
I'm trying to create a user provider so that I can authenticate through an Active directory server.

The problem is that, unlike most other LDAP servers, Active Directory doesn't allow retrieving a user's password attribute, even encrypted.

Here is my User class:

class LdapUser implements UserInterface
{
    private $username;
    private $first_name;
    private $last_name;
    private $password;
    private $salt;
    private $roles;

    public function __construct($username, $first_name, $last_name, $password, $salt, array $roles) {
        $this->username = $username;
        $this->first_name = $first_name;
        $this->last_name = $last_name;
        $this->password = $password;
        $this->salt = $salt;
        $this->roles = $roles;
    }

    ...

}

And here is my loadUserByUsername method (in my UserProvider class):

public function loadUserByUsername($username)
{
    $server = "my_ldap_server";
    $root_dn = "my_root_dn";
    $root_pw = "my_root_pw";

    $ds = ldap_connect($server);
    if ($ds) {
        ldap_bind($ds, $root_dn, $root_pw);
        // escape the username so it cannot change the meaning of the filter
        $filter = "(sAMAccountName=".ldap_escape($username, '', LDAP_ESCAPE_FILTER).")";
        $search = ldap_search($ds, "my_branch", $filter, array("sn", "givenName"));
        // ldap_get_entries() takes the result of ldap_search(); it lowercases attribute names
        $info = ldap_get_entries($ds, $search);
        ldap_close($ds);

        if($info['count'] > 0) {
            $user = $info[0];
            return new LdapUser($username, $user['givenname'][0], $user['sn'][0], '???PASSWORD???', '???SALT???', array('ROLE_USER'));
        } else {
            throw new UsernameNotFoundException(sprintf('Username "%s" does not exist.', $username));
        }
    } else {
        echo "Connexion au serveur LDAP impossible";
    }
}

As you can see, I can't pass the password to my LdapUser class, since it's not accessible through Active Directory.

However, I think it's still possible to authenticate the user by doing an ldap_bind($username, $password) with the password entered by the user in the login form. The problem is I can't figure out how to access this password in my LdapUserProvider class.

I tried $_POST['password'] but I got an undefined index error...

Any help would be welcome :)


There are a few LDAP Authentication bundles ready to use.

As pointed out below, you can try FR3D/LdapBundle, but it needs FOSUserBundle to work. You can also try IMAG (BorisMorel/LdapBundle), if you don't want to (or don't need to) use FOSUserBundle. BorisMorel uses php-ldap to work, it requires no additional bundle nor any zend components.

Even if you don't want to use them, I'd suggest you check out BorisMorel's implementation for more information. The code's quite simple to understand as it's very straightforward.


Your code sets the authentication state of a connection by transmitting a bind request. Does this code attempt to search for an entry, retrieve the password from that entry and then bind as that distinguished name? If so, even if you could retrieve the password, a properly configured directory server will not allow the transmission of a pre-encoded password. Passwords should always be transmitted in clear text over a secure connection (TLS or SSL) so the server can perform password quality and history validation. Therefore, your code must know the clear-text password beforehand. Alternatively, an LDAP-compliant server might allow the use of proxied authentication for certain entries.

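The two-step approach the question and this answer describe (look up the user's DN with a service account, then verify the form password by binding as that DN over TLS), as an added example that is not code from the question or the answers. The server, service-account DN, base DN and the returned array layout are assumed placeholders; the empty-password check is there because LDAP treats a bind with an empty password as an unauthenticated bind, which Active Directory accepts by default.

```php
// Added example, not code from the question or answers. Placeholder values
// ($server, $serviceDn, ...) are assumed; AD returns no password attribute,
// so the user is verified by binding with the password from the login form.
function authenticateAgainstAd(string $server, string $serviceDn, string $servicePw,
                               string $baseDn, string $username, string $password): ?array
{
    // An empty password makes ldap_bind an unauthenticated bind, which AD
    // accepts by default, so reject it before contacting the server.
    if ($password === '') {
        return null;
    }
    $ds = ldap_connect($server);
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // The form password crosses the wire in clear text, so require TLS.
    if (!ldap_start_tls($ds)) {
        ldap_close($ds);
        return null;
    }
    try {
        // Step 1: bind with a low-privilege service account to find the user's DN.
        if (!@ldap_bind($ds, $serviceDn, $servicePw)) {
            return null;
        }
        // Escape the username so it cannot change the meaning of the filter.
        $filter = '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
        $sr = ldap_search($ds, $baseDn, $filter, ['sn', 'givenName']);
        $entries = $sr === false ? false : ldap_get_entries($ds, $sr);
        if ($entries === false || $entries['count'] !== 1) {
            return null; // unknown or ambiguous account
        }
        $entry = $entries[0];
        // Step 2: bind as that DN with the form password; AD verifies it.
        if (!@ldap_bind($ds, $entry['dn'], $password)) {
            return null; // wrong password, or disabled / locked account
        }
        // ldap_get_entries() lowercases attribute names.
        return [
            'dn'         => $entry['dn'],
            'first_name' => $entry['givenname'][0] ?? '',
            'last_name'  => $entry['sn'][0] ?? '',
        ];
    } finally {
        ldap_close($ds);
    }
}
```

In Symfony the form password is only available to the authentication listener or authenticator, not to loadUserByUsername(), so this check belongs there; the user provider then just builds the LdapUser from the returned attributes.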

Try FR3dLdapBundle

The 2.0.x branch has support for Active Directory if you install the Zend\Ldap component from Zend Framework 2.
