Login with Mail Address and LDAP fallback
Hello, for internal user authentication we will use the LDAP Adapter and for external users the Zend DB Adapter. All external users use the mail address as username. With the LDAP Adapter we will also use the email address as username. We have more external than internal users.
- What could the login scheme look like?
- LDAP as fallback adapter?
- But how can we make sense that the LDAP also uses the mail address for the login? (first LDAP search and then bind with DN?)
use Zend\Authentication\Adapter\AdapterInterface;
use Zend\Authentication\AuthenticationService as ZendAuthenticationService;
use Zend\Authentication\Result;

class AuthenticationService extends ZendAuthenticationService implements AuthenticationServiceInterface
{
    /**
     * Authentication fallback adapter
     *
     * @var AdapterInterface
     */
    private $fallbackAdapter = null;

    /**
     * @param AdapterInterface $adapter
     * @return $this
     */
    public function setFallbackAdapter(AdapterInterface $adapter)
    {
        $this->fallbackAdapter = $adapter;
        return $this;
    }

    /**
     * @return AdapterInterface
     */
    public function getFallbackAdapter()
    {
        return $this->fallbackAdapter;
    }

    /**
     * Authenticate against the fallback adapter (the configured one if none is passed).
     *
     * @param AdapterInterface|null $fallbackAdapter
     * @return Result
     */
    public function fallbackAuthenticate(AdapterInterface $fallbackAdapter = null)
    {
        if (!$fallbackAdapter) {
            $fallbackAdapter = $this->getFallbackAdapter();
        }
        // Fail explicitly instead of calling authenticate() on null.
        if (!$fallbackAdapter) {
            throw new \RuntimeException('No fallback adapter configured');
        }
        return $fallbackAdapter->authenticate();
    }

    /**
     * Returns the stored identity, or a guest user entity when nobody is logged in.
     *
     * @return mixed
     */
    public function getIdentity()
    {
        if ($this->hasIdentity()) {
            $user = parent::getIdentity();
        } else {
            $user = new UserEntity();
            $user->setId(0);
            $user->setUsername('Gast');
            $user->setRole('guest');
        }
        return $user;
    }
}
@heiglandreas
Regarding your 3rd question: You should always first bind with a known user to the LDAP, then search for the user that tries to log in with the provided information, and then (re)bind to the LDAP with the DN of the found user and the provided password.
That way you are
a) LDAP-compliant and b) have the possibility to use any (unique) attribute to identify a user.
I'm using that so users can use their email address or their UID to log into the systems.
Have a look for a plain PHP implementation here.
From what I've seen right now in Zend\Authentication\Adapter\Ldap that's not an LDAP-Adapter but an AD-Adapter (or an adapter where all users are known to be part of one subtree) as the described way of authentication via retrieve user after a bind with a privileged user doesn't seem to be supported… Or I'm missing it ATM…
So it looks to me as there's a complete authentication-adapter missing. And that's the one you're looking for…
I've hacked together a gist that might help you creating a solution. Take care, it's not been tested!!
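The bind-search-rebind flow described in this answer, as an added example written for this thread (not the gist, not code from zend-authentication). The class name `SearchThenBindLdapAdapter`, the `mail` attribute, the `person` object class and the constructor arguments are assumptions; it expects an `ldaps://` (or otherwise TLS-protected) URI and a read-only service account.

```php
<?php
use Zend\Authentication\Adapter\AdapterInterface;
use Zend\Authentication\Result;

// Hypothetical adapter (constructed for this thread, not part of zend-authentication):
// bind as a read-only service account, look the user up by mail, then re-bind as that user.
class SearchThenBindLdapAdapter implements AdapterInterface
{
    private $uri, $baseDn, $serviceDn, $servicePw, $identity, $credential;

    public function __construct($uri, $baseDn, $serviceDn, $servicePw, $identity, $credential)
    {
        list($this->uri, $this->baseDn, $this->serviceDn, $this->servicePw, $this->identity, $this->credential)
            = [$uri, $baseDn, $serviceDn, $servicePw, $identity, $credential];
    }

    public function authenticate()
    {
        // An empty password would turn the user bind into an anonymous bind that "succeeds" on many servers.
        if ($this->credential === null || $this->credential === '') {
            return new Result(Result::FAILURE_CREDENTIAL_INVALID, null, ['Empty password rejected']);
        }
        $conn = ldap_connect($this->uri);
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
        // 1. Bind with the known (read-only) service account.
        if (!@ldap_bind($conn, $this->serviceDn, $this->servicePw)) {
            return new Result(Result::FAILURE_UNCATEGORIZED, null, ['Service bind failed']);
        }
        // 2. Search by mail attribute; escape the input so it cannot alter the filter.
        $filter = sprintf('(&(objectClass=person)(mail=%s))',
            ldap_escape($this->identity, '', LDAP_ESCAPE_FILTER));
        $res = ldap_search($conn, $this->baseDn, $filter, ['dn']);
        $entries = $res ? ldap_get_entries($conn, $res) : ['count' => 0];
        if ($entries['count'] === 0) {
            return new Result(Result::FAILURE_IDENTITY_NOT_FOUND, null, ['No such mail address']);
        }
        if ($entries['count'] > 1) {
            return new Result(Result::FAILURE_IDENTITY_AMBIGUOUS, null, ['Mail address not unique']);
        }
        // 3. Re-bind with the DN of the found entry and the supplied password.
        if (!@ldap_bind($conn, $entries[0]['dn'], $this->credential)) {
            return new Result(Result::FAILURE_CREDENTIAL_INVALID, null, ['Wrong password']);
        }
        ldap_unbind($conn);
        return new Result(Result::SUCCESS, $this->identity);
    }
}
```

Wired into the service from the question, this adapter is the one passed to `setFallbackAdapter()`, so the DB adapter is tried first for external users and LDAP only when that returns no identity; the "exactly one entry" check is what keeps a shared or mistyped mail address from logging in as the wrong account.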
This repository has been closed and moved to laminas/laminas-authentication; a new issue has been opened at https://github.com/laminas/laminas-authentication/issues/4.