LDAP Authentication with Symfony 2.8

Question

I'm trying to use the new LdapUserProvider in Symfony 2.8. I believe I have configured everything per the docs .

My user can successfully authenticate, and then gets redirected to the secured page. After the redirection is where the issue begins. Symfony tries to bind as the authenticated user, but with a null password, which is rejected by open ldap.

Here are the relevant log entries and config values.

Config:

services:
    app.ldap:
        class: Symfony\Component\Ldap\LdapClient
        arguments: [ "localhost" ]

Security:

security:
    firewalls:
        restricted_area:
            provider: app_users
            form_login_ldap:
                service: app.ldap
                dn_string: "uid={username},DC=mydomain,DC=net"
                check_path: login_check
                login_path: login
    providers:
        app_users:
            ldap:
                service: app.ldap
                base_dn: dc=mydomain,dc=net
                search_dn: cn=Manager,DC=mydomain,DC=net
                search_password: secretPassword
                filter: "(&(aptAccountEnabled=1)(ObjectClass=aptAccount)(uid={username}))"
                default_roles: ROLE_USER

And the log file:

[2015-12-18 13:55:11] request.INFO: Matched route "login_check". {"route_parameters":{"_route":"login_check"},"request_uri":"http://ancdev.admin.aptalaska.net/~dmorphis/Portal/web/app_dev.php/Login/Verify"} []
[2015-12-18 13:55:11] security.DEBUG: Read existing security token from the session. {"key":"_security_restricted_area"} []
[2015-12-18 13:55:11] security.DEBUG: User was reloaded from a user provider. {"username":"dan.smartrg","provider":"Symfony\\Component\\Security\\Core\\User\\LdapUserProvider"} []
[2015-12-18 13:55:26] security.INFO: User has been authenticated successfully. {"username":"dan.smartrg"} []
<snip>
[2015-12-18 13:55:26] security.DEBUG: Stored the security token in the session. {"key":"_security_restricted_area"} []
<snip>
[2015-12-18 13:55:27] request.INFO: Matched route "home.index". {"route_parameters":{"_controller":"Apt\\PortalBundle\\Controller\\DefaultController::indexAction","_route":"home.index"},"request_uri":"http://ancdev.admin.aptalaska.net/~dmorphis/Portal/web/app_dev.php/"} []
[2015-12-18 13:55:28] security.DEBUG: Read existing security token from the session. {"key":"_security_restricted_area"} []
[2015-12-18 13:55:28] security.DEBUG: User was reloaded from a user provider. {"username":"dan.smartrg","provider":"Symfony\\Component\\Security\\Core\\User\\LdapUserProvider"} []
[2015-12-18 13:56:15] php.DEBUG: ldap_bind(): Unable to bind to server: Server is unwilling to perform {"type":2,"file":"/home/dmorphis/public_html/Portal/vendor/symfony/symfony/src/Symfony/Component/Ldap/LdapClient.php","line":73,"level":28928} []
[2015-12-18 13:56:15] app.ERROR: Bad credentials. [{"file":"/home/dmorphis/public_html/Portal/app/cache/dev/classes.php","line":2697,"function":"authenticate","class":"Symfony\\Component\\Security\\Core\\Authentication\\Provider\\UserAuthenticationProvide <truncated>
[2015-12-18 13:56:15] security.INFO: An AuthenticationException was thrown; redirecting to authentication entry point.

Answer 1

Finally I found what was the problem.

You have to chain the UserProvider :

chain_provider:
    chain:
             providers: [in_memory, app_users]
    in_memory:
        memory: ~
    app_users:
        ldap:
           .....</i>

Answer 2

I had same problem. In my case it was wrong configuration of framework.session.handler_id – I had to change it from native file handler to null which is default PHP session handler.

Answer 3

I had almost exactly the same problem. After intense debugging, I came to the line:

in \\Symfony\\Component\\Security\\Core\\Authentication\\Token\\UsernamePasswordToken::__construct :

parent::setAuthenticated(count($roles) > 0);

This was a problem, because I diagnosed, that UsernamePasswordToken was coming unauthenticated from session storage to begin with. This was caused by no roles assigned due to my custom overriding of default services.

Normally, LDAP will be called only once on login and no password should be stored in session. Only authenticated = true in serialized token.

Are you sure you are getting unserialised authenticated token?

Answer 4

In Symfony 3.1, the LdapClient component was deprecated. So I wanted to update the solution. This solution should also work for Symfony 2.8/2.9 apps.

#security.yml
security:
    firewalls:
        restricted_area:
            provider: app_users
            form_login_ldap:
                service: ldap.auth
                dn_string: "%dn_string%"

    providers:
        app_users:
            ldap:
                service: ldap.auth
                base_dn: "dc=domain,dc=net"
                search_dn: "cn=Manager,DC=domain,DC=net"
                search_password: secretPassword
                filter: "(&(aptAccountEnabled=1)(ObjectClass=aptAccount)({uid_key}={username}))"
                default_roles: ROLE_USER
                uid_key: uid

#services.yml
services:
    ldap.auth:
        class: 'Symfony\Component\Ldap\Ldap'
        factory:
            - 'Symfony\Component\Ldap\Ldap'
            - 'create'
        arguments:
            - 'ext_ldap'  # adapter
            -
              host: database
              options:
                  protocol_version: 3