Authentication via LDAP in Symfony 3

2
votes

I am trying to implement active directory authentication in my Symfony application.

I can't seem to authenticate successfully. The following is logged each time I try to login via a web form:

2016-08-17 17:07:08] php.DEBUG: ldap_bind(): Unable to bind to server: Invalid credentials {"type":2,"file":"/Users/firstname.lastname/Sites/url-builder/url_builder/vendor/symfony/symfony/src/Symfony/Component/Ldap/Adapter/ExtLdap/Connection.php","line":53,"level":28928} [] [2016-08-17 17:07:08] security.INFO: Authentication request failed. {"exception":"[object] (Symfony\Component\Security\Core\Exception\BadCredentialsException(code: 0): Bad credentials. at /Users/firstname.lastname/Sites/url-builder/url_builder/vendor/symfony/symfony/src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php:90, Symfony\Component\Security\Core\Exception\BadCredentialsException(code: 0): The presented password is invalid. at /Users/first.name/Sites/url-builder/url_builder/vendor/symfony/symfony/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php:86)"} [] [2016-08-17 17:07:08] security.DEBUG: Authentication failure, redirect triggered. {"failure_path":"login"} [] [2016-08-17 17:07:08] request.INFO: Matched route "{route}". {"route":"login","route_parameters":{"_controller":"UrlBuilderBundle\Controller\SecurityController::loginAction","_route":"login"},"request_uri":"http://www.url-builder.dev/app_dev.php/auth/login","method":"GET"} []

I have configured the user provider to read users from the database:

providers:
    urlbuilder_provider:
        entity:
            class: UrlBuilderBundle:User
            property: username

I have configured Ldap authentication via form in the firewalls section:

           provider: urlbuilder_provider
            # activate different ways to authenticate

            # http_basic: ~
            # http://symfony.com/doc/current/book/security.html#a-configuring-how-your-users-will-authenticate

            form_login_ldap:
                login_path: login
                check_path: login
                service:  app.ldap
                dn_string: 'uid={username},dc=global,dc=com'
                default_target_path: /manage-user

My login action has the following content:

public function loginAction(Request $request)
{
    $authenticationUtils = $this->get('security.authentication_utils');

    // get the login error if there is one
    $error = $authenticationUtils->getLastAuthenticationError();

    // last username entered by the user
    $lastUsername = $authenticationUtils->getLastUsername();

    return $this->render(
        'security/login.html.twig',
        array(
            // last username entered by the user
            'last_username' => $lastUsername,
            'error'         => $error,
        )
    );
}

I tested ldap authentication in a standalone PHP script and it worked as expected. I am storing user details in a database table but want to authenticate against active directory. My feeling is that the problem is how the username and password are submitted to LDAP but can't quite put my finger on it.

I am well and truly stumped, appreciate if anyone could shed some light on this.

Update

The usernames in the AD that I am authenticating against have the domain 'global' so this means the username will be in the following format: 'global\firstname.lastname'

I feel the backslash in the username string is the source of my issue. I 'var_dump'-ed the username that is being passed in the bind(), the characters '5c' are being added just after the backslash; 'global\5cfirstname.lastname'. How can I ensure that backslash is handled correctly?

3
phpsymfonysecurityauthenticationldap

3 Answers

1
votes

I solved my issue by changing dn_string: 'uid={username},dc=global,dc=com' to dn_string: global\{username}.

This means the user does not provide the domain in their username when logging in via the form and hence avoids the issue where '5c' is added after the backslash.

0
votes

For Active Directory, you should use the following DN string in your form_login_ldap config: dn_string: '{username}'. In fact, you don't even need to define it all because that's the default value. See this: http://symfony.com/doc/current/security/ldap.html#dn-string

The reason it doesn't work currently is because if a user uses the name foo to login to the form, it will try to bind with a DN string uid=foo,dc=global,dc=com.

-1
votes

I used ldap with Laravel and my code look something like that.

Open connection

$ldap_connection = ldap_connect(config('app.ldap_server'), config('app.ldap_port'));

Check connection and login with ldap

     $username = "test"
     $password = "test"

     if($ldap_connection){
                    ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3);
                    ldap_set_option($ldap_connection, LDAP_OPT_REFERRALS, 0);
                    $ldap_bind = @ldap_bind($ldap_connection, $username, $password);
                    if($ldap_bind){
                        // Here you put the code for save in database
                    }
                }

End connection.

ldap_close($ldap_connection);