Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

[Security] make LdapBindAuthenticationProvider capable of searching for the DN#21402

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
fabpot merged 3 commits intosymfony:masterfromlsmith77:ldap_query_auth_provider
Jan 28, 2017

Conversation

@lsmith77
Copy link
Contributor

@lsmith77lsmith77 commentedJan 25, 2017
edited
Loading

QA
Branch?master
Bug fix?no
New feature?yes
BC breaks?no
Deprecations?no
Tests pass?yes
Fixed tickets#16823,#20905
LicenseMIT
Doc PRsymfony/symfony-docs#7420

I guess due to the separation between the user and auth provider something like the following isn't ok (note: the following works just fine for me but if course in the end the username is the DN and not the user provided shorter username):

diff --git a/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php b/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.phpindex 5ebb09a..18d7825 100644--- a/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php+++ b/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php@@ -70,7 +70,7 @@ class LdapBindAuthenticationProvider extends UserAuthenticationProvider      */     protected function checkAuthentication(UserInterface $user, UsernamePasswordToken $token)     {-        $username = $token->getUsername();+        $username = $user->getUsername();         $password = $token->getCredentials();          if ('' === $password) {@@ -78,10 +78,7 @@ class LdapBindAuthenticationProvider extends UserAuthenticationProvider         }          try {-            $username = $this->ldap->escape($username, '', LdapInterface::ESCAPE_DN);-            $dn = str_replace('{username}', $username, $this->dnString);--            $this->ldap->bind($dn, $password);+            $this->ldap->bind($username, $password);         } catch (ConnectionException $e) {             throw new BadCredentialsException('The presented password is invalid.');         }diff --git a/src/Symfony/Component/Security/Core/User/LdapUserProvider.php b/src/Symfony/Component/Security/Core/User/LdapUserProvider.phpindex fc42419..8194c4c 100644--- a/src/Symfony/Component/Security/Core/User/LdapUserProvider.php+++ b/src/Symfony/Component/Security/Core/User/LdapUserProvider.php@@ -115,7 +115,7 @@ class LdapUserProvider implements UserProviderInterface     {         $password = $this->getPassword($entry);-        return new User($username, $password, $this->defaultRoles);+        return new User($entry->getDn(), $password, $this->defaultRoles);     }      /**

Therefore I created an entire new auth provider.

linaori and nietonfir reacted with thumbs up emoji

$provider ='security.authentication.provider.ldap_'.$method.'.'.$id;

switch($method) {
Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

there is probably a more elegant way to do this without duplicating so much code

@lsmith77lsmith77 changed the titleadded LdapQueryAuthenticationProvider[Security] added LdapQueryAuthenticationProviderJan 25, 2017
@lsmith77lsmith77force-pushed theldap_query_auth_provider branch 2 times, most recently fromd7b1939 to12e9d07CompareJanuary 25, 2017 12:41
@lsmith77lsmith77force-pushed theldap_query_auth_provider branch from12e9d07 toa26e0b1CompareJanuary 25, 2017 12:42
thrownewBadCredentialsException('The presented password is invalid.');
}

$this->ldap->bind($result->getIterator()->current()->getDn(),$password);
Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

this could probably be rewritten as$this->ldap->bind($result[0]->getDn(), $password);


$provider ='security.authentication.provider.ldap_'.$method.'.'.$id;

switch ($method) {
Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

there is probably a more elegant way to reduce the code duplication

@nicolas-grekasnicolas-grekas added this to the3.x milestoneJan 25, 2017
@nicolas-grekas
Copy link
Member

ping@csarrazi

@lsmith77lsmith77force-pushed theldap_query_auth_provider branch 2 times, most recently from90395dd to04b82a8CompareJanuary 25, 2017 17:44
*
* The only way to check user credentials is to first find the DN via query and then bind
*
* @author Charles Sarrazin <charles@sarraz.in>
Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

@csarrazi since I usedLdapBindAuthenticationProvider as the base I figured I should leave you as an author

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

BTW I did however think its not appropriate to extend fromLdapBindAuthenticationProvider even though it would reduce some code duplication.

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

another approach could be to integrate the logic intoLdapBindAuthenticationProvider

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I think it would actually be better to integrate the logic insideLdapBindAuthenticationProvider.

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

@csarrazi ok .. how should I handle the new parameter without breaking BC on the constructor signature? use setter injection?

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

something like

diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/FormLoginLdapFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/FormLoginLdapFactory.phpindex cd4158d..3d9d4b2 100644--- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/FormLoginLdapFactory.php+++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/FormLoginLdapFactory.php@@ -27,7 +27,7 @@ class FormLoginLdapFactory extends FormLoginFactory     protected function createAuthProvider(ContainerBuilder $container, $id, $config, $userProviderId)     {         $provider = 'security.authentication.provider.ldap_bind.'.$id;-        $container+        $definition = $container             ->setDefinition($provider, new ChildDefinition('security.authentication.provider.ldap_bind'))             ->replaceArgument(0, new Reference($userProviderId))             ->replaceArgument(1, new Reference('security.user_checker.'.$id))@@ -36,6 +36,10 @@ class FormLoginLdapFactory extends FormLoginFactory             ->replaceArgument(4, $config['dn_string'])         ; +        if (!empty($config['query_string'])) {+            $definition->addMethodCall('setQueryString', [$config['query_string']]);+        }+         return $provider;     } @@ -47,6 +51,7 @@ class FormLoginLdapFactory extends FormLoginFactory             ->children()                 ->scalarNode('service')->defaultValue('ldap')->end()                 ->scalarNode('dn_string')->defaultValue('{username}')->end()+                ->scalarNode('query_string')->end()             ->end()         ;     }diff --git a/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php b/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.phpindex 5ebb09a..3dfe028 100644--- a/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php+++ b/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php@@ -33,6 +33,7 @@ class LdapBindAuthenticationProvider extends UserAuthenticationProvider     private $userProvider;     private $ldap;     private $dnString;+    private $queryString;      /**      * Constructor.@@ -54,6 +55,16 @@ class LdapBindAuthenticationProvider extends UserAuthenticationProvider     }      /**+     * Set a query string to use in order to find a DN for the username+     *+     * @param string $queryString+     */+    public function setQueryString($queryString)+    {+        $this->queryString = $queryString;+    }++    /**      * {@inheritdoc}      */     protected function retrieveUser($username, UsernamePasswordToken $token)@@ -79,7 +90,21 @@ class LdapBindAuthenticationProvider extends UserAuthenticationProvider          try {             $username = $this->ldap->escape($username, '', LdapInterface::ESCAPE_DN);-            $dn = str_replace('{username}', $username, $this->dnString);++            if ($this->queryString) {+                $query = str_replace('{username}', $username, $this->queryString);++                $query = $this->ldap->query($this->dnString, $query);+                $result = $query->execute();+                if (1 !== $result->count()) {+                    throw new BadCredentialsException('The presented username is invalid.');+                }++                $dn = $result[0]->getDn();+            } else {+                $username = $this->ldap->escape($username, '', LdapInterface::ESCAPE_DN);+                $dn = str_replace('{username}', $username, $this->dnString);+            }              $this->ldap->bind($dn, $password);         } catch (ConnectionException $e) {

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Yup, setter injection would be the way to go. By default the new attribute should be null, and the current behaviour should be the correct one in this case.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

One thing, though. It seems that you have duplicate logic in theelse part of yourif statement:

$username =$this->ldap->escape($username,'', LdapInterface::ESCAPE_DN);

@lsmith77lsmith77force-pushed theldap_query_auth_provider branch from04b82a8 to4f7487cCompareJanuary 25, 2017 19:42
@lsmith77lsmith77 changed the title[Security] added LdapQueryAuthenticationProvider[Security] make LdapBindAuthenticationProvider capable of searching for the query stringJan 25, 2017
@lsmith77
Copy link
ContributorAuthor

@csarrazi pushed (and fixed the duplicate code)

@lsmith77lsmith77force-pushed theldap_query_auth_provider branch from4f7487c toa70f80aCompareJanuary 25, 2017 19:44
@lsmith77lsmith77 changed the title[Security] make LdapBindAuthenticationProvider capable of searching for the query string[Security] make LdapBindAuthenticationProvider capable of searching for the DNJan 25, 2017
@lsmith77lsmith77force-pushed theldap_query_auth_provider branch froma70f80a to93a02b2CompareJanuary 25, 2017 20:10
@lsmith77lsmith77force-pushed theldap_query_auth_provider branch from93a02b2 toa30191fCompareJanuary 25, 2017 20:32
@lsmith77
Copy link
ContributorAuthor

added some tests

@lsmith77
Copy link
ContributorAuthor

I will test it tomorrow again when I have direct access to the LDAP server of the project where I am implementing this to confirm the tests are sufficient and the code is indeed working.

@nietonfir
Copy link

nietonfir commentedJan 25, 2017
edited
Loading

Just tested (both the original PR and the updated one - against currentstable@3.2.2) against an OpenLDAP directory configured with a meta backend serving as a proxy for two different OpenLDAP instances (thus two different DNs - see#16823), works like a charm.

Your changes can also be applied directly toHttpBasicLdapFactory:

diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/HttpBasicLdapFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/HttpBasicLdapFactory.phpindex 961af71..4665c07 100644--- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/HttpBasicLdapFactory.php+++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/HttpBasicLdapFactory.php@@ -28,7 +28,7 @@ class HttpBasicLdapFactory extends HttpBasicFactory     public function create(ContainerBuilder $container, $id, $config, $userProvider, $defaultEntryPoint)     {         $provider = 'security.authentication.provider.ldap_bind.'.$id;-        $container+        $definition = $container             ->setDefinition($provider, new ChildDefinition('security.authentication.provider.ldap_bind'))             ->replaceArgument(0, new Reference($userProvider))             ->replaceArgument(1, new Reference('security.user_checker.'.$id))@@ -40,6 +40,11 @@ class HttpBasicLdapFactory extends HttpBasicFactory         // entry point         $entryPointId = $this->createEntryPoint($container, $id, $config, $defaultEntryPoint);++        if (!empty($config['query_string'])) {+            $definition->addMethodCall('setQueryString', array($config['query_string']));+        }+         // listener         $listenerId = 'security.authentication.listener.basic.'.$id;         $listener = $container->setDefinition($listenerId, new ChildDefinition('security.authentication.listener.basic'));@@ -57,6 +62,7 @@ class HttpBasicLdapFactory extends HttpBasicFactory             ->children()                 ->scalarNode('service')->defaultValue('ldap')->end()                 ->scalarNode('dn_string')->defaultValue('{username}')->end()+                ->scalarNode('query_string')->end()             ->end()         ;     }
csarrazi reacted with thumbs up emoji

nietonfir pushed a commit to nietonfir/symfony-docs that referenced this pull requestJan 26, 2017
so that it matches the current FormLoginLdapFactory ldap implementation,where the DN can be search for before binding.
@nietonfir
Copy link

@lsmith77 created a PR to your branch. Hope that's what you meant… ;-)

@lsmith77
Copy link
ContributorAuthor

thx

nietonfir pushed a commit to nietonfir/symfony that referenced this pull requestJan 26, 2017
@nietonfirnietonfir mentioned this pull requestJan 26, 2017
@lsmith77lsmith77force-pushed theldap_query_auth_provider branch from5f89a03 to0679a74CompareJanuary 26, 2017 21:47
@lsmith77
Copy link
ContributorAuthor

added support for HTTP basic as well and linked a doc PR.

will do final testing on my end tomorrow.

@csarrazi are the unit tests sufficient or do we also need some functional tests?


if ($this->queryString) {
$query =str_replace('{username}',$username,$this->queryString);

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Remove newline.

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

done

$query =str_replace('{username}',$username,$this->queryString);

$query =$this->ldap->query($this->dnString,$query);
$result =$query->execute();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Add newline after this one and merge this line with the previous one (no need to keep the query variable, as it is not used for anything but for running itsexecute() method.

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

done

@csarrazi
Copy link
Contributor

I don't think we need functional tests for this one. Functional tests are limited to the Ldap component's integration with OpenLDAP. The component was not updated here, so no functional tests are needed. Unit tests are sufficient here.

@lsmith77lsmith77force-pushed theldap_query_auth_provider branch from0679a74 to8ddd533CompareJanuary 27, 2017 07:30
@lsmith77
Copy link
ContributorAuthor

@csarrazi ok fixed your comments and tested it against the production LDAP server. all is well to merge from my side

@csarrazi
Copy link
Contributor

👍

@fabpot
Copy link
Member

Thank you@lsmith77.

@fabpotfabpot closed thisJan 28, 2017
@fabpotfabpot merged commit8ddd533 intosymfony:masterJan 28, 2017
fabpot added a commit that referenced this pull requestJan 28, 2017
… of searching for the DN (lsmith77, nietonfir)This PR was merged into the 3.3-dev branch.Discussion----------[Security] make LdapBindAuthenticationProvider capable of searching for the DN| Q             | A| ------------- | ---| Branch?       | master| Bug fix?      | no| New feature?  | yes| BC breaks?    | no| Deprecations? | no| Tests pass?   | yes| Fixed tickets |#16823,#20905| License       | MIT| Doc PR        |symfony/symfony-docs#7420I guess due to the separation between the user and auth provider something like the following isn't ok  (note: the following works just fine for me but if course in the end the username is the DN and not the user provided shorter username):```diffdiff --git a/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php b/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.phpindex5ebb09a..18d7825 100644--- a/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php+++ b/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php@@ -70,7 +70,7 @@ class LdapBindAuthenticationProvider extends UserAuthenticationProvider      */     protected function checkAuthentication(UserInterface $user, UsernamePasswordToken $token)     {-        $username = $token->getUsername();+        $username = $user->getUsername();         $password = $token->getCredentials();         if ('' === $password) {@@ -78,10 +78,7 @@ class LdapBindAuthenticationProvider extends UserAuthenticationProvider         }         try {-            $username = $this->ldap->escape($username, '', LdapInterface::ESCAPE_DN);-            $dn = str_replace('{username}', $username, $this->dnString);--            $this->ldap->bind($dn, $password);+            $this->ldap->bind($username, $password);         } catch (ConnectionException $e) {             throw new BadCredentialsException('The presented password is invalid.');         }diff --git a/src/Symfony/Component/Security/Core/User/LdapUserProvider.php b/src/Symfony/Component/Security/Core/User/LdapUserProvider.phpindexfc42419..8194c4c 100644--- a/src/Symfony/Component/Security/Core/User/LdapUserProvider.php+++ b/src/Symfony/Component/Security/Core/User/LdapUserProvider.php@@ -115,7 +115,7 @@ class LdapUserProvider implements UserProviderInterface     {         $password = $this->getPassword($entry);-        return new User($username, $password, $this->defaultRoles);+        return new User($entry->getDn(), $password, $this->defaultRoles);     }     /**```Therefore I created an entire new auth provider.Commits-------8ddd533 Merge pull request#1 from nietonfir/http_basic_ldapa783e5c Update HttpBasicLdapFactorya30191f make LdapBindAuthenticationProvider capable of searching for the DN
@lsmith77lsmith77 deleted the ldap_query_auth_provider branchJanuary 28, 2017 22:49
chalasr pushed a commit to chalasr/symfony that referenced this pull requestJan 29, 2017
…capable of searching for the DN (lsmith77, nietonfir)This PR was merged into the 3.3-dev branch.Discussion----------[Security] make LdapBindAuthenticationProvider capable of searching for the DN| Q             | A| ------------- | ---| Branch?       | master| Bug fix?      | no| New feature?  | yes| BC breaks?    | no| Deprecations? | no| Tests pass?   | yes| Fixed tickets |symfony#16823,symfony#20905| License       | MIT| Doc PR        |symfony/symfony-docs#7420I guess due to the separation between the user and auth provider something like the following isn't ok  (note: the following works just fine for me but if course in the end the username is the DN and not the user provided shorter username):```diffdiff --git a/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php b/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.phpindex5ebb09a..18d7825 100644--- a/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php+++ b/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php@@ -70,7 +70,7 @@ class LdapBindAuthenticationProvider extends UserAuthenticationProvider      */     protected function checkAuthentication(UserInterface $user, UsernamePasswordToken $token)     {-        $username = $token->getUsername();+        $username = $user->getUsername();         $password = $token->getCredentials();         if ('' === $password) {@@ -78,10 +78,7 @@ class LdapBindAuthenticationProvider extends UserAuthenticationProvider         }         try {-            $username = $this->ldap->escape($username, '', LdapInterface::ESCAPE_DN);-            $dn = str_replace('{username}', $username, $this->dnString);--            $this->ldap->bind($dn, $password);+            $this->ldap->bind($username, $password);         } catch (ConnectionException $e) {             throw new BadCredentialsException('The presented password is invalid.');         }diff --git a/src/Symfony/Component/Security/Core/User/LdapUserProvider.php b/src/Symfony/Component/Security/Core/User/LdapUserProvider.phpindexfc42419..8194c4c 100644--- a/src/Symfony/Component/Security/Core/User/LdapUserProvider.php+++ b/src/Symfony/Component/Security/Core/User/LdapUserProvider.php@@ -115,7 +115,7 @@ class LdapUserProvider implements UserProviderInterface     {         $password = $this->getPassword($entry);-        return new User($username, $password, $this->defaultRoles);+        return new User($entry->getDn(), $password, $this->defaultRoles);     }     /**```Therefore I created an entire new auth provider.Commits-------8ddd533 Merge pull request#1 from nietonfir/http_basic_ldapa783e5c Update HttpBasicLdapFactorya30191f make LdapBindAuthenticationProvider capable of searching for the DN
lsmith77 pushed a commit to lsmith77/symfony-docs that referenced this pull requestFeb 3, 2017
xabbuh added a commit to symfony/symfony-docs that referenced this pull requestFeb 28, 2017
…reguiluz, lsmith77)This PR was merged into the master branch.Discussion----------Added query_string LDAP config optiondocs forsymfony/symfony#21402Commits-------b82cafd clean up446ba38 added query_string LDAP config optioned58da8 Minor rewordf133269 Explain the query_string ldap authentication provider configuration key
@nicolas-grekasnicolas-grekas modified the milestones:3.x,3.3Mar 24, 2017
@fabpotfabpot mentioned this pull requestMay 1, 2017
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment

Reviewers

1 more reviewer

@csarrazicsarrazicsarrazi requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Projects

None yet

Milestone

3.3

Development

Successfully merging this pull request may close these issues.

6 participants

@lsmith77@nicolas-grekas@nietonfir@csarrazi@fabpot@carsonbot
[8]ページ先頭
©2009-2025 Movatter.jp