radebatz / ldap-auth-service-provider
Silex Ldap authentication service provider.
Installs: 19 413
Dependents: 0
Suggesters: 0
Security: 0
Stars: 5
Watchers: 1
Forks: 2
Open Issues: 3
Requires
- php: >=5.5.9
- psr/log: ^1.0
- silex/silex: ^1.3|~2.0
- symfony/security: ~2.8|^3.0
- zendframework/zend-ldap: ~2.4
Requires (Dev)
- monolog/monolog: ^1.13
- phpunit/phpunit: ~4
- satooshi/php-coveralls: dev-master
- symfony/browser-kit: ~2.8|^3.0
README
This service provider provides Ldap based authentication and authorization.
Basic Usage
- Form based authentication
- roles are mapped based on the user being in the specified LDAP group(s).
- The LDAP sn attribute is mapped to the userName property of the user object created
// register service with name LDAP-FORM $app->register(new LdapAuthenticationServiceProvider('LDAP-FORM'), array( 'security.ldap.LDAP-FORM.options' => array( 'auth' => array( 'entryPoint' => 'form', ), 'ldap' => array( 'host' => 'localhost', 'username' => 'username-for-initial-bind', 'password' => 'xxx', ), ) )); // configure firewalls $app->register(new SecurityServiceProvider(), array( 'security.firewalls' => array( 'login' => array( 'pattern' => '^/login$', ), 'default' => array( 'pattern' => '^.*$', 'anonymous' => true, 'LDAP-FORM' => array( // form options 'check_path' => '/login_check_ldap', 'require_previous_session' => false, ), 'users' => function () use ($app) { // use the pre-configured Ldap user provider return $app['security.ldap.LDAP-FORM.user_provider'](array( // configure LDAP attribute to use for auth bind call (dn is the default) 'authName' => 'dn', 'attr' => array( // LDAP attribute => user property // these require setter support in the user class 'sn' => 'lastName', ), 'roles' => array( 'CN=Development,OU=Groups,DC=radebatz,DC=net' => 'ROLE_USER', 'CN=Admins,OU=Groups,DC=radebatz,DC=net' => 'ROLE_ADMIN', ), 'baseDn' => 'DC=radebatz,DC=net', )); }, ), ) ));
Installation
The recommended way to install ldap-auth-service-provider is through composer.
Install the latest version with:
$ composer require radebatz/ldap-auth-service-provider
Configuring Ldap
The Ldap related code depends on zend-ldap
, so all configuration options are just passed through.
For more details check the zend-ldap docs
.
The default username value used to autheticate (bind) a user is the LDAP dn attribute (there is a default mapping 'dn' => 'authName'
).
To change this or allow an alternative fallback attribute, the following attribute mapping could have been used in the example above:
'attr' => array(
// LDAP attribute => user property
'sn' => 'lastName',
),
NOTE: The property 'authName' of the loaded user object is used for the bind when validating the user credentials (password). As a default the LDAP 'dn' attribute is mapped to the authName property of the user.
In addition the provider allows to configure a list of hosts to try. If none in the list can't be connected, the regularly configured host is used as last resort.
Example:
ldap:
ldap:
hosts:
- ldap1
- ldap2
host: localhost
In this case the code will try to connect in the order: ldap1, ldap2, localhost.
Custom user class
The LdapUserProvider class allows to configure a custom User class to be used.
Only restriction is that the custom class has a constructor that is compatible with the default class Symfony\\Component\\Security\\Core\\User\\User
.
Requirements
- Silex 2.0
- PHP 5.5
License
All code is licensed under the MIT license.
Changelog
Issues that break backwards compatibility are flagged [BC].
v1.0.0
- Initial release
v1.1.0
- Move options into security.ldap.[serviceName] namespace
- Add preconfigured user provider
v1.2.0
- Add Silex 1.3 support
- bug fixes
v1.2.1
- Add hosts option to allow a list of fallback servers
v1.2.2
- Fix LdapException handling
- Add Psr\Log dependency
- [BC] Make the logger an optional second constructor argument instead of taking it from $app
v1.3.0
- Use users DN as name when trying to bind user [#15]
- add new authName mapping to allow to control what LDAP attribute to use to bind when authentication (defaults to DN)
- Fix merging of LdapUserProvider defaults
- Check for values array when mapping LDAP data to user instance
- [BC] Custom user classes must either support magic get/set methods or at least implement
getAuthName()
,setAuthName($authName)