laminas / laminas-authentication

provides an API for authentication and includes concrete authentication adapters for common use case scenarios
https://docs.laminas.dev/laminas-authentication/
BSD 3-Clause "New" or "Revised" License

Login with Mail Address and LDAP fallback #4

Open weierophinney opened 4 years ago

weierophinney commented 4 years ago

Hello, for internal user authentication we will use the LDAP Adapter and for external users the Zend DB Adapter. All external users use the mail address as username. Also with the LDAP Adapter we will use the email address as username. We have more external than internal users.

  1. What could the login scheme look like?
  2. LDAP as fallback adapter?
  3. But how can we make sense that the LDAP also uses the mail address for the login? (first LDAP search and then bind with DN?)

<?php

use Zend\Authentication\Adapter\AdapterInterface;
use Zend\Authentication\AuthenticationService as ZendAuthenticationService;
use Zend\Authentication\Result;

// AuthenticationServiceInterface and UserEntity are the application's own classes
// (not part of zend-authentication); they are referenced as posted.
class AuthenticationService extends ZendAuthenticationService implements AuthenticationServiceInterface
{
    /**
     * Authentication fallback adapter
     *
     * @var AdapterInterface|null
     */
    private $fallbackAdapter = null;

    /**
     * @param AdapterInterface $adapter
     * @return $this
     */
    public function setFallbackAdapter(AdapterInterface $adapter)
    {
        $this->fallbackAdapter = $adapter;
        return $this;
    }

    /**
     * @return AdapterInterface|null
     */
    public function getFallbackAdapter()
    {
        return $this->fallbackAdapter;
    }

    /**
     * Authenticate against the given adapter, or the configured fallback adapter.
     *
     * @param AdapterInterface|null $fallbackAdapter
     * @return Result
     * @throws \RuntimeException when no fallback adapter is available
     */
    public function fallbackAuthenticate(AdapterInterface $fallbackAdapter = null)
    {
        if (!$fallbackAdapter) {
            $fallbackAdapter = $this->getFallbackAdapter();
        }

        if (!$fallbackAdapter) {
            throw new \RuntimeException('No fallback adapter configured');
        }

        $result = $fallbackAdapter->authenticate();

        // Mirror parent::authenticate(): persist the identity so hasIdentity()
        // and getIdentity() see a fallback login on later requests.
        if ($result->isValid()) {
            $this->getStorage()->write($result->getIdentity());
        }

        return $result;
    }

    /**
     * Return the stored identity, or a guest placeholder when nobody is logged in.
     *
     * @return mixed
     */
    public function getIdentity()
    {
        if ($this->hasIdentity()) {
            $user = parent::getIdentity();
        } else {
            $user = new UserEntity();
            $user->setId(0);
            $user->setUsername('Gast');
            $user->setRole('guest');
        }

        return $user;
    }
}

@heiglandreas


Originally posted by @mano87 at https://github.com/zendframework/zend-authentication/issues/31

weierophinney commented 4 years ago

Regarding your 3rd Question: You should always first bind with a known user to the LDAP, then search for the user that tries to log in with the provided information and then (re)bind to the ldap with the DN of the found user and the provided password.

That way you are

a) LDAP-compliant and b) have the possibility to use any (unique) attribute to identify a user.

I'm using that so users can use their email address or their UID to log into the systems.

Have a look at a plain PHP implementation here


Originally posted by @heiglandreas at https://github.com/zendframework/zend-authentication/issues/31#issuecomment-312181076
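The search-then-bind flow described in the comment above (bind as a known service account, look the user up by mail, re-bind as the found DN with the supplied password), as an added example that is not the library's code, the commenter's gist, or anything from the original thread: a Laminas\Authentication adapter built on Laminas\Ldap, suitable as the fallback adapter of the service class posted in the first comment. The contents of the option array, the base DN and the `mail` attribute name are assumptions.

```php
<?php
// Added example, not laminas-authentication's own code: an adapter doing the
// search-then-bind flow with Laminas\Ldap. Option keys, base DN and the
// attribute name 'mail' are assumptions for illustration.
use Laminas\Authentication\Adapter\AdapterInterface;
use Laminas\Authentication\Result;
use Laminas\Ldap\Exception\LdapException;
use Laminas\Ldap\Filter;
use Laminas\Ldap\Ldap;

final class MailSearchBindAdapter implements AdapterInterface
{
    public function __construct(
        private array $ldapOptions, // must carry the service account as 'username'/'password'
        private string $baseDn,
        private string $mail,
        private string $password
    ) {
    }

    public function authenticate(): Result
    {
        // An empty password must never reach bind(): many directories treat it as an
        // anonymous bind that "succeeds" for any DN, whatever allowEmptyPassword says.
        if ($this->password === '') {
            return new Result(Result::FAILURE_CREDENTIAL_INVALID, null, ['Empty password']);
        }
        $ldap = new Ldap($this->ldapOptions);
        try {
            $ldap->bind();                       // 1. bind with the known service account
            // 2. look the user up by mail; Filter::equals() escapes the value, so the
            //    user-supplied address cannot change the filter structure. '1.1' = no attributes.
            $entries = $ldap->search(Filter::equals('mail', $this->mail), $this->baseDn, Ldap::SEARCH_SCOPE_SUB, ['1.1']);
            if ($entries->count() === 0) {
                return new Result(Result::FAILURE_IDENTITY_NOT_FOUND, null, ['No entry for this mail address']);
            }
            if ($entries->count() > 1) {
                return new Result(Result::FAILURE_IDENTITY_AMBIGUOUS, null, ['Mail address is not unique']);
            }
            $dn = $entries->getFirst()['dn'];
            $ldap->bind($dn, $this->password);   // 3. re-bind as the found DN with the user's password
            return new Result(Result::SUCCESS, $dn);
        } catch (LdapException $e) {             // wrong password, locked account, unreachable server
            return new Result(Result::FAILURE_CREDENTIAL_INVALID, null, [$e->getMessage()]);
        } finally {
            $ldap->disconnect();
        }
    }
}
```

Returning a generic FAILURE_CREDENTIAL_INVALID for every bind error keeps the response identical for wrong passwords and other server-side refusals, while the distinct NOT_FOUND and AMBIGUOUS codes stay internal to the application's logging.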

weierophinney commented 4 years ago

From what I've seen right now in Zend\Authentication\Adapter\Ldap that's not an LDAP-Adapter but an AD-Adapter (or an adapter where all users are known to be part of one subtree) as the described way of authentication via retrieve user after a bind with a privileged user doesn't seem to be supported… Or I'm missing it ATM…

So it looks to me as there's a complete authentication-adapter missing. And that's the one you're looking for…


Originally posted by @heiglandreas at https://github.com/zendframework/zend-authentication/issues/31#issuecomment-312183409

weierophinney commented 4 years ago

I've hacked together a gist that might help you create a solution. Take care, it's not been tested!!


Originally posted by @heiglandreas at https://github.com/zendframework/zend-authentication/issues/31#issuecomment-312191510