LDAP Authentication with Symfony 2.8
I'm trying to use the new LdapUserProvider in Symfony 2.8. I believe I have configured everything per the docs.

My user can successfully authenticate, and then gets redirected to the secured page. After the redirection is where the issue begins. Symfony tries to bind as the authenticated user, but with a null password, which is rejected by OpenLDAP.

Here are the relevant log entries and config values.

Config:

services:
    app.ldap:
        class: Symfony\Component\Ldap\LdapClient
        arguments: [ "localhost" ]

Security:

security:
    firewalls:
        restricted_area:
            provider: app_users
            form_login_ldap:
                service: app.ldap
                dn_string: "uid={username},DC=mydomain,DC=net"
                check_path: login_check
                login_path: login
    providers:
        app_users:
            ldap:
                service: app.ldap
                base_dn: dc=mydomain,dc=net
                search_dn: cn=Manager,DC=mydomain,DC=net
                search_password: secretPassword
                filter: "(&(aptAccountEnabled=1)(ObjectClass=aptAccount)(uid={username}))"
                default_roles: ROLE_USER

And the log file:

[2015-12-18 13:55:11] request.INFO: Matched route "login_check". {"route_parameters":{"_route":"login_check"},"request_uri":"http://ancdev.admin.aptalaska.net/~dmorphis/Portal/web/app_dev.php/Login/Verify"} []
[2015-12-18 13:55:11] security.DEBUG: Read existing security token from the session. {"key":"_security_restricted_area"} []
[2015-12-18 13:55:11] security.DEBUG: User was reloaded from a user provider. {"username":"dan.smartrg","provider":"Symfony\\Component\\Security\\Core\\User\\LdapUserProvider"} []
[2015-12-18 13:55:26] security.INFO: User has been authenticated successfully. {"username":"dan.smartrg"} []
<snip>
[2015-12-18 13:55:26] security.DEBUG: Stored the security token in the session. {"key":"_security_restricted_area"} []
<snip>
[2015-12-18 13:55:27] request.INFO: Matched route "home.index". {"route_parameters":{"_controller":"Apt\\PortalBundle\\Controller\\DefaultController::indexAction","_route":"home.index"},"request_uri":"http://ancdev.admin.aptalaska.net/~dmorphis/Portal/web/app_dev.php/"} []
[2015-12-18 13:55:28] security.DEBUG: Read existing security token from the session. {"key":"_security_restricted_area"} []
[2015-12-18 13:55:28] security.DEBUG: User was reloaded from a user provider. {"username":"dan.smartrg","provider":"Symfony\\Component\\Security\\Core\\User\\LdapUserProvider"} []
[2015-12-18 13:56:15] php.DEBUG: ldap_bind(): Unable to bind to server: Server is unwilling to perform {"type":2,"file":"/home/dmorphis/public_html/Portal/vendor/symfony/symfony/src/Symfony/Component/Ldap/LdapClient.php","line":73,"level":28928} []
[2015-12-18 13:56:15] app.ERROR: Bad credentials. [{"file":"/home/dmorphis/public_html/Portal/app/cache/dev/classes.php","line":2697,"function":"authenticate","class":"Symfony\\Component\\Security\\Core\\Authentication\\Provider\\UserAuthenticationProvide <truncated>
[2015-12-18 13:56:15] security.INFO: An AuthenticationException was thrown; redirecting to authentication entry point.
Tammy answered 18/12, 2015 at 23:30 Comment(2)
The docs say to use Symfony\Component\Security\Ldap\Ldap, but the docs are wrong. The actual class is Symfony\Component\Ldap\LdapClient – Tammy
This seems pretty serious. Maybe open an issue on GitHub about it? (It has way more visibility there.) – Tolly
In Symfony 3.1, the LdapClient component was deprecated. So I wanted to update the solution. This solution should also work for Symfony 2.8/2.9 apps.

#security.yml
security:
    firewalls:
        restricted_area:
            provider: app_users
            form_login_ldap:
                service: ldap.auth
                dn_string: "%dn_string%"

    providers:
        app_users:
            ldap:
                service: ldap.auth
                base_dn: "dc=domain,dc=net"
                search_dn: "cn=Manager,DC=domain,DC=net"
                search_password: secretPassword
                filter: "(&(aptAccountEnabled=1)(ObjectClass=aptAccount)({uid_key}={username}))"
                default_roles: ROLE_USER
                uid_key: uid

#services.yml
services:
    ldap.auth:
        class: 'Symfony\Component\Ldap\Ldap'
        factory:
            - 'Symfony\Component\Ldap\Ldap'
            - 'create'
        arguments:
            - 'ext_ldap'  # adapter
            -
              host: database
              options:
                  protocol_version: 3
Tammy answered 7/4, 2017 at 15:44 Comment(0)
Finally I found what was the problem.

You have to chain the UserProvider:

chain_provider:
    chain:
        providers: [in_memory, app_users]
in_memory:
    memory: ~
app_users:
    ldap:
        .....
Workable answered 4/2, 2016 at 20:25 Comment(2)
Adding the providers line above gives me an error on Symfony 2.8 – Frausto
The markup is a bit broken; here: symfony.com/doc/2.8/security/multiple_user_providers.html – Deadline
I had the same problem. In my case it was a wrong configuration of framework.session.handler_id – I had to change it from the native file handler to null, which is the default PHP session handler.

Rasorial answered 4/5, 2016 at 10:56 Comment(0)
I had almost exactly the same problem. After intense debugging, I came to the line:

in \Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken::__construct:

parent::setAuthenticated(count($roles) > 0);

This was a problem, because I diagnosed that the UsernamePasswordToken was coming unauthenticated from session storage to begin with. This was caused by no roles being assigned, due to my custom overriding of the default services.

Normally, LDAP will be called only once, on login, and no password should be stored in the session. Only authenticated = true is stored in the serialized token.

Are you sure you are getting an unserialised authenticated token?

Affix answered 31/1, 2016 at 23:22 Comment(0)
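To make the mechanism in this answer (and the bind with a null password seen in the question's log) concrete, here is an added PHP sketch, not Symfony's code, that models the token's round trip through the session, the roles handed back by the user provider, and the re-bind that follows when the token comes back unauthenticated. The Token class, ldapBind(), authenticate(), the user "dan" and the password "s3cret" are constructed stand-ins; it assumes PHP 8.0 or later.

```php
<?php
// Added illustration, not Symfony's code: a stripped-down model of how the
// session token, the roles returned by the user provider and the LDAP bind
// interact on the request after login. Needs PHP 8.0+.
final class Token {
    public bool $authenticated;
    public function __construct(public string $user, public ?string $credentials, public array $roles) {
        // Mirrors UsernamePasswordToken::__construct: no roles => not authenticated.
        $this->authenticated = count($roles) > 0;
    }
    public function eraseCredentials(): void { $this->credentials = null; }
}

// Stand-in for the directory. OpenLDAP rejects a DN with an empty password
// ("Server is unwilling to perform"); only the constructed sample password binds.
function ldapBind(string $dn, ?string $password): void {
    if ($password === null || $password === '') {
        throw new RuntimeException('ldap_bind(): Server is unwilling to perform');
    }
    if ($password !== 's3cret') {
        throw new RuntimeException('ldap_bind(): Invalid credentials');
    }
}

// Guard worth keeping in front of any bind-based check: never send an empty
// password, because some directories accept it as an anonymous bind.
function authenticate(Token $t): Token {
    if ($t->credentials === null || $t->credentials === '') {
        throw new RuntimeException('Bad credentials: presented password must not be empty');
    }
    ldapBind("uid={$t->user},dc=example,dc=net", $t->credentials);
    return new Token($t->user, $t->credentials, ['ROLE_USER']);
}

// One request after login: the token is read back from the session with its
// credentials erased and the user is reloaded from the provider, which gives the roles.
function requestAfterLogin(array $rolesFromProvider): string {
    $stored = new Token('dan', 's3cret', ['ROLE_USER']);
    $stored->eraseCredentials();                    // done by Symfony right after login
    $fromSession = unserialize(serialize($stored)); // round trip through the session
    $reloaded = new Token($fromSession->user, $fromSession->credentials, $rolesFromProvider);
    if ($reloaded->authenticated) {
        return 'ok: no LDAP round trip needed';
    }
    try { authenticate($reloaded); return 'unreachable'; }   // re-bind with a null password
    catch (RuntimeException $e) { return 'redirect to login: ' . $e->getMessage(); }
}
echo requestAfterLogin(['ROLE_USER']), "\n"; // provider returns roles: stays logged in
echo requestAfterLogin([]), "\n";            // no roles (the case above): login loop
```

The second call reproduces the log sequence in the question: the empty-password check fires before any network bind, which is the outcome you want even on a directory that would quietly accept the null password as an anonymous bind.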