LDAP Auth Only (No Database Synchronization)

[ozza]

Hello,

First, I want to thank you for your hard work for making such a useful library and I'd like to tell that I can be considered as both a Laravel and a LDAP newbie.

I am currently trying to make a simple user interface which will allow the LDAP users to change their attributes (password, telephone, address etc..) There is an OpenLDAP server already actively using by the company.

• The company doesn't want to add the web server into the domain which the application will run on. Is there any way to configure adldap2-laravel to connect the server by using the server's IP address? I tried official PHP-Ldap library to test if I can bind the admin user and fetch some data and I successfully achieved it. But I couldn't figure out where to configure the server's IP address in the adldap2-laravel library or it is not even possible.
• Second question is; is it possible to authenticate users by only LDAP database? I made a search through the issues and read the guides. It seems we need a User model and a database for the adldap2-laravel working. I want to achieve my goal by like;
  • Post user credentials from UI (uid an password)
  • Check credentials from the LDAP database
  • If matches, log the user in and allow the user to see and change his/her attributes

Sorry for the long post. It will be very appreciated if you can enlighten me. Thanks again.

[ozza]

Hello again,

I just solved my first question by reading adldap2 documentation (yeah I missed that, sorry). But the second question is still confuses me.

[stevebauman]

Hi @ozza, your second question is related to https://github.com/Adldap2/Adldap2-Laravel/issues/91#issuecomment-216922475.

At the moment this isn't possible, but it's definitely a requested feature that I'll certainly explore.

The only solution I see is to have separate configuration files and service providers per authentication method. I'm hoping having the availability of two authentication providers and configuration files doesn't become too messy.

I'll see what I can do!

[ozza]

Thank you for your answer @stevebauman.

I will be expecting to hear new enhancements from you.

[stevebauman]

Hi @ozza, I think some things need to be discussed for this to be possible.

The biggest hurdle here, is how would session persistence of the user actually work without re-binding to the server on every request?

For example, the retrieveById() method is used on every request when a user is authenticated:

https://github.com/Adldap2/Adldap2-Laravel/blob/master/src/AdldapAuthUserProvider.php#L26

If we don't have an already bound connection to the LDAP server, how can we perform a search on it to verify the user exists and return an Authenticatable object instance?

https://github.com/illuminate/auth/blob/master/Authenticatable.php

We could store Adldap\Models\User in the session, but that may pose a security issue as all the user data would be stored in a file or database, serialized.

Not to mention, we can't change any user attributes with this serialized instance (remember, we don't have a persistent connection with the LDAP server after the authentication request).

This feature sounds great, but I'm just not sure how this could be implemented without having a connection to the LDAP server.

This would be like having no connection to your MySQL database when performing regular Laravel authentication. How would you authenticate to the MySQL server on the fly without requiring any credentials first to gain access?

There's two ways to go here:

• I can implement the ability to authenticate without admin credentials specified in the configuration (database required)

Or

• I can implement the ability to authenticate with admin credentials specified in the configuration (no database required)

[ozza]

Hello @stevebauman, it's great to hear from you this quick!

To be honest my knowledge about the whole thing (PHP, Laravel, LDAP) is far lower from yours. Even so I tried to understand your response. If I got it wrong please don't be upset.

What I understand is; we need App\User for creating a session and if we made an LDAP request (search, update, etc..) we re-bind our LDAP connection with admin credentials. That makes sense.

What I don't understand is the database sync. feature. So far I can't manage to get the package fully working. I think I made the configuration well (adldap.php and adldap_auth.php). The code below is working fine;

Route::get('/test', function(){
    if(Adldap::auth()->attempt("uid=ttest,dc=test,dc=local", "secret", $bindAsUser = true)) {
        return Adldap::search()->where('uid', '=', 'ttest')->get();
    }
    return 'nah';
});

But when I try to login from the login page (which I created by using make:auth command), I'm getting an "Invalid Credentials" error. I read the "Auth login in LDAP #117" and tried to integrate a similar solution but still no luck.. So, currently I have no idea what will this library allow me to do. Can I log all the LDAP users in by using their own credentials? Can they change their attributes? etc..

I'm ok with using administrator credentials for this, as for your question. But can't put App\User model and session management topics anywhere right now.

I know I'm not much of helping and some deflected your point, but as I said, still trying to understand.

Thanks

P.S: I will make a total dummies example after I understand and get working it.

[barbuslex]

I need just LDAP Auth Only in my inc. it will be userfull to disable database synchronisation with a parameter in adldap_auth.php for exemple.

[stevebauman]

PR @barbuslex?

[barbuslex]

@stevebauman I just need the feature i dont have this one ^^

[barbuslex]

I have found a way to implement this feature. In WindowsAuthenticate.php file if I comment this line $this->saveModel($model); the user is not created in database. I will investigate further.

[barbuslex]

@stevebauman PR Send! ;) I'm not sure that's the right way to do but it has the merit of work.

[barbuslex]

Anyone have an idea to improving my PR #170 ?

[karakayasemi]

We should try to use Session. What is the insecurity issue on session?

[barbuslex]

@stevebauman I have see it in recent commits : https://github.com/Adldap2/Adldap2-Laravel/commit/8f565d3546c668fb91682e3f797bd622fc9697ac

When the v3.0.0 will be available ? Is it possible to get it (even in alpha/beta version) ?

[stevebauman]

Hi @barbuslex, v3.0 should be available in the coming days. Just working on documentation and more tests.

You can use the NoDatabaseProvider right now by inserting "adldap2/adldap2": "dev-master" in your composer.json file and performing a composer update.

Keep in mind you'll need to delete your adldap_auth.php config file and republish the configuration.

[barbuslex]

Thanks so much @stevebauman ;)

[stevebauman]

No problem! :)

EDIT: Also, keep in mind, after authentication, using Auth::user() will return an instance of Adldap\Models\User. Documentation is coming for this provider.

[karakayasemi]

I am trying to use new NoDatabaseUserProvider, Auth::user()->name is array instead of string. Because of that, it gives me this error: ErrorException in helpers.php line 519: htmlspecialchars() expects parameter 1 to be string, array given. When i change view caches related line Auth::user()->name as Auth::user()->name[0] it is working. Am i missing an option or is it a bug?

[stevebauman]

@karakayasemi

Am i missing an option or is it a bug?

No, this is intended. This is because it's returning an instance of `Adldap\Models\User'. Not a laravel eloquent model.

Remember, all LDAP attributes are kept inside arrays (due to AD's multi-valued nature), so accessing an attribute dynamically from an Adldap model will always result in an array. You can always use getters instead if you'd prefer:

Auth::user()->getCommonName();

// Or dynamically:

Auth::user()->cn[0];

// Or:

Auth::user()->getFirstAttribute('cn');

[karakayasemi]

Thx @stevebauman , i just used custom laravel auth views. Then i will change it.

[ozzargueyo]

Hi I'm trying to achieve what @ozza said at the beginning of this issue -> now a future enhancement. I only need Ldap Authentication for my application. I don't have a User Eloquent Model. I just need to check the ldap user credentials and store in a kind of "Auth:user()" the ldap information of that user. especially the memberof information. I read that I need a custom AuthUserProvider and a custom Guard. I tried to understand how all this work together following this https://jamesmcfadden.co.uk/custom-authentication-in-laravel-with-guards-and-user-service-providers. But again i don't have a user model, and I can't have it.

So far I could make the connection to tha ldap server and <

if (Adldap::auth()->attempt($username, $password)) {
    // $user = Auth::user(); This doesn't work give a provider not found error
   //But this does 
  // Finding a user.
   $user = Adldap::search()->users()->find('john doe');
   //How can i log in this $user. and then can make an Aut::user() . Also the  Adlapd::auth()->user() is not working.

}

}>

Hope anyone can give me a tip of how to solve this situation.

Thanks

[ozzargueyo]

I need to said that my version of Adldap2-laravel is dev-master so i can use the Adldap\Laravel\Auth\NoDatabaseUserProvider::class.

[jotaelesalinas]

@ozza @barbuslex @karakayasemi @ozzargueyo For those who only need allowed/rejected authentication from LDAP, with no user management and no admin required, this might be useful: jotaelesalinas/laravel-simple-ldap-auth.

[stevebauman]

@jotaelesalinas This already exists in Adldap2. You just need to switch the provider inside your config/adldap_auth.php file...

[jotaelesalinas]

@stevebauman Really? No admin user required to connect to LDAP? That was the only reason to write the tutorial, and I forgot to write it in the comment!

[stevebauman]

@jotaelesalinas Sorry! Misread your comment. I only read "For those who only need allowed/rejected authentication from LDAP, with no user management". Not the "and no admin required". You're correct, the other provider still requires a user account for binding prior to authentication.

That's what I get for skimming through comments too fast ;)

[jotaelesalinas]

To be honest, I added "and no admin required" after reading your comment! 😅 Sorry. BTW, thank you very much for Adldap2 and Adldap2-Laravel. They really are great libraries.

[jotaelesalinas]

Dear @anukwgl , I just followed the steps again from scratch, one by one, and it worked. Did you try from scratch or with a pre-existing Laravel installation? Should we have this conversation somewhere else, so we don't "pollute" this thread?

[rhellow]

Hello @stevebauman ! I'm using @jotaelesalinas package. I think she's using yours too. I would like to use Laravel Authentication with Windows ActiveDirectory but without Database. I installed the package. I am able to connect to my AD using the command, php artisan adldap:import. However, when I try to login, it keeps saying that my credentials are not correct. Please help me! login_ad.zip