Adldap2 / Adldap2-Laravel

LDAP Authentication & Management for Laravel
MIT License

Unable to auth user with a NoDatabaseUserProvider #664

Open MoiseScalzo opened 5 years ago

MoiseScalzo commented 5 years ago

Description:

I'm trying to log in with an email address (as userprincipalname) and password in a NoDatabaseUserProvider configuration, but Auth::attempt() always returns false. On the other hand, Adldap::auth()->attempt($request->userprincipalname, $request->password, $bindAsUser = true); returns true, and Adldap::search()->findBy('userprincipalname', $username) also works correctly. So, where am I wrong? :( Thank you in advance.

config/auth.php

'providers' => [
    'users' => [
        'driver' => 'ldap', // Adldap2-Laravel user provider
    ],
],

'guards' => [
    'web' => [
        'driver'   => 'session',
        'provider' => 'users',
    ],

    'api' => [
        'driver'   => 'token',
        'provider' => 'users',
    ],
],

config/ldap_auth.php

'provider' => Adldap\Laravel\Auth\NoDatabaseUserProvider::class,
'model'    => App\User::class,

'rules' => [
    Adldap\Laravel\Validation\Rules\DenyTrashed::class,
],

'scopes' => [
    Adldap\Laravel\Scopes\UpnScope::class,
],

'usernames' => [
    'ldap' => [
        'discover'     => 'userprincipalname', // attribute used to locate the user
        'authenticate' => 'password',          // attribute whose value is passed to ldap_bind() as the username
    ],

    'eloquent' => 'username',

    'windows' => [
        'discover' => 'samaccountname',
        'key'      => 'AUTH_USER',
    ],
],

App\Http\Controllers\Auth\LoginController

<?php

namespace App\Http\Controllers\Auth;

use Adldap\Laravel\Facades\Adldap;
use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class LoginController extends Controller
{
    // Name of the login form field that carries the username.
    public static function username()
    {
        return 'userprincipalname';
    }

    protected function login(Request $request)
    {
        $credentials = [
            'userprincipalname' => $request->userprincipalname,
            'password'          => $request->password,
        ];

        if (Auth::attempt($credentials)) {
            // not working
        }

        // Third argument: bind to the directory as the user rather than the configured admin account.
        if (Adldap::auth()->attempt($request->userprincipalname, $request->password, true)) {
            // it works
        }
    }
}

login.blade.php

{{-- Error key and old() key match the field name returned by LoginController::username() --}}
<input id="username" type="email" class="form-control{{ $errors->has('userprincipalname') ? ' is-invalid' : '' }}" name="userprincipalname" value="{{ old('userprincipalname') }}" required autofocus />
<input id="password" type="password" class="form-control{{ $errors->has('password') ? ' is-invalid' : '' }}" name="password" required>
MoiseScalzo commented 5 years ago

UPDATE: maybe I've solved changing this:

'ldap' => [
    'discover'     => 'userprincipalname',
    'authenticate' => 'password',
],

to this:

'ldap' => [
    'discover'     => 'userprincipalname',
    'authenticate' => 'userprincipalname',
],

can you confirm that is the right way?

stevebauman commented 5 years ago

Hi @MoiseScalzo,

This is definitely the right way when using ActiveDirectory. The authenticate value is the attribute whose value is used as the user's username when calling ldap_bind() on your configured LDAP connection. Setting it to password won't work.

For example, in ActiveDirectory, a user's Distinguished Name or User Principal Name can be used as the username to bind to ActiveDirectory servers:

// $conn is the handle returned by ldap_connect().

// Using UPN:
$userPrincipalName = 'jdoe@acme.org';

ldap_bind($conn, $userPrincipalName, 'secret-password');

// Using DN:
$dn = 'cn=John Doe,ou=Users,dc=acme,dc=org';

ldap_bind($conn, $dn, 'secret-password');

So you can actually use either distinguishedname or userprincipalname as the value for the authenticate option. They will both work.

I hope I made it more understandable!

Are you able to successfully login now?
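The two-step flow described above (locate the entry by the `discover` attribute, then bind as the value of the `authenticate` attribute) as an added, self-contained example. This is not Adldap2's own code: the in-memory `DIRECTORY`, the `discover()`, `bindUsername()` and `attempt()` helpers, and the `$fakeBind` stand-in for `ldap_bind()` are all constructed for the example so it runs without a server. It shows why `'authenticate' => 'password'` can never succeed (the entry has no such attribute, so there is nothing to bind as), that `userprincipalname` and `distinguishedname` both work, and one check a practitioner should keep regardless of provider: refuse an empty password before binding, because an empty password makes `ldap_bind()` an unauthenticated bind that many servers accept.

```php
<?php
// Added example (not Adldap2-Laravel's code). Models the NoDatabaseUserProvider
// `discover` / `authenticate` settings against a constructed in-memory directory.

// Constructed sample entries, keyed the way an LDAP result is (lowercase attribute names).
const DIRECTORY = [
    [
        'distinguishedname' => 'cn=John Doe,ou=Users,dc=acme,dc=org',
        'userprincipalname' => 'jdoe@acme.org',
        'samaccountname'    => 'jdoe',
    ],
];

/** Return the entry whose $discoverAttr equals $username, or null if none matches. */
function discover(string $discoverAttr, string $username): ?array
{
    foreach (DIRECTORY as $entry) {
        if (isset($entry[$discoverAttr]) && strcasecmp($entry[$discoverAttr], $username) === 0) {
            return $entry;
        }
    }
    return null;
}

/** Return the value of $authenticateAttr on $entry (the bind username), or null if absent. */
function bindUsername(array $entry, string $authenticateAttr): ?string
{
    return $entry[strtolower($authenticateAttr)] ?? null;
}

/**
 * Run the lookup-then-bind flow. $binder has the ldap_bind() signature
 * ($conn, string $dn, string $password): bool so it can be swapped for a
 * stand-in here; pass 'ldap_bind' and a real connection in production.
 */
function attempt(array $config, string $username, string $password, callable $binder, $conn = null): bool
{
    // Empty password => unauthenticated bind (RFC 4513 section 5.1.2), which
    // servers may accept. Reject it before it can ever count as a login.
    if ($username === '' || $password === '') {
        return false;
    }

    $entry = discover($config['discover'], $username);
    if ($entry === null) {
        return false;
    }

    $bindAs = bindUsername($entry, $config['authenticate']);
    if ($bindAs === null || $bindAs === '') {
        // The failure mode from the issue: 'authenticate' => 'password' names an
        // attribute the entry does not have, so there is no username to bind with.
        return false;
    }

    return $binder($conn, $bindAs, $password);
}

// Constructed stand-in for ldap_bind(): accepts the UPN or the DN with the right password.
$fakeBind = function ($conn, string $dn, string $password): bool {
    $known = ['jdoe@acme.org', 'cn=John Doe,ou=Users,dc=acme,dc=org'];
    return in_array($dn, $known, true) && $password === 'secret-password';
};

$broken = ['discover' => 'userprincipalname', 'authenticate' => 'password'];
$fixed  = ['discover' => 'userprincipalname', 'authenticate' => 'userprincipalname'];
$byDn   = ['discover' => 'userprincipalname', 'authenticate' => 'distinguishedname'];

var_dump(attempt($broken, 'jdoe@acme.org', 'secret-password', $fakeBind));
var_dump(attempt($fixed,  'jdoe@acme.org', 'secret-password', $fakeBind));
var_dump(attempt($byDn,   'jdoe@acme.org', 'secret-password', $fakeBind));
var_dump(attempt($fixed,  'jdoe@acme.org', '',                $fakeBind));
```

Run with `php example.php`: the first call fails because the `password` attribute does not exist on the entry, the second and third succeed because the UPN and the DN are both valid bind names, and the last fails on the empty-password guard even though the user exists. In real code the `$fakeBind` closure is replaced by `'ldap_bind'` with the connection from `ldap_connect()`, and `discover()` by the provider's LDAP search; the ordering of the checks stays the same.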

MoiseScalzo commented 5 years ago

Hi @stevebauman, thank you very much for the clarification. Login now works correctly. Thanks.