From 9a145e1bdee1570f8cd2c10a92dc345a0cd22a7e Mon Sep 17 00:00:00 2001
From: Markus Schafroth
Date: Mon, 15 Feb 2016 19:24:53 +0100
Subject: [PATCH 1/7] [ldap][2.8] Optional search for DN before bind

May be used e.g. if DN does not contain username.
---
 src/Symfony/Component/Ldap/LdapClient.php | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
 mode change 100644 => 100755 src/Symfony/Component/Ldap/LdapClient.php

diff --git a/src/Symfony/Component/Ldap/LdapClient.php b/src/Symfony/Component/Ldap/LdapClient.php
old mode 100644
new mode 100755
index e7a0bc45e64d9..40e189093e6fb
--- a/src/Symfony/Component/Ldap/LdapClient.php
+++ b/src/Symfony/Component/Ldap/LdapClient.php
@@ -30,6 +30,7 @@ class LdapClient implements LdapClientInterface
 private $useStartTls;
 private $optReferrals;
 private $connection;
+ private $charmaps;
 
 /**
 * Constructor.
@@ -68,7 +69,17 @@ public function bind($dn = null, $password = null)
 if (!$this->connection) {
 $this->connect();
 }
-
+
+ $dnArr = explode(";",$dn);
+ if(count($dnArr) > 1)
+ {
+ $searchResult = $this->find($dnArr[1], $dnArr[0], '*');
+
+ if(count($searchResult))
+ {
+ $dn = $searchResult[0]['dn'];
+ }
+ }
 if (false === @ldap_bind($this->connection, $dn, $password)) {
 throw new ConnectionException(ldap_error($this->connection));
 }

From 59ac802f857abc686b3a769b2ec595b1a1137582 Mon Sep 17 00:00:00 2001
From: Markus Schafroth
Date: Mon, 15 Feb 2016 19:40:06 +0100
Subject: [PATCH 2/7] Comply to coding standard

---
 src/Symfony/Component/Ldap/LdapClient.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/Symfony/Component/Ldap/LdapClient.php b/src/Symfony/Component/Ldap/LdapClient.php
index 40e189093e6fb..495bf95fdc43a 100755
--- a/src/Symfony/Component/Ldap/LdapClient.php
+++ b/src/Symfony/Component/Ldap/LdapClient.php
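Review bot: The two halves of `$dn` split on `;` are handed straight to `$this->find()` (presumably as base DN and filter; `find()`'s signature is not in the hunk), but the only caller of `bind()` visible in this series (LdapBindAuthenticationProvider, patch 5) builds `$dn` from a username escaped with `LDAP_ESCAPE_DN`, which — assuming `escape()` maps onto `ldap_escape()` — leaves filter metacharacters such as `*`, `(` and `)` untouched, so a crafted username reaches the search filter unescaped. Overloading the `$dn` argument with an in-band `;` separator is also fragile: nothing distinguishes "DN with a search request" from a plain DN except this `explode()`, and the search runs in whatever bind state the connection is in at that moment, before the user bind. Whether `$this->find()` returns something safely `count()`-able on a miss is not visible here either. Keep `bind()` a plain bind and give the lookup its own explicit API, e.g. `public function findDn($baseDn, $filter)` taking a filter-escaped value, or do the lookup in the user provider that already holds the search credentials. `bind()` continues past the end of the hunk.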
@@ -69,12 +69,12 @@ public function bind($dn = null, $password = null)
 if (!$this->connection) {
 $this->connect();
 }
-
- $dnArr = explode(";",$dn);
+
+ $dnArr = explode(';',$dn);
 if(count($dnArr) > 1)
 {
 $searchResult = $this->find($dnArr[1], $dnArr[0], '*');
-
+
 if(count($searchResult))
 {
 $dn = $searchResult[0]['dn'];

From 1254d41bc0a459f5ea77871fe542f1196b546d7d Mon Sep 17 00:00:00 2001
From: Markus Schafroth
Date: Mon, 15 Feb 2016 20:30:21 +0100
Subject: [PATCH 3/7] Reverted file permissions

---
 src/Symfony/Component/Ldap/LdapClient.php | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100755 => 100644 src/Symfony/Component/Ldap/LdapClient.php

diff --git a/src/Symfony/Component/Ldap/LdapClient.php b/src/Symfony/Component/Ldap/LdapClient.php
old mode 100755
new mode 100644

From b0e74e8acbf56aea1d04f078d111eee97bc8661d Mon Sep 17 00:00:00 2001
From: Markus Schafroth
Date: Thu, 18 Feb 2016 13:28:29 +0100
Subject: [PATCH 4/7] [ldap][2.8] Added search before bind to LdapClient using LdapUserProvider functionality

---
 src/Symfony/Component/Ldap/LdapClient.php | 22 ++++++----
 .../Security/Core/User/LdapUserProvider.php | 44 +++++++++++--------
 2 files changed, 39 insertions(+), 27 deletions(-)
 mode change 100644 => 100755 src/Symfony/Component/Ldap/LdapClient.php
 mode change 100644 => 100755 src/Symfony/Component/Security/Core/User/LdapUserProvider.php

diff --git a/src/Symfony/Component/Ldap/LdapClient.php b/src/Symfony/Component/Ldap/LdapClient.php
old mode 100644
new mode 100755
index 495bf95fdc43a..aeb37adebf56d
--- a/src/Symfony/Component/Ldap/LdapClient.php
+++ b/src/Symfony/Component/Ldap/LdapClient.php
@@ -13,6 +13,7 @@
 
 use Symfony\Component\Ldap\Exception\ConnectionException;
 use Symfony\Component\Ldap\Exception\LdapException;
+use Symfony\Component\Security\Core\User\LdapUserProvider;
 
 /**
 * @author Grégoire Pineau
@@ -42,7 +43,7 @@ class LdapClient implements LdapClientInterface
 * @param bool $useStartTls
 * @param bool $optReferrals
 */
- public function __construct($host = null, $port = 389, $version = 3, $useSsl = false, $useStartTls = false, $optReferrals = false)
+ public function __construct($host = null, $port = 389, $version = 3, $useSsl = false, $useStartTls = false, $optReferrals = false, $ldapBaseDn = null, $ldapSearchDn = null, $ldapSearchPassword = null, $ldapUidKey = null, $ldapFilter = null)
 {
 if (!extension_loaded('ldap')) {
 throw new LdapException('The ldap module is needed.');
@@ -54,6 +55,11 @@ public function __construct($host = null, $port = 389, $version = 3, $useSsl = f
 $this->useSsl = (bool) $useSsl;
 $this->useStartTls = (bool) $useStartTls;
 $this->optReferrals = (bool) $optReferrals;
+ $this->ldapBaseDn = $ldapBaseDn;
+ $this->ldapSearchDn = $ldapSearchDn;
+ $this->ldapSearchPassword = $ldapSearchPassword;
+ $this->ldapUidKey = $ldapUidKey;
+ $this->ldapFilter = $ldapFilter;
 }
 
 public function __destruct()
@@ -70,16 +76,14 @@ public function bind($dn = null, $password = null)
 $this->connect();
 }
 
- $dnArr = explode(';',$dn);
- if(count($dnArr) > 1)
- {
- $searchResult = $this->find($dnArr[1], $dnArr[0], '*');
-
- if(count($searchResult))
- {
- $dn = $searchResult[0]['dn'];
+ if($this->ldapBaseDn && $this->ldapSearchDn){
+ $ldapUserProvider = new LdapUserProvider($this, $this->ldapBaseDn, $this->ldapSearchDn, $this->ldapSearchPassword, null, $this->ldapUidKey, $this->ldapFilter);
+ $ldapUser = $ldapUserProvider->getUser($dn);
+ if(count($ldapUser)){
+ $dn = $ldapUser['dn'];
 }
 }
+
 if (false === @ldap_bind($this->connection, $dn, $password)) {
 throw new ConnectionException(ldap_error($this->connection));
 }
diff --git a/src/Symfony/Component/Security/Core/User/LdapUserProvider.php b/src/Symfony/Component/Security/Core/User/LdapUserProvider.php
old mode 100644
new mode 100755
index 15935648abd30..102a3598851af
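Review bot: The five new constructor parameters — one of them a search-account password — are not documented: the `@param` block ending just above the signature still stops at `@param bool $optReferrals`. Eleven positional parameters with several `null` defaults in the middle is also easy to misuse at call sites (a caller wanting only `$ldapFilter` must pass four nulls first). Add `@param string|null $ldapBaseDn`, `@param string|null $ldapSearchDn`, `@param string|null $ldapSearchPassword`, `@param string|null $ldapUidKey` and `@param string|null $ldapFilter`, and consider grouping the search-account settings into one options argument rather than widening the client's signature. Storing a service credential on the same client object that is later bound as the end user (patch 5, `$this->ldap->bind($dn, $password)`) is a design choice that should at least be stated in the docblock.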
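Review bot: The five assignments write to properties that are never declared — the class's property list, visible in the patch 1 and patch 6 hunks, contains only `$useStartTls`, `$optReferrals`, `$connection` and friends — so `ldapBaseDn`, `ldapSearchDn`, `ldapSearchPassword`, `ldapUidKey` and `ldapFilter` become dynamic, implicitly public properties, which is exactly what patch 5 later reads from outside via `$this->ldap->ldapBaseDn`. That silently exposes the search password to anyone holding the client. Declare them next to the existing ones, `private $ldapBaseDn; private $ldapSearchDn; private $ldapSearchPassword;` (and the other two), and expose what callers need through explicit getters or, better, not at all.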
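Review bot: This `bind()` recurses without bound when the feature is enabled: `LdapUserProvider::getUser()`, added in this same commit, begins with `$this->ldap->bind($this->searchDn, $this->searchPassword)` on this very client, which re-enters this block with `ldapBaseDn`/`ldapSearchDn` still set. `getUser()` is also declared `private` in this commit, so the call fails at runtime with a visibility error before that can even happen, and it is handed the caller's composed `$dn` where it expects a username. The Ldap component now imports `Symfony\Component\Security\Core\User\LdapUserProvider` — the Security component that depends on Ldap — which inverts the layering. Drop the lookup from the client entirely (a bind should only bind) and perform the search in the authentication provider with the provider it already receives, e.g. `$dn = $this->userProvider->getUser($username)['dn'];` before `$this->ldap->bind($dn, $password)`.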
--- a/src/Symfony/Component/Security/Core/User/LdapUserProvider.php
+++ b/src/Symfony/Component/Security/Core/User/LdapUserProvider.php
@@ -55,24 +55,7 @@ public function __construct(LdapClientInterface $ldap, $baseDn, $searchDn = null
 */
 public function loadUserByUsername($username)
 {
- try {
- $this->ldap->bind($this->searchDn, $this->searchPassword);
- $username = $this->ldap->escape($username, '', LDAP_ESCAPE_FILTER);
- $query = str_replace('{username}', $username, $this->defaultSearch);
- $search = $this->ldap->find($this->baseDn, $query);
- } catch (ConnectionException $e) {
- throw new UsernameNotFoundException(sprintf('User "%s" not found.', $username), 0, $e);
- }
-
- if (!$search) {
- throw new UsernameNotFoundException(sprintf('User "%s" not found.', $username));
- }
-
- if ($search['count'] > 1) {
- throw new UsernameNotFoundException('More than one user found');
- }
-
- $user = $search[0];
+ $user = $this->getUser($username);
 
 return $this->loadUser($username, $user);
 }
@@ -105,4 +88,29 @@ public function supportsClass($class)
 {
 return $class === 'Symfony\Component\Security\Core\User\User';
 }
+
+ /**
+ * {@inheritdoc}
+ */
+ private function getUser($username)
+ {
+ try {
+ $this->ldap->bind($this->searchDn, $this->searchPassword);
+ $username = $this->ldap->escape($username, '', LDAP_ESCAPE_FILTER);
+ $query = str_replace('{username}', $username, $this->defaultSearch);
+ $search = $this->ldap->find($this->baseDn, $query);
+ } catch (ConnectionException $e) {
+ throw new UsernameNotFoundException(sprintf('User "%s" not found.', $username), 0, $e);
+ }
+
+ if (!$search) {
+ throw new UsernameNotFoundException(sprintf('User "%s" not found.', $username));
+ }
+
+ if ($search['count'] > 1) {
+ throw new UsernameNotFoundException('More than one user found');
+ }
+
+ return $search[0];
+ }
 }

From b79e663a94c58efd4ca65af26623df18b20096c5 Mon Sep 17 00:00:00 2001
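Review bot: `{@inheritdoc}` on the new private `getUser()` is wrong — no interface or parent visible here declares such a method, so there is nothing to inherit and the helper is effectively undocumented. Replace it with a docblock that states what the code does: binds with the configured search account, runs `defaultSearch` with the filter-escaped username under `baseDn`, returns the single matching entry, and throws `UsernameNotFoundException` when the bind fails, nothing matches, or more than one entry matches; add `@param string $username`, `@return array` and `@throws UsernameNotFoundException`. Note that `$username` is overwritten with its filter-escaped form before it is interpolated into the exception messages (behaviour carried over by the move, not introduced here). Since this is the only place the search credentials are used, it is the natural seam for any DN lookup the bind provider may later need.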
From: Markus Schafroth
Date: Thu, 18 Feb 2016 15:49:54 +0100
Subject: [PATCH 5/7] [ldap][2.8] moved "search DN before bind" functionality to LdapBindAuthenticationProvider

---
 src/Symfony/Component/Ldap/LdapClient.php | 8 --------
 .../LdapBindAuthenticationProvider.php | 20 ++++++++++++---
 .../Security/Core/User/LdapUserProvider.php | 2 +-
 3 files changed, 18 insertions(+), 12 deletions(-)
 mode change 100755 => 100644 src/Symfony/Component/Ldap/LdapClient.php
 mode change 100755 => 100644 src/Symfony/Component/Security/Core/User/LdapUserProvider.php

diff --git a/src/Symfony/Component/Ldap/LdapClient.php b/src/Symfony/Component/Ldap/LdapClient.php
old mode 100755
new mode 100644
index aeb37adebf56d..0d34ad1dc44cf
--- a/src/Symfony/Component/Ldap/LdapClient.php
+++ b/src/Symfony/Component/Ldap/LdapClient.php
@@ -75,14 +75,6 @@ public function bind($dn = null, $password = null)
 if (!$this->connection) {
 $this->connect();
 }
-
- if($this->ldapBaseDn && $this->ldapSearchDn){
- $ldapUserProvider = new LdapUserProvider($this, $this->ldapBaseDn, $this->ldapSearchDn, $this->ldapSearchPassword, null, $this->ldapUidKey, $this->ldapFilter);
- $ldapUser = $ldapUserProvider->getUser($dn);
- if(count($ldapUser)){
- $dn = $ldapUser['dn'];
- }
- }
 
 if (false === @ldap_bind($this->connection, $dn, $password)) {
 throw new ConnectionException(ldap_error($this->connection));
diff --git a/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php b/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php
index adc42ef3b38f5..a65fe026eaa2b 100644
--- a/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php
+++ b/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php
@@ -19,6 +19,7 @@
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Ldap\LdapClientInterface;
 use Symfony\Component\Ldap\Exception\ConnectionException;
+use Symfony\Component\Security\Core\User\LdapUserProvider;
 
 /**
 * LdapBindAuthenticationProvider authenticates a user against an LDAP server.
@@ -74,9 +75,22 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke
 $password = $token->getCredentials();
 
 try {
- $username = $this->ldap->escape($username, '', LDAP_ESCAPE_DN);
- $dn = str_replace('{username}', $username, $this->dnString);
-
+
+ $username = $this->ldap->escape($username, '', LDAP_ESCAPE_DN);
+ $dn = str_replace('{username}', $username, $this->dnString);
+
+ if($this->ldap->ldapBaseDn && $this->ldap->ldapSearchDn){
+ if($this->userProvider instanceof LdapUserProvider) {
+ $ldapUser = $this->userProvider->getUser($dn);
+ }
+ else{
+ $ldapUserProvider = new LdapUserProvider($this->ldap, $this->ldap->ldapBaseDn, $this->ldap->ldapSearchDn, $this->ldap->ldapSearchPassword, array(), $this->ldap->ldapUidKey, $this->ldap->ldapFilter);
+ $ldapUser = $ldapUserProvider->getUser($dn);
+ if(count($ldapUser)){
+ $dn = $ldapUser['dn'];
+ }
+ }
+ }
 $this->ldap->bind($dn, $password);
 } catch (ConnectionException $e) {
 throw new BadCredentialsException('The presented password is invalid.');
diff --git a/src/Symfony/Component/Security/Core/User/LdapUserProvider.php b/src/Symfony/Component/Security/Core/User/LdapUserProvider.php
old mode 100755
new mode 100644
index 102a3598851af..60bad165b56f5
--- a/src/Symfony/Component/Security/Core/User/LdapUserProvider.php
+++ b/src/Symfony/Component/Security/Core/User/LdapUserProvider.php
@@ -92,7 +92,7 @@ public function supportsClass($class)
 /**
 * {@inheritdoc}
 */
- private function getUser($username)
+ public function getUser($username)
 {
 try {
 $this->ldap->bind($this->searchDn, $this->searchPassword);
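Review bot: In the `instanceof LdapUserProvider` branch the lookup result is thrown away — `$ldapUser` is assigned but `$dn` is never updated — so the bind still uses the template DN and the feature is a no-op in the very case it targets (the configured provider being the LDAP one). Both branches also pass the composed, DN-escaped `$dn` to `getUser()` in place of the username, so the `{username}` filter is matched against something like `uid=bob,dc=example,dc=com` (filter-escaped a second time inside `getUser()`), and a miss raises `UsernameNotFoundException`, which the enclosing `catch (ConnectionException $e)` does not convert to `BadCredentialsException` — a lookup miss and a wrong password therefore fail with different exception types, which can become a user-enumeration signal depending on how the caller reports them. The `else` branch reads `ldapBaseDn`, `ldapSearchDn`, `ldapSearchPassword`, `ldapUidKey` and `ldapFilter` off `$this->ldap`, none of which `LdapClientInterface` or the `LdapClient` property list in this series declares. Use only the injected provider, pass it the raw username (`$username` is already set when the hunk begins, so copy it before `escape()` overwrites it), and map a miss onto the same `BadCredentialsException`; `UsernameNotFoundException` needs a `use` if the file does not already import it.
```php
$password = $token->getCredentials();

try {
    $rawUsername = $username; // keep the unescaped form; escape() below rewrites $username for DN use
    $username = $this->ldap->escape($username, '', LDAP_ESCAPE_DN);
    $dn = str_replace('{username}', $username, $this->dnString);

    if ($this->userProvider instanceof LdapUserProvider) {
        try {
            // The provider binds with its own search account and filter-escapes the username itself.
            $dn = $this->userProvider->getUser($rawUsername)['dn'];
        } catch (UsernameNotFoundException $e) {
            // A miss must be indistinguishable from a wrong password to the caller.
            throw new BadCredentialsException('The presented password is invalid.', 0, $e);
        }
    }

    $this->ldap->bind($dn, $password);
// … unchanged: catch (ConnectionException $e) → BadCredentialsException …
```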
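Review bot: Making `getUser()` public turns a helper that binds with the service account and returns a raw LDAP entry into part of `LdapUserProvider`'s API, while its docblock is still `{@inheritdoc}` with nothing to inherit from. Give it a real docblock, e.g. `Searches the directory with the configured search account and returns the single entry matching $username; throws UsernameNotFoundException when the bind fails, nothing matches or more than one entry matches.`, with `@param string $username`, `@return array` and `@throws UsernameNotFoundException`. If the method exists only for the bind provider's use, mark it `@internal`, or add it to an interface so the caller does not have to rely on an `instanceof LdapUserProvider` check. The method body continues past the end of the hunk.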
From c909859b8be916c7d1fbcea7502fae3f640558e2 Mon Sep 17 00:00:00 2001
From: Markus Schafroth
Date: Mon, 29 Feb 2016 12:02:03 +0100
Subject: [PATCH 6/7] [ldap][2.8] removed unused field

---
 src/Symfony/Component/Ldap/LdapClient.php | 1 -
 1 file changed, 1 deletion(-)
 mode change 100644 => 100755 src/Symfony/Component/Ldap/LdapClient.php

diff --git a/src/Symfony/Component/Ldap/LdapClient.php b/src/Symfony/Component/Ldap/LdapClient.php
old mode 100644
new mode 100755
index 0d34ad1dc44cf..e3f91706b8b74
--- a/src/Symfony/Component/Ldap/LdapClient.php
+++ b/src/Symfony/Component/Ldap/LdapClient.php
@@ -31,7 +31,6 @@ class LdapClient implements LdapClientInterface
 private $useStartTls;
 private $optReferrals;
 private $connection;
- private $charmaps;
 
 /**
 * Constructor.

From faec22516ba98ab3db68279c27ac3dfe11c8caff Mon Sep 17 00:00:00 2001
From: Markus Schafroth
Date: Mon, 29 Feb 2016 12:06:47 +0100
Subject: [PATCH 7/7] [ldap][2.8] removed unused "use" statement

---
 src/Symfony/Component/Ldap/LdapClient.php | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/Symfony/Component/Ldap/LdapClient.php b/src/Symfony/Component/Ldap/LdapClient.php
index e3f91706b8b74..558ab45dc4cd9 100755
--- a/src/Symfony/Component/Ldap/LdapClient.php
+++ b/src/Symfony/Component/Ldap/LdapClient.php
@@ -13,7 +13,6 @@
 
 use Symfony\Component\Ldap\Exception\ConnectionException;
 use Symfony\Component\Ldap\Exception\LdapException;
-use Symfony\Component\Security\Core\User\LdapUserProvider;
 
 /**
 * @author Grégoire Pineau