
Active Directory and sAMAccountName

Open Xeyos88 opened this issue 8 years ago • 13 comments

Hi, I'm trying to use the bundle for authentication through Active Directory, but I have some difficulty using sAMAccountName for authentication. Could you give me a configuration example? With or without anonymous bind, it is not important.

Xeyos88, Sep 11 '17 13:09

If you want to force the sAMAccountName for authentication you could change the bind_format of your connection:

# app/config/config.yaml

ldap_tools:
    domains:
        example:
            domain_name: example.local
            username: foo
            password: secret
            # Force it to use the sAMAccountName, double '%' to escape symfony params...
            bind_format: "example\\%%username%%"

At least I think that should work fine.

ChadSikorra, Sep 11 '17 13:09

With the \ character in the bind_format I get an invalid YAML error. I'll do some tests. If I continue to run into errors I will post my configuration to ask for help.

Xeyos88, Sep 11 '17 13:09

Sorry about that, you need a double backslash to escape it in YAML. Just corrected my example.

ChadSikorra, Sep 11 '17 14:09

Works perfectly, thx. It also works with anonymous binds; the username and password parameters are superfluous.

Xeyos88, Sep 12 '17 08:09

Could you please give some more details on what you're talking about? It should not accept an anonymous bind on login.

ChadSikorra, Sep 14 '17 12:09

This is my configuration, without the username and password parameters, and it works.

domains:
    example:
        bind_format: "domain\\%%username%%"
        domain_name: host
        base_dn: "OU=Example,DC=test,DC=ex,DC=ex,DC=com"
        servers: ["server_ip"]

Xeyos88, Sep 14 '17 13:09

What does your Symfony security config look like? I cannot replicate that using the same config on a Symfony app on my test domain. I've also double-checked a few spots in the code and cannot think how the logic could go wrong. Though obviously it's possible I overlooked something.

ChadSikorra, Sep 14 '17 13:09

Any update on this @Xeyos88? I'd need the security config to help you any further. The only things I can think of are a possible issue in access_control, or that you're chaining user providers and possibly fall through to a separate authentication provider unrelated to the LDAP one. There are a lot of factors that could cause something like this to go wrong.

The LdapTools authentication mechanism prohibits anonymous binds unless explicitly told not to:

https://github.com/ldaptools/ldaptools/blob/master/src/LdapTools/Operation/Handler/AuthenticationOperationHandler.php#L74
https://github.com/ldaptools/ldaptools/blob/master/src/LdapTools/Operation/AuthenticationOperation.php#L190

ChadSikorra, Sep 21 '17 18:09
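As an added illustration of the empty-password point made above (this is not code from the bundle, from LdapTools, or from the thread), the following Python sketch shows the checks a login path needs before handing credentials to a simple bind; the bind_format value mirrors the config quoted in the thread, and the usernames and passwords are constructed.

```python
import re

# bind_format as it reaches the connection once YAML ("\\\\" -> "\\") and
# Symfony ("%%" -> "%") have unescaped the value quoted in the thread.
BIND_FORMAT = r"example\%username%"

# Characters Active Directory does not allow in a sAMAccountName.
_SAM_FORBIDDEN = re.compile(r'["/\\\[\]:;|=,+*?<>]')


class InvalidCredentials(ValueError):
    """Raised before any LDAP traffic when the login attempt must be refused."""


def render_bind_name(bind_format: str, username: str) -> str:
    """Substitute %username% into bind_format, e.g. 'example\\jdoe'."""
    if not username.strip() or _SAM_FORBIDDEN.search(username):
        raise InvalidCredentials("username empty or not a valid sAMAccountName")
    return bind_format.replace("%username%", username)


def prepare_simple_bind(bind_format: str, username: str, password: str,
                        allow_anonymous: bool = False) -> tuple:
    """Return the (name, password) pair to hand to a simple bind.

    A simple bind that carries a name but a zero-length password is an
    *unauthenticated* bind (RFC 4513 section 5.1.2). Active Directory
    answers it with success and an anonymous authorization state, so a
    login form that forwards an empty password would let anyone in.
    Refuse it here unless the caller has explicitly opted in to anonymous binds.
    """
    if password is None or password == "":
        if allow_anonymous:
            return ("", "")  # a genuine anonymous bind: no name, no password
        raise InvalidCredentials("empty password would become an unauthenticated bind")
    if "\x00" in username or "\x00" in password:
        raise InvalidCredentials("NUL byte in credentials")
    return (render_bind_name(bind_format, username), password)
```

The same refusal is what the linked AuthenticationOperation code is responsible for in LdapTools; the sketch only makes the rule visible so a misconfiguration that bypasses the LDAP authenticator can be recognised as such.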

Sorry for the delay. My security config:

security:
    hide_user_not_found: false

    encoders:
        AppBundle\Entity\User: plaintext

    role_hierarchy:
        ROLE_ADMIN: [ROLE_USER, ROLE_MODERATOR]
        ROLE_SUPER_ADMIN: ROLE_ADMIN
        ROLE_MODERATOR: ROLE_USER

    providers:

        fos_userbundle:
            id: fos_user.user_provider.username

        in_memory:
            memory: ~

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        main:
            pattern: ^/
            form_login:
                csrf_token_generator: security.csrf.token_manager
                provider: fos_userbundle
                login_path: homepage
                check_path: fos_user_security_check
            guard:
                authenticators:
                    - ldap_tools.security.ldap_guard_authenticator
            logout: true
            anonymous: true
    access_control:
        - { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }

Xeyos88, Sep 22 '17 08:09

Your access control list is allowing basically anything. I think you'd want to use:

        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, roles: ROLE_USER }

Assuming you want to login-protect the whole site anyway. Also, are you only expecting to load users from FOSUserBundle, but still always authenticate them with LDAP? Or are you trying to mix it so authentication can occur with either FOSUserBundle or LDAP?

ChadSikorra, Sep 22 '17 12:09

Authentication is done by LDAP and then the user data is loaded from the FOSUserBundle table.

Xeyos88, Sep 22 '17 12:09

Then I think you'd want to chain your user provider and get rid of the form_login section. Your providers and firewall section would look like:

    providers:
        chain_provider:
            chain:
                providers: [fos_userbundle, ldap]
        ldap:
            id: ldap_tools.security.user.ldap_user_provider
        fos_userbundle:
            id: fos_user.user_provider.username

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        main:
            pattern: ^/
            provider: chain_provider
            guard:
                authenticators:
                    - ldap_tools.security.ldap_guard_authenticator
            logout: ~
            anonymous: ~

You'd still need to make the above changes I mentioned to your access_control section.

ChadSikorra, Sep 22 '17 13:09

I tried this configuration for automatic creation of users in the DB after login, but it doesn't work (with the listener class, as in the guide).

Xeyos88, Sep 22 '17 13:09