There are two main problems in your existing code:
- Symfony's `LdapUserProvider` component uses the Active Directory (Windows) schema by default, `sAMAccountName={username}`, instead of OpenLDAP's `uid={username}`.
- You use the built-in `http` security firewall, which by default uses the `DaoAuthenticationProvider` authentication provider. If you use LDAP authentication, you need the `LdapBindAuthenticationProvider`.

The first problem can be solved by passing the user identifier key to `LdapUserProvider`:
```php
$app['ldap.users'] = function() use ($app) {
    return new LdapUserProvider(
        // your LDAP adapter
        $app['ldap'],
        // base DN
        'dc=example,dc=com',
        // you don't need a search DN
        null,
        // you don't need a search password
        null,
        // list of default roles, can be an empty array
        ['ROLE_USER'],
        // user identifier key for LDAP
        // this identifier must be set explicitly (the default is sAMAccountName)
        'uid'
    );
};
```
Note that the third and fourth parameters can be `null`, because they will never be used: the `LdapBindAuthenticationProvider` is called first, so the LDAP connection is already bound.

The second problem needs a little coding. Symfony has a built-in `http_basic_ldap` authentication provider that fits your needs perfectly. Unfortunately, Silex does not have one, so you need to write your own. Use the Silex documentation as a reference: Defining a custom Authentication Provider.

Here is my example of a `form_login_ldap` implementation for Silex. Register all LDAP-related services:
```php
$app // register other services
    ->register(new LdapServiceProvider())
    ->register(new LdapUsersServiceProvider())
    ->register(new LdapSecurityServiceProvider())
    ->register(new \Silex\Provider\SecurityServiceProvider(), [
        'security.firewalls' => [
            'login' => [
                'pattern' => '^/login$',
            ],
            'secured' => [
                'pattern' => '^.*$',
                'form_login_ldap' => [
                    'login_path' => 'login',
                    'check_path' => 'login_check',
                    'default_target_path' => 'backoffice',
                ],
                // the LDAP user provider registered by LdapUsersServiceProvider
                'users' => $app['ldap.users'],
            ],
        ],
    ])
;
```
Service provider for the LDAP adapter:
```php
use Pimple\Container;
use Pimple\ServiceProviderInterface;
use Symfony\Component\Ldap\Ldap;

class LdapServiceProvider implements ServiceProviderInterface
{
    public function register(Container $app)
    {
        // the connection is opened lazily; nothing is bound until bind() is called
        $app['ldap'] = function() {
            return Ldap::create('ext_ldap', [
                'connection_string' => 'ldap.example.com',
            ]);
        };
    }
}
```
Service provider for LDAP users:
```php
use Pimple\Container;
use Pimple\ServiceProviderInterface;
use Symfony\Component\Security\Core\User\LdapUserProvider;

class LdapUsersServiceProvider implements ServiceProviderInterface
{
    public function register(Container $app)
    {
        $app['ldap.users'] = function() use ($app) {
            return new LdapUserProvider(
                $app['ldap'],          // LDAP adapter
                'dc=example,dc=com',   // base DN
                null,                  // search DN (not needed)
                null,                  // search password (not needed)
                ['ROLE_USER'],         // default roles
                'uid'                  // user identifier key (OpenLDAP)
            );
        };
    }
}
```
Service provider for the security authentication listener factory for the LDAP form (the most interesting part for you):
```php
use Pimple\Container;
use Pimple\ServiceProviderInterface;
use Symfony\Component\Security\Core\Authentication\Provider\LdapBindAuthenticationProvider;

class LdapSecurityServiceProvider implements ServiceProviderInterface
{
    public function register(Container $app)
    {
        $app['security.authentication_listener.factory.form_login_ldap'] = $app->protect(function ($name, $options) use ($app) {
            // define the authentication provider object
            $app['security.authentication_provider.'.$name.'.form_login_ldap'] = function() use ($app, $name) {
                return new LdapBindAuthenticationProvider(
                    $app['security.user_provider.'.$name],
                    $app['security.user_checker'],
                    $name,
                    $app['ldap'],
                    // DN template; {username} is replaced by the submitted login name
                    'uid={username},dc=example,dc=com',
                    $app['security.hide_user_not_found']
                );
            };

            // define the authentication listener object
            $app['security.authentication_listener.'.$name.'.form_login_ldap'] = $app['security.authentication_listener.form._proto']($name, $options);

            // define the entry point object
            $app[$entryPoint = 'security.entry_point.'.$name.'.form_login_ldap'] = $app['security.entry_point.form._proto']($name, array());

            return array(
                // the authentication provider id
                'security.authentication_provider.'.$name.'.form_login_ldap',
                // the authentication listener id
                'security.authentication_listener.'.$name.'.form_login_ldap',
                // the entry point id
                $entryPoint,
                // the position of the listener in the stack
                'form'
            );
        });
    }
}
```
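The bind provider above takes the submitted login name and substitutes it into the DN template `uid={username},dc=example,dc=com`. The following is an added example, not code from the answer above nor from Symfony or Silex, that shows in plain PHP the two guards such a bind-based authenticator relies on: escaping the username before it goes into the DN (RFC 4514), and refusing an empty password, since a simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513, section 5.1.2) that many directories report as success. The DN template is the answer's; the in-memory directory and the `$fakeBind` callback are constructed stand-ins for a real LDAP server.

```php
<?php
declare(strict_types=1);

// Added example; not code from the original answer, Symfony or Silex. It shows
// the two guards a bind-based authenticator needs before it hands a login name
// and password to a simple LDAP bind:
//  1. the username is escaped before it is substituted into the DN template,
//     so a login name such as "backup,ou=system" cannot move the bind outside
//     the subtree the template pins it to;
//  2. an empty password is refused up front, because a simple bind with a DN
//     and an empty password is an unauthenticated bind (RFC 4513, 5.1.2)
//     that many directories report as success.
// Assumed: the answer's template 'uid={username},dc=example,dc=com' and a
// constructed in-memory directory standing in for the real LDAP server.

/** Escape one attribute value for use inside a DN (RFC 4514, 2.4), in \XX hex form. */
function escapeDnValue(string $value): string
{
    if ($value === '') {
        return '';
    }
    // Special anywhere in a value: \ , + " < > ; = and control characters.
    $out = preg_replace_callback(
        '/[\\\\,+"<>;=]|[\x00-\x1F]/',
        static function (array $m): string { return '\\' . bin2hex($m[0]); },
        $value
    );
    // A leading space or '#' and a trailing space are special as well.
    if ($out[0] === ' ' || $out[0] === '#') {
        $out = '\\' . bin2hex($out[0]) . substr($out, 1);
    }
    if (substr($out, -1) === ' ') {
        $out = substr($out, 0, -1) . '\\20';
    }
    return $out;
}

/** Substitute the escaped login name into the DN template. */
function buildBindDn(string $template, string $username): string
{
    return str_replace('{username}', escapeDnValue($username), $template);
}

/**
 * Authenticate by binding as the user. $bind(string $dn, string $password): bool
 * stands in for the LDAP adapter's bind() and returns true when the server
 * accepts the bind. Credentials that must never reach the server are rejected
 * with an InvalidArgumentException before any bind is attempted.
 */
function authenticateByBind(string $template, string $username, string $password, callable $bind): bool
{
    if ($username === '') {
        throw new InvalidArgumentException('The presented username must not be empty.');
    }
    if ($password === '') {
        throw new InvalidArgumentException('The presented password must not be empty.');
    }
    return $bind(buildBindDn($template, $username), $password);
}

// Constructed fake directory (DN => password). Like many real servers it
// "accepts" an empty password for any DN it knows, i.e. an unauthenticated bind.
$directory = [
    'uid=alice,dc=example,dc=com'            => 's3cret',
    'uid=backup,ou=system,dc=example,dc=com' => 'b4ckup',   // must not log in via the form
];
$fakeBind = static function (string $dn, string $password) use ($directory): bool {
    if (!array_key_exists($dn, $directory)) {
        return false;
    }
    return $password === '' || hash_equals($directory[$dn], $password);
};

$template = 'uid={username},dc=example,dc=com';
$cases = [
    ['alice', 's3cret'],             // valid login
    ['alice', 'wrong'],              // wrong password
    ['backup,ou=system', 'b4ckup'],  // DN injection attempt: escaped, so no such entry
    ['alice', ''],                   // empty password: refused before any bind
];
foreach ($cases as [$user, $pass]) {
    $naiveDn = str_replace('{username}', $user, $template);   // what an unescaped substitution would bind as
    try {
        $result = authenticateByBind($template, $user, $pass, $fakeBind) ? 'OK' : 'denied';
    } catch (InvalidArgumentException $e) {
        $result = 'rejected: ' . $e->getMessage();
    }
    printf("%-18s -> %s\n    escaped DN: %s\n    unescaped : %s\n", $user, $result, buildBindDn($template, $user), $naiveDn);
}
// The empty-password guard exists because the server side would have said yes:
printf("raw bind as alice with empty password: %s\n", var_export($fakeBind('uid=alice,dc=example,dc=com', ''), true));
```

Run it with `php example.php`. The third case is the one to look at: unescaped, the login name `backup,ou=system` would produce the DN `uid=backup,ou=system,dc=example,dc=com` and bind successfully as an account the form was never meant to accept; escaped, it becomes `uid=backup\2cou\3dsystem,dc=example,dc=com`, which names no entry. The last case never reaches the bind at all, even though the fake server (like a directory that allows unauthenticated binds) would have answered "success".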