Open Xeyos88 opened 7 years ago
If you want to force the sAMAccountName for authentication you could change the bind_format
of your connection:
```yaml
# app/config/config.yaml
ldap_tools:
    domains:
        example:
            domain_name: example.local
            username: foo
            password: secret
            # Force it to use the sAMAccountName, double '%' to escape symfony params...
            bind_format: "example\\%%username%%"
```
At least I think that should work fine.
With the \ character in the bind_format I have an error of invalid YAML. I'll do some tests. If I continue to make mistakes I will post my configuration to ask for help.
Sorry about that, need double backslash to escape it in YAML. Just corrected my example.
Works perfectly, thx. It also works with anonymous bindings; the username and password parameters are superfluous.
Could you please give some more details on what you're talking about? It should not accept an anonymous bind on login.
This is my configuration, without username and password parameters, and it works.

```yaml
domains:
    example:
        bind_format: "domain\\%%username%%"
        domain_name: host
        base_dn: "OU=Example,DC=test,DC=ex,DC=ex,DC=com"
        servers: ["server_ip"]
```
What does your Symfony security config look like? I cannot replicate that using the same config on a Symfony app on my test domain. I've also double-checked a few spots in the code and cannot think how the logic could go wrong. Though obviously it's possible I overlooked something.
Any update on this @Xeyos88? I'd need the security config to help you any further. The only things I can think of are a possible issue in access_control, or you're chaining user providers and possibly fall through to a separate authentication provider unrelated to the LDAP one. There's a lot of factors that could cause something like this to go wrong.
The LdapTools authentication mechanism prohibits anonymous binds unless explicitly told not to:
https://github.com/ldaptools/ldaptools/blob/master/src/LdapTools/Operation/Handler/AuthenticationOperationHandler.php#L74
https://github.com/ldaptools/ldaptools/blob/master/src/LdapTools/Operation/AuthenticationOperation.php#L190
Sorry for the delay. My security config:

```yaml
security:
    hide_user_not_found: false
    encoders:
        AppBundle\Entity\User: plaintext
    role_hierarchy:
        ROLE_ADMIN: [ROLE_USER, ROLE_MODERATOR]
        ROLE_SUPER_ADMIN: ROLE_ADMIN
        ROLE_MODERATOR: ROLE_USER
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username
        in_memory:
            memory: ~
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            form_login:
                csrf_token_generator: security.csrf.token_manager
                provider: fos_userbundle
                login_path: homepage
                check_path: fos_user_security_check
            guard:
                authenticators:
                    - ldap_tools.security.ldap_guard_authenticator
            logout: true
            anonymous: true
    access_control:
        - { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
```
Your access control list is allowing basically anything. I think you'd want to use:

```yaml
access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, roles: ROLE_USER }
```

Assuming you want to login-protect the whole site anyway. Also, are you only expecting to load users from FOSUserBundle, but still always authenticate them with LDAP? Or are you trying to mix it so authentication can occur with FOSUserBundle or LDAP?
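The reason the original `access_control` let an unauthenticated user through everywhere is that Symfony evaluates the rules top to bottom and the first rule whose `path` regex matches decides the required role; a single `^/` rule granting `IS_AUTHENTICATED_ANONYMOUSLY` therefore covers every URL. The following added Python script (not part of the bundle or of this thread) models that first-match evaluation over the two rule sets quoted above, and also shows that the corrected rules only work in the stated order. Role hierarchy is deliberately not modelled.

```python
import re

# Constructed model of Symfony access_control: rules are scanned in order and
# the FIRST rule whose `path` regex matches the request path wins. Symfony
# runs the pattern unanchored (preg_match), so re.search is the right call.
ANONYMOUS = "IS_AUTHENTICATED_ANONYMOUSLY"

# The two rule sets discussed in the thread.
ORIGINAL_RULES = [
    {"path": r"^/", "roles": ANONYMOUS},
]
CORRECTED_RULES = [
    {"path": r"^/login", "roles": ANONYMOUS},
    {"path": r"^/", "roles": "ROLE_USER"},
]


def required_role(rules, path):
    """Role demanded by the first matching rule, or None when no rule matches."""
    for rule in rules:
        if re.search(rule["path"], path):
            return rule["roles"]
    return None  # no matching rule: Symfony imposes no restriction


def is_granted(rules, path, user_roles=frozenset()):
    """True if a visitor holding `user_roles` passes access_control for `path`."""
    role = required_role(rules, path)
    if role is None or role == ANONYMOUS:
        return True
    return role in user_roles


def audit(rules, paths, user_roles=frozenset()):
    """Map each path to whether the visitor (anonymous by default) gets in."""
    return {p: is_granted(rules, p, user_roles) for p in paths}


# Constructed sample paths an anonymous visitor might request.
PATHS = ["/login", "/", "/profile", "/admin/users"]

if __name__ == "__main__":
    print("original :", audit(ORIGINAL_RULES, PATHS))
    print("corrected:", audit(CORRECTED_RULES, PATHS))
    # Swapping the corrected rules puts `^/` first, which also matches /login,
    # so anonymous users can no longer even reach the login form.
    print("reversed :", audit(list(reversed(CORRECTED_RULES)), PATHS))
```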
Authentication is done by LDAP and then user data loaded from FOSUserBundle table.
Then I think you'd want to chain your user provider and get rid of the form_login section. Your providers and firewall section would look like:
```yaml
providers:
    chain_provider:
        chain:
            providers: [fos_userbundle, ldap]
    ldap:
        id: ldap_tools.security.user.ldap_user_provider
    fos_userbundle:
        id: fos_user.user_provider.username
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    main:
        pattern: ^/
        provider: chain_provider
        guard:
            authenticators:
                - ldap_tools.security.ldap_guard_authenticator
        logout: ~
        anonymous: ~
```
You'd still need to make the above changes I mentioned to your access_control section.
I tried this configuration for automatic creation of users in the DB after login, but it doesn't work (with the listener class, as in the guide).
Hi, I'm trying to use the bundle for authentication through Active Directory, but I have some difficulty using sAMAccountName for authentication. Could you give me a configuration example? With or without anonymous bind, it is not important.