in this file?
There was a problem hiding this comment.
diff --git a/security/ldap.rst b/security/ldap.rst
index bd812fd..d91e977 100644
--- a/security/ldap.rst
+++ b/security/ldap.rst
@@ -310,8 +310,6 @@ Configuration example for form login
main:
# ...
form_login_ldap:
- login_path: login
- check_path: login_check
# ...
service: ldap
dn_string: 'uid={username},dc=example,dc=com'
@@ -329,8 +327,6 @@ Configuration example for form login
<config>
<firewall name="main">
<form-login-ldap
- login-path="login"
- check-path="login_check"
service="ldap"
dn-string="uid={username},dc=example,dc=com" />
</firewall>
@@ -343,8 +339,6 @@ Configuration example for form login
'firewalls' => array(
'main' => array(
'form_login_ldap' => array(
- 'login_path' => 'login',
- 'check_path' => 'login_check',
'service' => 'ldap',
'dn_string' => 'uid={username},dc=example,dc=com',
// ...
@@ -419,8 +413,6 @@ Configuration example for form login and query_string
main:
# ...
form_login_ldap:
- login_path: login
- check_path: login_check
# ...
service: ldap
dn_string: 'dc=example,dc=com'
@@ -439,8 +431,6 @@ Configuration example for form login and query_string
<config>
<firewall name="main">
<form-login-ldap
- login-path="login"
- check-path="login_check"
service="ldap"
dn-string="dc=example,dc=com"
query-string="(&(uid={username})(memberOf=cn=users,ou=Services,dc=example,dc=com))" />
@@ -455,8 +445,6 @@ Configuration example for form login and query_string
'firewalls' => array(
'main' => array(
'form_login_ldap' => array(
- 'login_path' => 'login',
- 'check_path' => 'login_check',
'service' => 'ldap',
'dn_string' => 'dc=example,dc=com',
'query_string' => '(&(uid={username})(memberOf=cn=users,ou=Services,dc=example,dc=com))',
1735f08
to
3e4e277
Compare
lsmith77
force-pushed
the
ldap_query_string
branch
from
3e4e277
to
143ae0a
Compare
lsmith77
force-pushed
the
ldap_query_string
branch
from
143ae0a
to
b82cafd
Compare
|
@xabbuh ok .. all comments should be addressed |
|
👍 Status: Reviewed |
|
Thank you @lsmith77. |
xabbuh
added a commit
that referenced
this pull request
Feb 28, 2017
…reguiluz, lsmith77) This PR was merged into the master branch. Discussion ---------- Added query_string LDAP config option docs for symfony/symfony#21402 Commits ------- b82cafd clean up 446ba38 added query_string LDAP config option ed58da8 Minor reword f133269 Explain the query_string ldap authentication provider configuration key
|
And thank you very much @nietonfir! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
docs for symfony/symfony#21402