[Ldap] Improve the LDAP component #16665
Comments
@csarrazi Thank you so much for the time you have put into this. In implementing this in 2.8, we have found that authentication is limited to only users whose DNs fit the configured dn_string, for example:

    dn_string: "uid={username},ou=people,dc=example,dc=com"

A user with "uid=foo,ou=something,ou=people,dc=example,dc=com" cannot authenticate. The immediate reason is that after discovering information from LDAP in the ->find() method, the DN is discarded when LdapUserProvider::loadUser() creates the User instance. Because the DN is discarded, later LdapBindAuthenticationProvider::checkAuthentication() recombines the basic username with what is configured in dn_string:

    $dn = str_replace('{username}', $username, $this->dnString);

It would seem if User were extended to store the DN, it would not be necessary to set dn_string, and users in various OUs could authenticate. |
Hum, could you be a bit more precise regarding your configuration? Are you using the Ldap user provider along with the |
Also (unless I'm overlooking something), the LDAP component currently uses the |
There is a polyfill dependency that provides a php implementation of
ldap_escape in case you're not on php 5.6
|
Ah, then I did overlook something hah (: Thanks. That's the same function I've seen in a SO answer. I do notice that it doesn't encode carriage returns properly when escaping DNs. I've mentioned it in the comments on SO where it's posted too, but I don't think I ever got a response. Huge edge case I guess (who in their right mind puts a carriage return in a DN..), but it's listed in the RFC. |
Can you please open an issue on the symfony-polyfill? And if you have a patch, PR is welcomed :-) |
Regarding the carriage return, we should add a test case in both the PHP extension, and in |
@csarrazi If you want me to open a new issue, say the word. Here is the configuration:
|
Should be in a new issue, but this feedback is great regardless! :) |
@csarrazi The version of LDAP escape in polyfill actually already does more than the official version of I can submit a PR with new tests and also account for the carriage return. But should that carriage return be handled properly in the polyfill function if the official |
The Polyfill is expected to behave exactly the same as the reference php
implementation, so if you know some different behavior, please submit a
test case for it, and a fix if possible :-)
|
Submitted the polyfill fix here: symfony/polyfill#14 . |
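The DN-escaping point discussed in the comments above, as an added example that is not part of the thread and is not Symfony's or the polyfill's code: a username is hex-escaped as a DN attribute value before it is substituted into the `dn_string` template from the first comment. The helper names `escapeDnValue` and `buildBindDn` are hypothetical, the sample usernames are constructed, and reading "the RFC" as RFC 4514 is an assumption.

```php
<?php
// Added example: hypothetical helpers, not Symfony or symfony/polyfill code.

/**
 * Escape one attribute value for use inside a DN.
 * Uses the backslash + two hex digits form, which RFC 4514 allows for any octet.
 */
function escapeDnValue(string $value): string
{
    $out = '';
    $last = strlen($value) - 1;
    for ($i = 0; $i <= $last; $i++) {
        $c = $value[$i];
        // A space only needs escaping at the very start or end of the value.
        $edgeSpace = $c === ' ' && ($i === 0 || $i === $last);
        // Control characters (NUL, CR, LF, ...) and DN metacharacters are always escaped.
        if ($edgeSpace || ord($c) < 0x20 || strpos('\\,=+<>;"#', $c) !== false) {
            $out .= sprintf('\\%02x', ord($c));
        } else {
            $out .= $c; // other bytes, including UTF-8 sequences, pass through
        }
    }
    return $out;
}

/** Substitute the escaped username into a dn_string template. */
function buildBindDn(string $dnString, string $username): string
{
    return str_replace('{username}', escapeDnValue($username), $dnString);
}

// Template taken from the first comment in this thread.
$dnString = 'uid={username},ou=people,dc=example,dc=com';

// Constructed sample usernames.
$samples = [
    'foo',               // plain value, unchanged
    'foo,ou=something',  // comma and equals must stay inside the uid value
    ' padded ',          // leading and trailing spaces
    "Before\rAfter",     // carriage return inside the value
];

foreach ($samples as $username) {
    echo buildBindDn($dnString, $username), PHP_EOL;
}
```

Escaping keeps the substituted value inside a single RDN; it does not address the nested-OU limitation from the first comment, which needs the DN found by the search to be kept.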
Is this a complete example, also with an authentication form? Why can I not authenticate? |
@Xeyos88 The documentation will be updated as soon as the component is marked as stable, which should be good for 3.1. Until then, as mentioned in the subtree split, the component is still a work in progress. |
This PR was merged into the 3.1-dev branch.

Discussion
----------

[Ldap] Fixed CS and hardened some code

| Q             | A
| ------------- | ---
| Bug fix?      | no
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #16665
| License       | MIT
| Doc PR        | no

This PR takes into account remaining comments from #16665

Commits
-------

eefa70d Fixed CS and hardened some code
A few issues are remaining, and will likely need to be fixed after release 3.0 (3.1 or later):
Here is the list of issues which were mentioned in #14602:
I'm separating all these from the current PR (#15994), as I am currently the only person working on the LDAP component on a regular basis, and won't have time to handle these remaining features for Symfony's 2.8 / 3.0 releases.