jmleroy / ldap-bundle
LDAP Bundle for Symfony 3 (backward compatible)
Requires
- php: >=5.3.3
- ext-ldap: *
- symfony/symfony: >2.6
README
LdapBundle provides LDAP authentication without using Apache's mod_ldap. The bundle instead relies on PHP's LDAP extension along with a form to authenticate users. LdapBundle can also be used for authorization by retrieving the user's roles defined in LDAP.
Credits
This Bundle was originally created by Boris Morel and then forked by Subramanya Vajiraya. Since this bundle was discontinued by its original maintainer and probably abandoned by its last forker (last update was from 2017), and since I needed to fix it, I both submitted a pull request and forked it myself. Anyone is free to use this bundle and modify it as they please. I will try to keep this bundle up to date. If you do manage to update the project, please submit a pull request and I would be happy to examine and merge it.
Install
- Download with composer
- Enable the Bundle
- Configure LdapBundle in security.yml
- Import LdapBundle routing
- Implement Logout
- Use chain provider
- Subscribe to PRE_BIND event
- Subscribe to POST_BIND event
Get the Bundle
Composer
Add LdapBundle in your project's composer.json
{
"require": {
"jmleroy/ldap-bundle": "dev-master"
}
}
or
composer require jmleroy/ldap-bundle
Enable the Bundle
<?php // app/AppKernel.php public function registerBundles() { $bundles = array( // ... new IMAG\LdapBundle\IMAGLdapBundle(), ); }
Configure security.yml
Note:
An example
security.ymlfile is located within the bundle at./Resources/Docs/security.yml
# ./IMAG/LdapBundle/Resources/config/security.yml security: firewalls: restricted_area: pattern: ^/ anonymous: ~ provider: ldap imag_ldap: ~ # alternative configuration # imag_ldap: # login_path: /ninja/login logout: path: /logout target: / providers: ldap: id: imag_ldap.security.user.provider encoders: IMAG\LdapBundle\User\LdapUser: plaintext access_control: - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY } - { path: ^/, roles: IS_AUTHENTICATED_FULLY } imag_ldap: client: host: your.host.foo port: 389 # version: 3 # Optional # username: foo # Optional # password: bar # Optional # network_timeout: 10 # Optional # referrals_enabled: true # Optional # bind_username_before: true # Optional # skip_roles: false # Optional user: base_dn: ou=people,dc=host,dc=foo # filter: (&(foo=bar)(ObjectClass=Person)) #Optional name_attribute: uid role: base_dn: ou=group, dc=host, dc=foo # filter: (ou=group) #Optional name_attribute: cn user_attribute: member user_id: [ dn or username ] # user_class: IMAG\LdapBundle\User\LdapUser # Optional
You should configure the parameters under the imag_ldap section to match your environment.
Note:
The optional parameters have default values if not set. You can disable default values by setting a parameter to NULL.
# app/config/security.yml imag_ldap: # ... role: # ... filter: NULL
Import routing
# app/config/routing.yml imag_ldap: resource: "@IMAGLdapBundle/Resources/config/routing.yml"
Implement Login
Just add a hidden tag to the login form with id set as ldap_authenticate.
<input type="hidden" name="_csrf_token" value="{{ csrf_token('ldap_authenticate') }}">
Implement Logout
Just create a link with a logout target.
<a href="{{ path('logout') }}">Logout</a>
Note:
You can refer to the official Symfony documentation : http://symfony.com/doc/current/book/security.html#logging-out
Chain provider
You can also chain the login form with other providers, such as database_provider, in_memory provider, etc.
# app/config/security.yml security: firewalls: secured_area: pattern: ^/ anonymous: ~ imag_ldap: provider: multiples logout: path: logout providers: multiples: chain: providers: [ldap, db] ldap: id: imag_ldap.security.user.provider db: entity: { class: FQDN\User }
Note:
If you have set the config option
bind_username_before: trueyou must chain the providers with the ldap provider in the last position.
# app/config/security.yml providers: [db, ldap]
Subscribe to PRE_BIND event
The PRE_BIND is fired before the user is authenticated via LDAP. Here you can write a listener to perform your own logic before the user is bound/authenticated to LDAP. For example, to add your own roles or do other authentication/authorization checks with your application.
If you want to break the authentication process within your listener, throw an Exception.
Example listener:
<service id="ldap.listener" class="Acme\HelloBundle\EventListener\LdapSecuritySubscriber"> <tag name="kernel.event_subscriber" /> </service>
Example:
<?php namespace Acme\HelloBundle\EventListener; use Symfony\Component\EventDispatcher\EventSubscriberInterface; use IMAG\LdapBundle\Event\LdapUserEvent; /** * Performs logic before the user is found to LDAP */ class LdapSecuritySubscriber implements EventSubscriberInterface { public static function getSubscribedEvents() { return array( \IMAG\LdapBundle\Event\LdapEvents::PRE_BIND => 'onPreBind', ); } /** * Modifies the User before binding data from LDAP * * @param \IMAG\LdapBundle\Event\LdapUserEvent $event */ public function onPreBind(LdapUserEvent $event) { $user = $event->getUser(); $config = $this->appContext->getConfig(); $ldapConf = $config['ldap']; if (!in_array($user->getUsername(), $ldapConf['allowed'])) { throw new \Exception(sprintf('LDAP user %s not allowed', $user->getUsername())); } $user->addRole('ROLE_LDAP'); $event->setUser($user); } }
Subscribe to POST_BIND event
The POST_BIND is fired after the user is authenticated via LDAP. You can use it in exactly the same manner as PRE_BIND.
Note:
However each time a page is refreshed, Symfony call the refreshUser method in the provider that is used and doesn't trigger these events (PRE_BIND and POST_BIND). If you want to override user (for example like credentials, roles ...), you must create a new provider and override this method.