ldap + guard

ldap.php

<?php

namespace CoreBundle\Security;

use Doctrine\ORM\EntityManager;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Guard\AbstractGuardAuthenticator;
use UserBundle\Entity\User;

/**
 * Class LdapAuthenticator
 * @package CoreBundle\Security
 *
 * Configure la logique d'authentification à Sésame (LDAP)
 */
class LdapAuthenticator extends AbstractGuardAuthenticator
{
    private $em;

    public function __construct(EntityManager $em)
    {
        $this->em = $em;
    }

    public function start(Request $request, AuthenticationException $authException = null)
    {
        return new RedirectResponse('login');
    }

    public function getCredentials(Request $request)
    {
        if ($request->getPathInfo() != '/login_check') {
            return;
        }

        return array(
            'username' => $request->request->get('_username'),
            'password' => $request->request->get('_password'),
        );
    }

    /**
     * Return a UserInterface object based on the credentials.
     *
     * The *credentials* are the return value from getCredentials()
     *
     * You may throw an AuthenticationException if you wish. If you return
     * null, then a UsernameNotFoundException is thrown for you.
     *
     * @param mixed $credentials
     * @param UserProviderInterface $userProvider
     *
     * @throws AuthenticationException
     *
     * @return UserInterface|null
     */
    public function getUser($credentials, UserProviderInterface $userProvider)
    {
        if (is_null($credentials['username'])) {
            return null;
        }

        $baseDN = "dc=example,dc=com";
        $ldapServer = "ldap.forumsys.com";
        $ldapServerPort = 389;
        $password = $credentials['password'];
        $dn = 'uid=' . $credentials['username'] . ',dc=example,dc=com';

        if (!($conn = @ldap_connect($ldapServer, $ldapServerPort))) {
            throw new AuthenticationException('Can\'t reach LDAP');
        }

        if (!@ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3)) {
            throw new AuthenticationException('Can\'t use LDAP V3');
        }

        if (!@ldap_bind($conn, $dn, $password)) {
            throw new AuthenticationException('LDAP bind error:' . ldap_error($conn));
        }

        $query = "uid=" . $credentials['username'];
        $result = @ldap_search($conn, $baseDN, $query);

        if (@ldap_count_entries($conn, $result) != 1) {
            throw new UsernameNotFoundException();
        }

        $info = @ldap_get_entries($conn, $result)[0];

        @ldap_close($conn);

        $user = $this->em->getRepository('UserBundle:User')->findOneBy(array('NNI' => $info['uid']));

        if (!$user) { //create new user entry. Could also use a proxy user : one user used by every connected user.
            $user = new User();

            // TODO : Set correct fields and activate flush
            $user->setNNI($info['uid']);

            $this->em->persist($user);
            $this->em->flush();
        }

        return $user;
    }

    /**
     * Returns true if the credentials are valid.
     *
     * If any value other than true is returned, authentication will
     * fail. You may also throw an AuthenticationException if you wish
     * to cause authentication to fail.
     *
     * The *credentials* are the return value from getCredentials()
     *
     * @param mixed $credentials
     * @param UserInterface $user
     *
     * @return bool
     *
     * @throws AuthenticationException
     */
    public function checkCredentials($credentials, UserInterface $user)
    {
        return true;
    }

    /**
     * Called when authentication executed, but failed (e.g. wrong username password).
     *
     * This should return the Response sent back to the user, like a
     * RedirectResponse to the login page or a 403 response.
     *
     * If you return null, the request will continue, but the user will
     * not be authenticated. This is probably not what you want to do.
     *
     * @param Request $request
     * @param AuthenticationException $exception
     *
     * @return \Symfony\Component\HttpFoundation\Response|null
     */
    public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
    {
    }

    /**
     * Called when authentication executed and was successful!
     *
     * This should return the Response sent back to the user, like a
     * RedirectResponse to the last page they visited.
     *
     * If you return null, the current request will continue, and the user
     * will be authenticated. This makes sense, for example, with an API.
     *
     * @param Request $request
     * @param TokenInterface $token
     * @param string $providerKey The provider (i.e. firewall) key
     *
     * @return \Symfony\Component\HttpFoundation\Response|null
     */
    public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
    {
        return new RedirectResponse('/');
    }

    public function supportsRememberMe()
    {
        return false;
    }
}