Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Ldap] Deprecate '{username}' parameter use in favour of '{user_identifier}' in LDAP configuration #46683

Merged
merged 1 commit into from Jul 29, 2022
Merged

[Ldap] Deprecate '{username}' parameter use in favour of '{user_identifier}' in LDAP configuration #46683

merged 1 commit into from Jul 29, 2022

Conversation

ktherage
Copy link
Contributor

@ktherage ktherage commented Jun 15, 2022
edited

Q A
Branch? 6.2
Bug fix? no
New feature? no
Deprecations? no
Tickets
License MIT
Doc PR

This PR aims to fix a missing forward compatibility as done in src/Symfony/Component/Ldap/Security/LdapUserProvider.php at line 80 when authenticating with LDAP and using the following configuration :

security:
// ...
    firewalls:œ
    // ...
        main:
            form_login_ldap:
                // ...
                query_string: '(whatever={user_identifier})'
                dn_string: 'uid={user_identifier},dc=example,dc=com'

instead of :

security:
// ...
    firewalls:
    // ...
        main:
            form_login_ldap:
                // ...
                query_string: '(whatever={username})'
                dn_string: 'uid={username},dc=example,dc=com'

maybe related to : #40403

@carsonbot carsonbot added this to the 5.4 milestone Jun 15, 2022
@carsonbot carsonbot changed the title [LDAP] Fixing missing 'user_identifier' forward compatibility in CheckLdapCredentialsListener [Ldap] Fixing missing 'user_identifier' forward compatibility in CheckLdapCredentialsListener Jun 15, 2022
@ktherage ktherage mentioned this pull request Jun 15, 2022
Closed
@carsonbot
Copy link

Hey!

I think @Jayfrown has recently worked with this code. Maybe they can help review this?

Cheers!

Carsonbot

Jayfrown
Jayfrown approved these changes Jun 16, 2022
View reviewed changes
Copy link
Contributor

@Jayfrown Jayfrown left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@nicolas-grekas
Copy link
Member

It looks like this would benefit from triggering a deprecation when {username} is used. This also means this should target 6.2.

@nicolas-grekas nicolas-grekas modified the milestones: 5.4, 6.2 Jun 20, 2022
@wouterj
Copy link
Member

wouterj commented Jun 20, 2022

I agree with @nicolas-grekas.

There is no "forward compatibility" here, as we don't replace {user_identifier} in Symfony 6.0:

symfony/src/Symfony/Component/Ldap/Security/CheckLdapCredentialsListener.php

Line 87 in e0ad2ee

$query = str_replace('{username}', $username, $ldapBadge->getQueryString());

It would be a good idea to change this parameter name though. That would mean replacing both (like you introduce this PR) and trigger a deprecation when {username} is used. This would then need to go in the current development version (6.2), so we can remove {username} in 7.0.

Status: needs work

@ktherage ktherage changed the base branch from 5.4 to 6.2 June 29, 2022 12:51
@ktherage
Copy link
Contributor Author

ktherage commented Jun 29, 2022
edited

@nicolas-grekas / @wouterj,

I made some changes based on your returns.
As it seems centralised in LdapBadge in 6.2, I've added the deprecations on LdapBadge's construction and replaced {username} parameter by {user_identifier} if used.

This will allow a smoother change when droping deprecation notice IMO.

@ktherage ktherage changed the title [Ldap] Fixing missing 'user_identifier' forward compatibility in CheckLdapCredentialsListener [Ldap] Deprecate '{username}' parameter use in favour of '{user_indentifier}' in LDAP configuration Jun 29, 2022
wouterj
wouterj reviewed Jul 23, 2022
View reviewed changes
Copy link
Member

@wouterj wouterj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like your proposal of doing the cleaning up in the LdapBadge. I've left one comment in a place that is not directly dependent on LdapBadge, but other than that this is ready to go imho!

src/Symfony/Component/Ldap/Security/LdapUserProvider.php Outdated Show resolved Hide resolved
@nicolas-grekas nicolas-grekas force-pushed the ldap_forward_compat branch 2 times, most recently from 4efdadb to 1f11b3e Compare July 28, 2022 12:40
@nicolas-grekas nicolas-grekas changed the title [Ldap] Deprecate '{username}' parameter use in favour of '{user_indentifier}' in LDAP configuration [Ldap] Deprecate '{username}' parameter use in favour of '{user_identifier}' in LDAP configuration Jul 28, 2022
nicolas-grekas
nicolas-grekas approved these changes Jul 28, 2022
View reviewed changes
Copy link
Member

@nicolas-grekas nicolas-grekas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(I just pushed the last changes)

@fabpot
Copy link
Member

fabpot commented Jul 29, 2022

Thank you @ktherage.

@fabpot fabpot mentioned this pull request Jul 29, 2022
Closed
@fabpot fabpot merged commit e137bd3 into symfony:6.2 Jul 29, 2022
@fabpot fabpot mentioned this pull request Oct 24, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wouterj wouterj wouterj left review comments

@fabpot fabpot fabpot approved these changes

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

@Jayfrown Jayfrown Jayfrown approved these changes

@chalasr chalasr Awaiting requested review from chalasr chalasr is a code owner

Assignees
No one assigned
Labels
Bug Ldap Status: Reviewed
Projects
None yet
Milestone
6.2
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@ktherage @carsonbot @nicolas-grekas @wouterj @fabpot @Jayfrown