Merge remote-tracking branch 'nietonfir/ldap_security' into ldap_quer… · symfony/symfony-docs@1d89999 · GitHub

Commit 1d89999

Merge remote-tracking branch 'nietonfir/ldap_security' into ldap_query_string
2 parents ec7dadc + 6135043 commit 1d89999

2 files changed

+29
-5
lines changed

reference/configuration/security.rst

Lines changed: 7 additions & 5 deletions
Original file line number | Diff line number | Diff line change
@@ -142,9 +142,10 @@ Each part will be explained in the next section.
142142
http_basic:
143143
provider: some_key_from_above
144144
http_basic_ldap:
145-
provider: some_key_from_above
146-
service: ldap
147-
dn_string: '{username}'
145+
provider: some_key_from_above
146+
service: ldap
147+
dn_string: '{username}'
148+
query_string: ~
148149
http_digest:
149150
provider: some_key_from_above
150151
guard:
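Review bot: The three lines removed and re-added under `http_basic_ldap` (`provider`, `service`, `dn_string`) read identically on both sides, so this looks like a whitespace-only re-indent bundled with the one functional addition, `query_string: ~`. Please confirm the new indentation matches the sibling `http_basic` and `http_digest` entries, and consider a short inline comment on `query_string` saying it is optional, since a bare `~` in a reference configuration gives the reader no hint of what a real value looks like.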
@@ -237,8 +238,9 @@ Each part will be explained in the next section.
237238
# new in Symfony 2.3
238239
require_previous_session: true
239240
240-
service: ~
241-
dn_string: '{username}'
241+
service: ~
242+
dn_string: '{username}'
243+
query_string: ~
242244
243245
remember_me:
244246
token_provider: name
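Review bot: The new `query_string: ~` line after `dn_string` carries no version marker, while the `require_previous_session` entry just above it in this block is annotated with `# new in Symfony 2.3`. Add an equivalent comment naming the release that introduces `query_string`, so readers on an older version do not copy a key their version does not support.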

security/ldap.rst

Lines changed: 22 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -270,6 +270,28 @@ For example, if your users have DN strings in the form
270270
``uid=einstein,dc=example,dc=com``, then the ``dn_string`` will be
271271
``uid={username},dc=example,dc=com``.
272272

273+
query_string
274+
............
275+
276+
**type**: ``string`` **default**: ``null``
277+
278+
This (optional) key makes the user provider search for a user and then use the
279+
found DN for the bind process. This is useful when using multiple LDAP user
280+
providers with different ``base_dn``. The value of this option must be a valid
281+
search string (e.g. ``uid="{username}"``). The placeholder value will be
282+
replaced by the actual username.
283+
284+
When this option is used, ``dn_string`` has to be updated accordingly. Following
285+
the previous example, if your users have the following two DN:
286+
``dc=companyA,dc=example,dc=com`` and ``dc=companyB,dc=example,dc=com``, then
287+
``dn_string`` should be ``dc=example,dc=com``. If the ``query_string`` option is
288+
``uid="{username}"``, then the authentication provider can authenticate users
289+
from both DN.
290+
291+
Bear in mind that usernames must be unique across both DN, as the authentication
292+
provider won't be able to select the correct user for the bind process if more
293+
than one is found.
294+
273295
Examples are provided below, for both ``form_login_ldap`` and
274296
``http_basic_ldap``.
275297
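Review bot: The first `query_string` paragraph says the placeholder "will be replaced by the actual username" but does not say whether that value is escaped for use inside an LDAP search string. The username arrives from the login request, so the text should state whether the provider escapes it before substitution or what the integrator has to do. Separately, in the second paragraph `dn_string` stops being the per-user template shown in the context above (`uid={username},dc=example,dc=com`) and becomes `dc=example,dc=com`; say explicitly what role `dn_string` plays once `query_string` is set (it reads as the search base), and describe `dc=companyA,dc=example,dc=com` and `dc=companyB,dc=example,dc=com` as the subtrees holding the users rather than as the users' "two DN".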
