堆棧內存溢出
  簡體   English   中英

LDAP安全組Symfony 2

[英]LDAP Security groups Symfony 2

 原文  2014-03-07 09:44:31       php/ symfony/ authentication/ ldap

問題描述

我努力在我的Symfony2項目上進行LDAP自定義身份驗證。 我首先嘗試使用Fr3dLdapBundle和其他人,但它不可能讓它工作+它不支持安全組。

我終於使用了這兩個鏈接: - https://groups.google.com/forum/#!topic/symfony2/RUyl15zaH8A - http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html

但是現在我必須檢查有人登錄,如果他在安全組“AdminMyWebsite”中。 如果他是,我必須將他的角色設置為ROLE_ADMIN。 但我不知道該怎么做。

LdapProvider: 

<?php

namespace EspaceApprenti\UserBundle\Security\Authentication\Provider;

use EspaceApprenti\UserBundle\Security\Authentication\Token\LdapToken;
use Symfony\Component\Debug\Exception\ContextErrorException;
use Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\User\UserProviderInterface;

class LdapProvider implements AuthenticationProviderInterface {

private $userProvider;
private $providerKey;
private $logger;
private $server;
private $port;
private $domaine;
private $dn;

public function __construct(UserProviderInterface $userProvider, $providerKey, $logger, $server, $port, $domaine, $dn) {
    $this->userProvider = $userProvider;
    $this->providerKey = $providerKey;
    $this->logger = $logger;

    $this->server = $server;
    $this->port = $port;
    $this->domaine = $domaine;
    $this->dn = $dn;
}

public function authenticate(TokenInterface $token) {

    if (!$this->supports($token)) {
        return null;
    }

    $user = $this->userProvider->loadUserByUsername($token->getUsername());

    $username = $token->getUsername();
    $password = $token->getCredentials();

    $this->logger->info(' -- LdapProvider -- ' . $username);
    if ($password) {
        if (!$this->ldapBind($username, $password)) {
            throw new AuthenticationException('Authentication failed ! ');
        }
    }

    $authenticatedToken = new LdapToken($user, $password, $this->providerKey, $user->getRoles());
    $authenticatedToken->setAttributes($token->getAttributes());

    return $authenticatedToken;
}

private function ldapBind($username, $password) {
    // returns true or false        
    $this->logger->info(' -- LdapProvider -> ldapBind() Serveur -- ' . $this->server);
    $this->logger->info(' -- LdapProvider -> ldapBind() Username -- ' . $username);
    $ds = ldap_connect($this->server, $this->port);
    if ($ds) {
        try {
            if (ldap_bind($ds, $this->domaine . '\\' . $username, $password)) {
                return true;
            } else {
                return false;
            }
        } catch (ContextErrorException $e) {
            $this->logger->error(' -- LdapProvider -> ldapBind() Unable to bind to server: Invalid credentials -- ' . $e->getMessage());
        }
    } else {
        $this->logger->info(' -- LdapProvider -> ldapBind() Unable to connect to LAPP Server -- ' . $this->server);
    }

}

public function supports(TokenInterface $token) {
    return $token instanceof LdapToken;
}

}

LdapFactory 

<?php

namespace EspaceApprenti\UserBundle\DependencyInjection\Security\Factory;

use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\AbstractFactory;
use Symfony\Component\DependencyInjection\ContainerBuilder;
use Symfony\Component\DependencyInjection\DefinitionDecorator;
use Symfony\Component\DependencyInjection\Reference;



class LdapFactory extends AbstractFactory
{
    protected function getListenerId()
{
    return 'security.authentication.listener.ldap';
}

protected function createAuthProvider(ContainerBuilder $container, $id, $config, $userProviderId)
{
    $providerId = 'security.authentication.provider.ldap.'.$id;

    $container
        ->setDefinition($providerId, new DefinitionDecorator('security.authentication.provider.ldap'))
        ->replaceArgument(0, new Reference($userProviderId))                
        ->replaceArgument(1, $id);

    return $providerId;
}

protected function createEntryPoint($container, $id, $config, $defaultEntryPoint)
{
    $entryPointId = 'security.authentication.ldap_entry_point.'.$id;
    $container
        ->setDefinition($entryPointId, new DefinitionDecorator('security.authentication.ldap_entry_point'))
        ->addArgument(new Reference('security.http_utils'))
        ->addArgument($config['login_path'])
        ->addArgument($config['use_forward'])
    ;

    return $entryPointId;
}    

public function getPosition()
{
    return 'form';
}

public function getKey()
{
    return 'ldap';
}

}

LdapListener 

<?php

namespace EspaceApprenti\UserBundle\Security\Firewall;

use EspaceApprenti\UserBundle\Security\Authentication\Token\LdapToken;
use Symfony\Component\EventDispatcher\EventDispatcherInterface;
use Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Log\LoggerInterface;
use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
use Symfony\Component\Security\Http\Firewall\AbstractAuthenticationListener;
use Symfony\Component\Security\Http\HttpUtils;
use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface;

class LdapListener extends AbstractAuthenticationListener
{
private $csrfProvider;
protected $logger;

/**
 * {@inheritdoc}
 */
public function __construct(SecurityContextInterface $securityContext, 
        AuthenticationManagerInterface $authenticationManager, 
        SessionAuthenticationStrategyInterface $sessionStrategy, 
        HttpUtils $httpUtils, 
        $providerKey, 
        AuthenticationSuccessHandlerInterface $successHandler, 
        AuthenticationFailureHandlerInterface $failureHandler, 
        array $options = array(), 
        LoggerInterface $logger = null, 
        EventDispatcherInterface $dispatcher = null, 
        CsrfProviderInterface $csrfProvider = null)
{
    parent::__construct($securityContext, $authenticationManager, $sessionStrategy, $httpUtils, $providerKey, $successHandler, $failureHandler, array_merge(array(
        'username_parameter' => '_username',
        'password_parameter' => '_password',
        'csrf_parameter'     => '_csrf_token',
        'intention'          => 'authenticate',
        'post_only'          => true,
    ), $options), $logger, $dispatcher);

    $this->csrfProvider = $csrfProvider;
    $this->logger = $logger;
}

/**
 * {@inheritdoc}
 */
protected function requiresAuthentication(Request $request)
{
    if ($this->options['post_only'] && !$request->isMethod('POST')) {
        return false;
    }

    return parent::requiresAuthentication($request);
}

/**
 * {@inheritdoc}
 */
protected function attemptAuthentication(Request $request)
{
    if (null !== $this->csrfProvider) {
        $csrfToken = $request->get($this->options['csrf_parameter'], null, true);

        if (false === $this->csrfProvider->isCsrfTokenValid($this->options['intention'], $csrfToken)) {
            throw new InvalidCsrfTokenException('Invalid CSRF token.');
        }
    }

    if ($this->options['post_only']) {
        $username = trim($request->request->get($this->options['username_parameter'], null, true));
        $password = $request->request->get($this->options['password_parameter'], null, true);
    } else {
        $username = trim($request->get($this->options['username_parameter'], null, true));
        $password = $request->get($this->options['password_parameter'], null, true);
    }
    $this->logger->alert('LdapAuthenticationListener : '. $username);
    $this->logger->alert('LdapAuthenticationListener : '. $this->providerKey);
    $request->getSession()->set(SecurityContextInterface::LAST_USERNAME, $username);

    return $this->authenticationManager->authenticate(new LdapToken($username, $password, $this->providerKey));
}
}

LdapToken 

<?php

namespace EspaceApprenti\UserBundle\Security\Authentication\Token;

use Symfony\Component\Security\Core\Authentication\Token\AbstractToken;

class LdapToken extends AbstractToken {

private $credentials;
private $providerKey;

/**
 * Constructor.
 *
 * @param string          $user        The username (like a nickname, email address, etc.), or a UserInterface instance or an object implementing a __toString method.
 * @param string          $credentials This usually is the password of the user
 * @param string          $providerKey The provider key
 * @param RoleInterface[] $roles       An array of roles
 *
 * @throws \InvalidArgumentException
 */
public function __construct($user, $credentials, $providerKey, array $roles = array())
{
    parent::__construct($roles);

    if (empty($providerKey)) {
        throw new \InvalidArgumentException('$providerKey must not be empty.');
    }

    $this->setUser($user);
    $this->credentials = $credentials;
    $this->providerKey = $providerKey;

    parent::setAuthenticated(count($roles) > 0);
}

/**
 * {@inheritdoc}
 */
public function setAuthenticated($isAuthenticated)
{
    if ($isAuthenticated) {
        throw new \LogicException('Cannot set this token to trusted after instantiation.');
    }

    parent::setAuthenticated(false);
}

public function getCredentials()
{
    return $this->credentials;
}

public function getProviderKey()
{
    return $this->providerKey;
}

/**
 * {@inheritdoc}
 */
public function eraseCredentials()
{
    parent::eraseCredentials();

    $this->credentials = null;
}

/**
 * {@inheritdoc}
 */
public function serialize()
{
    return serialize(array($this->credentials, $this->providerKey, parent::serialize()));
}

/**
 * {@inheritdoc}
 */
public function unserialize($serialized)
{
    list($this->credentials, $this->providerKey, $parentStr) = unserialize($serialized);
    parent::unserialize($parentStr);
}

}

誰能幫我這個 ?

問候

1 個解決方案

解決方案1
 1 已采納  2014-03-19 07:34:23

我解決了我的問題。 我在ldap_bind之后添加了一個ldap_search來檢查用戶是否是安全組的成員 

$ds = ldap_connect($this->server, $this->port);
        if ($ds) {
            try {
                if (ldap_bind($ds, $this->domaine . '\\' . $username, $password)){
                    $user = $this->m->getRepository('EspaceApprentiUserBundle:ApprenticeUser')->findOneBy(array('username' => $username));   
                    $filter = "(&(objectCategory=person)(samAccountName=" . $username . "))";
                    $result = ldap_search($ds, $this->dn, $filter);
                    $entries = ldap_get_entries($ds, $result);
                    if (in_array($this->administrator,$entries[0]['memberof']))
                    { 
                        $user->setRoles(array('ROLE_ADMIN'));
                        $this->m->persist($user);
                        $this->m->flush();
                    } else {
                        $user->setRoles(array('ROLE_USER'));
                        $this->m->persist($user);
                        $this->m->flush();
                    }       
                    return true;
                } else {
                    return false;
                }
            } catch (ContextErrorException $e) {
                $this->logger->error(' -- LdapProvider -> ldapBind() Unable to bind to server: Invalid credentials -- ' . $e->getMessage());
            }
        } else {
            $this->logger->info(' -- LdapProvider -> ldapBind() Unable to connect to LAPP Server -- ' . $this->server);
        }

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 使用PHP LDAP獲取用戶的安全組 LDAP-列表組 Symfony 4 LDAP認證 使用LDAP的Symfony身份驗證 使用LDAP登錄Symfony Symfony 2.8 LDAP 身份驗證 Symfony LDAP 檢查密碼 Symfony3 LDAP配置 使用Symfony 2.8進行LDAP身份驗證 Symfony3 ldap組件
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM