jmleroy/ldap-bundle 问题修复 & 功能扩展

解决BUG、新增功能、兼容多环境部署,快速响应你的开发需求

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

jmleroy/ldap-bundle

Composer 安装命令:

composer require jmleroy/ldap-bundle

包简介

LDAP Bundle for Symfony 3 (backward compatible)

README 文档

README

LdapBundle provides LDAP authentication without using Apache's mod_ldap. The bundle instead relies on PHP's LDAP extension along with a form to authenticate users. LdapBundle can also be used for authorization by retrieving the user's roles defined in LDAP.

Credits

This Bundle was originally created by Boris Morel and then forked by Subramanya Vajiraya. Since this bundle was discontinued by its original maintainer and probably abandoned by its last forker (last update was from 2017), and since I needed to fix it, I both submitted a pull request and forked it myself. Anyone is free to use this bundle and modify it as they please. I will try to keep this bundle up to date. If you do manage to update the project, please submit a pull request and I would be happy to examine and merge it.

Install

  1. Download with composer
  2. Enable the Bundle
  3. Configure LdapBundle in security.yml
  4. Import LdapBundle routing
  5. Implement Logout
  6. Use chain provider
  7. Subscribe to PRE_BIND event
  8. Subscribe to POST_BIND event

Get the Bundle

Composer

Add LdapBundle in your project's composer.json

{
    "require": {
        "jmleroy/ldap-bundle": "dev-master"
    }
}

or

composer require jmleroy/ldap-bundle

Enable the Bundle

<?php
// app/AppKernel.php

public function registerBundles()
{
    $bundles = array(
        // ...
        new IMAG\LdapBundle\IMAGLdapBundle(),
    );
}

Configure security.yml

Note:

An example security.yml file is located within the bundle at ./Resources/Docs/security.yml

# ./IMAG/LdapBundle/Resources/config/security.yml

security:
  firewalls:
    restricted_area:
      pattern:          ^/
      anonymous:        ~
      provider:         ldap
      imag_ldap:        ~
      # alternative configuration
      # imag_ldap:
      #   login_path:   /ninja/login
      logout:
        path:           /logout
        target:         /

  providers:
    ldap:
      id: imag_ldap.security.user.provider
                
  encoders:
    IMAG\LdapBundle\User\LdapUser: plaintext

  access_control:
    - { path: ^/login,          roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/,               roles: IS_AUTHENTICATED_FULLY }

imag_ldap:
  client:
    host: your.host.foo
    port: 389
#    version: 3 # Optional
#    username: foo # Optional
#    password: bar # Optional
#    network_timeout: 10 # Optional
#    referrals_enabled: true # Optional
#    bind_username_before: true # Optional
#    skip_roles: false # Optional

  user:
    base_dn: ou=people,dc=host,dc=foo
#    filter: (&(foo=bar)(ObjectClass=Person)) #Optional
    name_attribute: uid
  role:
    base_dn: ou=group, dc=host, dc=foo
#    filter: (ou=group) #Optional
    name_attribute: cn
    user_attribute: member
    user_id: [ dn or username ]
    
#  user_class: IMAG\LdapBundle\User\LdapUser # Optional

You should configure the parameters under the imag_ldap section to match your environment.

Note:

The optional parameters have default values if not set. You can disable default values by setting a parameter to NULL.

# app/config/security.yml
imag_ldap:
  # ...
  role:
    # ...
    filter: NULL

Import routing

# app/config/routing.yml

imag_ldap:
  resource: "@IMAGLdapBundle/Resources/config/routing.yml"

Implement Login

Just add a hidden tag to the login form with id set as ldap_authenticate.

<input type="hidden" name="_csrf_token" value="{{ csrf_token('ldap_authenticate') }}">

Implement Logout

Just create a link with a logout target.

<a href="{{ path('logout') }}">Logout</a>

Note:

You can refer to the official Symfony documentation : http://symfony.com/doc/current/book/security.html#logging-out

Chain provider

You can also chain the login form with other providers, such as database_provider, in_memory provider, etc.

# app/config/security.yml
security:
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            imag_ldap:
                provider: multiples
            logout:
                path: logout
    providers:
        multiples:
            chain:
                providers: [ldap, db]          
        ldap:
            id: imag_ldap.security.user.provider
        db:
            entity: { class: FQDN\User }

Note:

If you have set the config option bind_username_before: true you must chain the providers with the ldap provider in the last position.

# app/config/security.yml

providers: [db, ldap]          

Subscribe to PRE_BIND event

The PRE_BIND is fired before the user is authenticated via LDAP. Here you can write a listener to perform your own logic before the user is bound/authenticated to LDAP. For example, to add your own roles or do other authentication/authorization checks with your application.

If you want to break the authentication process within your listener, throw an Exception.

Example listener:

<service id="ldap.listener" class="Acme\HelloBundle\EventListener\LdapSecuritySubscriber">
    <tag name="kernel.event_subscriber" />
</service>

Example:

<?php

namespace Acme\HelloBundle\EventListener;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use IMAG\LdapBundle\Event\LdapUserEvent;

/**
 * Performs logic before the user is found to LDAP
 */
class LdapSecuritySubscriber implements EventSubscriberInterface
{
    public static function getSubscribedEvents()
    {
        return array(
            \IMAG\LdapBundle\Event\LdapEvents::PRE_BIND => 'onPreBind',
        );
    }

    /**
     * Modifies the User before binding data from LDAP
     *
     * @param \IMAG\LdapBundle\Event\LdapUserEvent $event
     */
    public function onPreBind(LdapUserEvent $event)
    {
        $user = $event->getUser();
        $config = $this->appContext->getConfig();

        $ldapConf = $config['ldap'];

        if (!in_array($user->getUsername(), $ldapConf['allowed'])) {
            throw new \Exception(sprintf('LDAP user %s not allowed', $user->getUsername()));
        }

		$user->addRole('ROLE_LDAP');
        $event->setUser($user);
    }
}

Subscribe to POST_BIND event

The POST_BIND is fired after the user is authenticated via LDAP. You can use it in exactly the same manner as PRE_BIND.

Note:

However each time a page is refreshed, Symfony call the refreshUser method in the provider that is used and doesn't trigger these events (PRE_BIND and POST_BIND). If you want to override user (for example like credentials, roles ...), you must create a new provider and override this method.

jmleroy/ldap-bundle 适用场景与选型建议

jmleroy/ldap-bundle 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 970 次下载、GitHub Stars 达 0, 最近一次更新时间为 2019 年 03 月 29 日, 在 PHP 生态内属于活跃度较高的组件。

我们在过去多个企业项目中使用过 jmleroy/ldap-bundle 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 jmleroy/ldap-bundle 我们能提供哪些服务?
定制开发 / 二次开发

基于 jmleroy/ldap-bundle 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 970
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 0
  • 点击次数: 0
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 0
  • Watchers: 1
  • Forks: 92
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2019-03-29