-
-
Save Stoakes/41b7d30a2dfd42059c9566b186cc1af4 to your computer and use it in GitHub Desktop.
ldap + guard
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?php | |
namespace CoreBundle\Security; | |
use Doctrine\ORM\EntityManager; | |
use Symfony\Component\HttpFoundation\RedirectResponse; | |
use Symfony\Component\HttpFoundation\Request; | |
use Symfony\Component\HttpFoundation\Response; | |
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException; | |
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; | |
use Symfony\Component\Security\Core\Exception\AccessDeniedException; | |
use Symfony\Component\Security\Core\Exception\AuthenticationException; | |
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException; | |
use Symfony\Component\Security\Core\User\UserInterface; | |
use Symfony\Component\Security\Core\User\UserProviderInterface; | |
use Symfony\Component\Security\Guard\AbstractGuardAuthenticator; | |
use UserBundle\Entity\User; | |
/** | |
* Class LdapAuthenticator | |
* @package CoreBundle\Security | |
* | |
* Configure la logique d'authentification à Sésame (LDAP) | |
*/ | |
class LdapAuthenticator extends AbstractGuardAuthenticator | |
{ | |
private $em; | |
public function __construct(EntityManager $em) | |
{ | |
$this->em = $em; | |
} | |
public function start(Request $request, AuthenticationException $authException = null) | |
{ | |
return new RedirectResponse('login'); | |
} | |
public function getCredentials(Request $request) | |
{ | |
if ($request->getPathInfo() != '/login_check') { | |
return; | |
} | |
return array( | |
'username' => $request->request->get('_username'), | |
'password' => $request->request->get('_password'), | |
); | |
} | |
/** | |
* Return a UserInterface object based on the credentials. | |
* | |
* The *credentials* are the return value from getCredentials() | |
* | |
* You may throw an AuthenticationException if you wish. If you return | |
* null, then a UsernameNotFoundException is thrown for you. | |
* | |
* @param mixed $credentials | |
* @param UserProviderInterface $userProvider | |
* | |
* @throws AuthenticationException | |
* | |
* @return UserInterface|null | |
*/ | |
public function getUser($credentials, UserProviderInterface $userProvider) | |
{ | |
if (is_null($credentials['username'])) { | |
return null; | |
} | |
$baseDN = "dc=example,dc=com"; | |
$ldapServer = "ldap.forumsys.com"; | |
$ldapServerPort = 389; | |
$password = $credentials['password']; | |
$dn = 'uid=' . $credentials['username'] . ',dc=example,dc=com'; | |
if (!($conn = @ldap_connect($ldapServer, $ldapServerPort))) { | |
throw new AuthenticationException('Can\'t reach LDAP'); | |
} | |
if (!@ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3)) { | |
throw new AuthenticationException('Can\'t use LDAP V3'); | |
} | |
if (!@ldap_bind($conn, $dn, $password)) { | |
throw new AuthenticationException('LDAP bind error:' . ldap_error($conn)); | |
} | |
$query = "uid=" . $credentials['username']; | |
$result = @ldap_search($conn, $baseDN, $query); | |
if (@ldap_count_entries($conn, $result) != 1) { | |
throw new UsernameNotFoundException(); | |
} | |
$info = @ldap_get_entries($conn, $result)[0]; | |
@ldap_close($conn); | |
$user = $this->em->getRepository('UserBundle:User')->findOneBy(array('NNI' => $info['uid'])); | |
if (!$user) { //create new user entry. Could also use a proxy user : one user used by every connected user. | |
$user = new User(); | |
// TODO : Set correct fields and activate flush | |
$user->setNNI($info['uid']); | |
$this->em->persist($user); | |
$this->em->flush(); | |
} | |
return $user; | |
} | |
/** | |
* Returns true if the credentials are valid. | |
* | |
* If any value other than true is returned, authentication will | |
* fail. You may also throw an AuthenticationException if you wish | |
* to cause authentication to fail. | |
* | |
* The *credentials* are the return value from getCredentials() | |
* | |
* @param mixed $credentials | |
* @param UserInterface $user | |
* | |
* @return bool | |
* | |
* @throws AuthenticationException | |
*/ | |
public function checkCredentials($credentials, UserInterface $user) | |
{ | |
return true; | |
} | |
/** | |
* Called when authentication executed, but failed (e.g. wrong username password). | |
* | |
* This should return the Response sent back to the user, like a | |
* RedirectResponse to the login page or a 403 response. | |
* | |
* If you return null, the request will continue, but the user will | |
* not be authenticated. This is probably not what you want to do. | |
* | |
* @param Request $request | |
* @param AuthenticationException $exception | |
* | |
* @return \Symfony\Component\HttpFoundation\Response|null | |
*/ | |
public function onAuthenticationFailure(Request $request, AuthenticationException $exception) | |
{ | |
} | |
/** | |
* Called when authentication executed and was successful! | |
* | |
* This should return the Response sent back to the user, like a | |
* RedirectResponse to the last page they visited. | |
* | |
* If you return null, the current request will continue, and the user | |
* will be authenticated. This makes sense, for example, with an API. | |
* | |
* @param Request $request | |
* @param TokenInterface $token | |
* @param string $providerKey The provider (i.e. firewall) key | |
* | |
* @return \Symfony\Component\HttpFoundation\Response|null | |
*/ | |
public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey) | |
{ | |
return new RedirectResponse('/'); | |
} | |
public function supportsRememberMe() | |
{ | |
return false; | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment