DerManoMann / ldap-auth-service-provider

A Silex Ldap authentication service provider
MIT License

Personalize role mapping #18

Open matracine opened 8 years ago

matracine commented 8 years ago

With my OpenLDAP schema, group mapping is not done with the "memberof" attribute in the user object. The mapping is done like that:

matracine commented 8 years ago

Having also a protected method to retrieve the default options would be great. This would permit setting the default search filter in the class.

DerManoMann commented 8 years ago

If there are multiple standard ways (I assume memberof and posixGroup are standard schemes) wouldn't it be better to have a RoleResolverInterface and custom implementations that can be used? I suppose in more complex scenarios additional LDAP queries might be necessary too, right?

matracine commented 8 years ago

I think you're right. I'm a pretty newbie in Silex/Symfony development so I didn't know this interface. I will take a look at it. I'm an old school developer so derivation is more natural for me ;)

matracine commented 8 years ago

Again I think you're right, but just for fun, I've pushed a branch new_methods in my repo. It's quite simple and works perfectly. https://github.com/matracine/ldap-auth-service-provider/tree/new_methods/src/Security/Core/User

DerManoMann commented 8 years ago

Looks reasonable. The interface doesn't exist - it's something I made up, but by doing that all that is required would be to pass in a custom implementation in the config rather than extending code.

Say,

interface RoleResolverInterface {
    public function getRoles(array $data);
}

and then there would be another config option:

    'roleResolver' => 'Radebatz\\Silex\\LdapAuth\\Security\\Core\\User\\LdapMemberOfRoleResolver',

and the user provider would do:

$roleResolverClass = $this->options['roleResolver'];
$roleResolver = new $roleResolverClass();
$roles = $roleResolver->getRoles($userData);

The advantage, IMO, is that it would even allow using multiple resolvers (chain them) and other custom processing.

Let me think a little more about it, though...
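The design sketched above, worked through as an added example (not code from this repository or from either participant): a RoleResolverInterface, a memberof-based resolver, a chaining resolver, and the instantiation-from-config step with a check that the configured class really implements the interface before it is trusted to assign roles. All class names and the sample LDAP entry are hypothetical.

```php
<?php
// Added example, not the project's code. Names are hypothetical.

interface RoleResolverInterface
{
    /** @param array $data raw LDAP attributes of the authenticated user */
    public function getRoles(array $data): array;
}

class LdapMemberOfRoleResolver implements RoleResolverInterface
{
    public function getRoles(array $data): array
    {
        // LDAP attribute names are case-insensitive; accept either spelling.
        $values = $data['memberof'] ?? $data['memberOf'] ?? [];
        $roles = [];
        foreach ((array) $values as $dn) {
            if (!is_string($dn)) { continue; } // skip ldap_get_entries() 'count' key
            // First RDN of "cn=admins,ou=groups,dc=example,dc=com" is the group name.
            if (preg_match('/^cn=([^,]+)/i', $dn, $m)) {
                $roles[] = 'ROLE_' . strtoupper(preg_replace('/[^A-Za-z0-9]+/', '_', $m[1]));
            }
        }
        return $roles;
    }
}

class ChainRoleResolver implements RoleResolverInterface
{
    /** @var RoleResolverInterface[] */
    private $resolvers;
    public function __construct(array $resolvers) { $this->resolvers = $resolvers; }
    public function getRoles(array $data): array
    {
        $roles = [];
        foreach ($this->resolvers as $r) { $roles = array_merge($roles, $r->getRoles($data)); }
        return array_values(array_unique($roles));
    }
}

// What the user provider would do with a 'roleResolver' option. The instanceof
// check stops a misconfigured class name from silently deciding authorization.
$options = ['roleResolver' => LdapMemberOfRoleResolver::class];
$roleResolverClass = $options['roleResolver'];
$roleResolver = new $roleResolverClass();
if (!$roleResolver instanceof RoleResolverInterface) {
    throw new \InvalidArgumentException('roleResolver must implement RoleResolverInterface');
}
// Constructed sample entry in ldap_get_entries() shape.
$userData = ['uid' => ['count' => 1, 0 => 'jdoe'],
             'memberof' => ['count' => 2, 0 => 'cn=admins,ou=groups,dc=example,dc=com',
                                          1 => 'cn=dev team,ou=groups,dc=example,dc=com']];
var_dump((new ChainRoleResolver([$roleResolver]))->getRoles($userData));
```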

matracine commented 8 years ago

Hello. After thinking and testing around, I think you're right about the RoleResolver. But I think also that it is necessary to have specialized Ldap(Posix|whatElse)?User, Ldap(Posix|whatElse)?Group, Ldap(Posix|whatElse)?UserProvider, and Ldap(Posix|whatElse)?RoleResolver that mask the inner structure of the ldap and could be overridden easily. For that, in the constructors, a getDefaultOptions() call is necessary to override options in specialized classes.