使用 Symfony 2.8 进行 LDAP 身份验证
LDAP Authentication with Symfony 2.8
我正在尝试在 Symfony 2.8 中使用新的 LdapUserProvider。我相信我已经配置了一切 per the docs.
我的用户可以成功通过身份验证,然后被重定向到安全页面。重定向之后是问题开始的地方。 Symfony 尝试以经过身份验证的用户身份进行绑定,但密码为空,这被打开的 ldap 拒绝。
这是相关的日志条目和配置值。
配置:
services:
app.ldap:
class: Symfony\Component\Ldap\LdapClient
arguments: [ "localhost" ]
安全:
security:
firewalls:
restricted_area:
provider: app_users
form_login_ldap:
service: app.ldap
dn_string: "uid={username},DC=mydomain,DC=net"
check_path: login_check
login_path: login
providers:
app_users:
ldap:
service: app.ldap
base_dn: dc=mydomain,dc=net
search_dn: cn=Manager,DC=mydomain,DC=net
search_password: secretPassword
filter: "(&(aptAccountEnabled=1)(ObjectClass=aptAccount)(uid={username}))"
default_roles: ROLE_USER
和日志文件:
[2015-12-18 13:55:11] request.INFO: Matched route "login_check". {"route_parameters":{"_route":"login_check"},"request_uri":"http://ancdev.admin.aptalaska.net/~dmorphis/Portal/web/app_dev.php/Login/Verify"} []
[2015-12-18 13:55:11] security.DEBUG: Read existing security token from the session. {"key":"_security_restricted_area"} []
[2015-12-18 13:55:11] security.DEBUG: User was reloaded from a user provider. {"username":"dan.smartrg","provider":"Symfony\Component\Security\Core\User\LdapUserProvider"} []
[2015-12-18 13:55:26] security.INFO: User has been authenticated successfully. {"username":"dan.smartrg"} []
<snip>
[2015-12-18 13:55:26] security.DEBUG: Stored the security token in the session. {"key":"_security_restricted_area"} []
<snip>
[2015-12-18 13:55:27] request.INFO: Matched route "home.index". {"route_parameters":{"_controller":"Apt\PortalBundle\Controller\DefaultController::indexAction","_route":"home.index"},"request_uri":"http://ancdev.admin.aptalaska.net/~dmorphis/Portal/web/app_dev.php/"} []
[2015-12-18 13:55:28] security.DEBUG: Read existing security token from the session. {"key":"_security_restricted_area"} []
[2015-12-18 13:55:28] security.DEBUG: User was reloaded from a user provider. {"username":"dan.smartrg","provider":"Symfony\Component\Security\Core\User\LdapUserProvider"} []
[2015-12-18 13:56:15] php.DEBUG: ldap_bind(): Unable to bind to server: Server is unwilling to perform {"type":2,"file":"/home/dmorphis/public_html/Portal/vendor/symfony/symfony/src/Symfony/Component/Ldap/LdapClient.php","line":73,"level":28928} []
[2015-12-18 13:56:15] app.ERROR: Bad credentials. [{"file":"/home/dmorphis/public_html/Portal/app/cache/dev/classes.php","line":2697,"function":"authenticate","class":"Symfony\Component\Security\Core\Authentication\Provider\UserAuthenticationProvide <truncated>
[2015-12-18 13:56:15] security.INFO: An AuthenticationException was thrown; redirecting to authentication entry point.
我遇到了几乎完全相同的问题。经过紧张的调试,终于上线了:
在\Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken::__construct中:
parent::setAuthenticated(count($roles) > 0);
这是一个问题,因为我诊断出 UsernamePasswordToken 即将从会话存储未经身份验证 开始。这是由于我自定义覆盖默认服务而没有分配角色造成的。
通常情况下,LDAP 只会在登录时调用一次,会话中不应存储密码。序列化令牌中只有 authenticated = true。
您确定您获得的是未序列化的经过身份验证的令牌吗?
终于找到问题所在了
您必须链接 UserProvider:
chain_provider:
chain:
providers: [in_memory, app_users]
in_memory:
memory: ~
app_users:
ldap:
.....</i>
我遇到了同样的问题。在我的例子中,framework.session.handler_id 的配置错误——我不得不将其从本机文件处理程序更改为 null,这是默认的 PHP 会话处理程序。
在 Symfony 3.1 中,LdapClient 组件已被弃用。所以我想更新解决方案。此解决方案也适用于 Symfony 2.8/2.9 应用程序。
#security.yml
security:
firewalls:
restricted_area:
provider: app_users
form_login_ldap:
service: ldap.auth
dn_string: "%dn_string%"
providers:
app_users:
ldap:
service: ldap.auth
base_dn: "dc=domain,dc=net"
search_dn: "cn=Manager,DC=domain,DC=net"
search_password: secretPassword
filter: "(&(aptAccountEnabled=1)(ObjectClass=aptAccount)({uid_key}={username}))"
default_roles: ROLE_USER
uid_key: uid
#services.yml
services:
ldap.auth:
class: 'Symfony\Component\Ldap\Ldap'
factory:
- 'Symfony\Component\Ldap\Ldap'
- 'create'
arguments:
- 'ext_ldap' # adapter
-
host: database
options:
protocol_version: 3
我正在尝试在 Symfony 2.8 中使用新的 LdapUserProvider。我相信我已经配置了一切 per the docs.
我的用户可以成功通过身份验证,然后被重定向到安全页面。重定向之后是问题开始的地方。 Symfony 尝试以经过身份验证的用户身份进行绑定,但密码为空,这被打开的 ldap 拒绝。
这是相关的日志条目和配置值。
配置:
services:
app.ldap:
class: Symfony\Component\Ldap\LdapClient
arguments: [ "localhost" ]
安全:
security:
firewalls:
restricted_area:
provider: app_users
form_login_ldap:
service: app.ldap
dn_string: "uid={username},DC=mydomain,DC=net"
check_path: login_check
login_path: login
providers:
app_users:
ldap:
service: app.ldap
base_dn: dc=mydomain,dc=net
search_dn: cn=Manager,DC=mydomain,DC=net
search_password: secretPassword
filter: "(&(aptAccountEnabled=1)(ObjectClass=aptAccount)(uid={username}))"
default_roles: ROLE_USER
和日志文件:
[2015-12-18 13:55:11] request.INFO: Matched route "login_check". {"route_parameters":{"_route":"login_check"},"request_uri":"http://ancdev.admin.aptalaska.net/~dmorphis/Portal/web/app_dev.php/Login/Verify"} []
[2015-12-18 13:55:11] security.DEBUG: Read existing security token from the session. {"key":"_security_restricted_area"} []
[2015-12-18 13:55:11] security.DEBUG: User was reloaded from a user provider. {"username":"dan.smartrg","provider":"Symfony\Component\Security\Core\User\LdapUserProvider"} []
[2015-12-18 13:55:26] security.INFO: User has been authenticated successfully. {"username":"dan.smartrg"} []
<snip>
[2015-12-18 13:55:26] security.DEBUG: Stored the security token in the session. {"key":"_security_restricted_area"} []
<snip>
[2015-12-18 13:55:27] request.INFO: Matched route "home.index". {"route_parameters":{"_controller":"Apt\PortalBundle\Controller\DefaultController::indexAction","_route":"home.index"},"request_uri":"http://ancdev.admin.aptalaska.net/~dmorphis/Portal/web/app_dev.php/"} []
[2015-12-18 13:55:28] security.DEBUG: Read existing security token from the session. {"key":"_security_restricted_area"} []
[2015-12-18 13:55:28] security.DEBUG: User was reloaded from a user provider. {"username":"dan.smartrg","provider":"Symfony\Component\Security\Core\User\LdapUserProvider"} []
[2015-12-18 13:56:15] php.DEBUG: ldap_bind(): Unable to bind to server: Server is unwilling to perform {"type":2,"file":"/home/dmorphis/public_html/Portal/vendor/symfony/symfony/src/Symfony/Component/Ldap/LdapClient.php","line":73,"level":28928} []
[2015-12-18 13:56:15] app.ERROR: Bad credentials. [{"file":"/home/dmorphis/public_html/Portal/app/cache/dev/classes.php","line":2697,"function":"authenticate","class":"Symfony\Component\Security\Core\Authentication\Provider\UserAuthenticationProvide <truncated>
[2015-12-18 13:56:15] security.INFO: An AuthenticationException was thrown; redirecting to authentication entry point.
我遇到了几乎完全相同的问题。经过紧张的调试,终于上线了:
在\Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken::__construct中:
parent::setAuthenticated(count($roles) > 0);
这是一个问题,因为我诊断出 UsernamePasswordToken 即将从会话存储未经身份验证 开始。这是由于我自定义覆盖默认服务而没有分配角色造成的。
通常情况下,LDAP 只会在登录时调用一次,会话中不应存储密码。序列化令牌中只有 authenticated = true。
您确定您获得的是未序列化的经过身份验证的令牌吗?
终于找到问题所在了
您必须链接 UserProvider:
chain_provider:
chain:
providers: [in_memory, app_users]
in_memory:
memory: ~
app_users:
ldap:
.....</i>
我遇到了同样的问题。在我的例子中,framework.session.handler_id 的配置错误——我不得不将其从本机文件处理程序更改为 null,这是默认的 PHP 会话处理程序。
在 Symfony 3.1 中,LdapClient 组件已被弃用。所以我想更新解决方案。此解决方案也适用于 Symfony 2.8/2.9 应用程序。
#security.yml
security:
firewalls:
restricted_area:
provider: app_users
form_login_ldap:
service: ldap.auth
dn_string: "%dn_string%"
providers:
app_users:
ldap:
service: ldap.auth
base_dn: "dc=domain,dc=net"
search_dn: "cn=Manager,DC=domain,DC=net"
search_password: secretPassword
filter: "(&(aptAccountEnabled=1)(ObjectClass=aptAccount)({uid_key}={username}))"
default_roles: ROLE_USER
uid_key: uid
#services.yml
services:
ldap.auth:
class: 'Symfony\Component\Ldap\Ldap'
factory:
- 'Symfony\Component\Ldap\Ldap'
- 'create'
arguments:
- 'ext_ldap' # adapter
-
host: database
options:
protocol_version: 3