|
1
|
|
|
<?php |
|
2
|
|
|
|
|
3
|
|
|
namespace Kaliop\IdentityManagementBundle\Adapter\LDAP; |
|
4
|
|
|
|
|
5
|
|
|
use Psr\Log\LoggerInterface; |
|
6
|
|
|
use Symfony\Component\Ldap\LdapClientInterface; |
|
7
|
|
|
use Symfony\Component\Ldap\Exception\ConnectionException; |
|
8
|
|
|
use Kaliop\IdentityManagementBundle\Adapter\ClientInterface; |
|
9
|
|
|
use Symfony\Component\Security\Core\Exception\BadCredentialsException; |
|
10
|
|
|
use Symfony\Component\Security\Core\Exception\AuthenticationServiceException; |
|
11
|
|
|
|
|
12
|
|
|
/** |
|
13
|
|
|
* A 'generic' LDAP Client, driven by configuration. |
|
14
|
|
|
* It should suffice for most cases. |
|
15
|
|
|
* It relies on the Symfony LDAP Component. |
|
16
|
|
|
*/ |
|
17
|
|
|
class Client implements ClientInterface |
|
18
|
|
|
{ |
|
19
|
|
|
protected $ldap; |
|
20
|
|
|
protected $logger; |
|
21
|
|
|
protected $settings; |
|
22
|
|
|
|
|
23
|
|
|
/** |
|
24
|
|
|
* @param LdapClientInterface|LdapClientInterface[] $ldap |
|
25
|
|
|
* @param array $settings |
|
26
|
|
|
* |
|
27
|
|
|
* @todo document the settings |
|
28
|
|
|
*/ |
|
29
|
|
|
public function __construct($ldap, array $settings) |
|
30
|
|
|
{ |
|
31
|
|
|
$this->ldap = $ldap; |
|
32
|
|
|
$this->settings = $settings; |
|
33
|
|
|
} |
|
34
|
|
|
|
|
35
|
|
|
/** |
|
36
|
|
|
* @param LoggerInterface $logger |
|
37
|
|
|
*/ |
|
38
|
|
|
public function setLogger(LoggerInterface $logger) |
|
39
|
|
|
{ |
|
40
|
|
|
$this->logger = $logger; |
|
41
|
|
|
} |
|
42
|
|
|
|
|
43
|
|
|
/** |
|
44
|
|
|
* @param string $username |
|
45
|
|
|
* @param string $password |
|
46
|
|
|
* @return RemoteUser |
|
47
|
|
|
* @throws BadCredentialsException|AuthenticationServiceException |
|
48
|
|
|
*/ |
|
49
|
|
|
public function authenticateUser($username, $password) |
|
50
|
|
|
{ |
|
51
|
|
|
if ($this->logger) $this->logger->info("Looking up remote user: '$username'"); |
|
52
|
|
|
|
|
53
|
|
|
$ldaps = is_array($this->ldap) ? array_values($this->ldap) : array($this->ldap); |
|
54
|
|
|
$i = 0; |
|
55
|
|
|
|
|
56
|
|
|
while (true) { |
|
57
|
|
|
|
|
58
|
|
|
$ldap = $ldaps[$i]; |
|
59
|
|
|
$i++; |
|
60
|
|
|
|
|
61
|
|
|
try { |
|
62
|
|
|
$ldap->bind($this->settings['search_dn'], $this->settings['search_password']); |
|
63
|
|
|
$username = $ldap->escape($username, '', LDAP_ESCAPE_FILTER); |
|
64
|
|
|
$query = str_replace('{username}', $username, $this->settings['filter']); |
|
65
|
|
|
if (isset($this->settings['attributes']) && count($this->settings['attributes'])) { |
|
66
|
|
|
$search = $ldap->find($this->settings['base_dn'], $query, $this->settings['attributes']); |
|
67
|
|
|
} else { |
|
68
|
|
|
$search = $ldap->find($this->settings['base_dn'], $query); |
|
69
|
|
|
} |
|
70
|
|
|
|
|
71
|
|
|
} catch (ConnectionException $e) { |
|
|
|
|
|
|
72
|
|
|
if ($this->logger) $this->logger->error(sprintf('Connection error "%s"', $e->getMessage())); |
|
73
|
|
|
|
|
74
|
|
|
if ($i < count($ldaps)) { |
|
75
|
|
|
if ($this->logger) $this->logger->error("Connecting to ldap server $i"); |
|
76
|
|
|
continue; |
|
77
|
|
|
} |
|
78
|
|
|
|
|
79
|
|
|
/// @todo shall we log an error ? |
|
80
|
|
|
throw new AuthenticationServiceException(sprintf('Connection error "%s"', $e->getMessage()), 0, $e); |
|
81
|
|
|
} catch (\Exception $e) { |
|
82
|
|
|
if ($this->logger) $this->logger->error(sprintf('Unexpected error "%s"', $e->getMessage())); |
|
83
|
|
|
|
|
84
|
|
|
throw new AuthenticationServiceException(sprintf('Internal error "%s"', $e->getMessage()), 0, $e); |
|
85
|
|
|
} |
|
86
|
|
|
|
|
87
|
|
|
if (!$search) { |
|
88
|
|
|
if ($this->logger) $this->logger->info("User not found"); |
|
89
|
|
|
|
|
90
|
|
|
throw new BadCredentialsException(sprintf('User "%s" not found.', $username)); |
|
91
|
|
|
} |
|
92
|
|
|
|
|
93
|
|
|
if ($search['count'] > 1) { |
|
94
|
|
|
if ($this->logger) $this->logger->warning('More than one ldap account found for ' . $username); |
|
95
|
|
|
|
|
96
|
|
|
throw new AuthenticationServiceException('More than one user found'); |
|
97
|
|
|
} |
|
98
|
|
|
|
|
99
|
|
|
// always carry out this check, as the data is needed to log in |
|
100
|
|
|
if (!isset($this->settings['ldap_login_attribute']) || !isset($search[0][$this->settings['ldap_login_attribute']][0])) { |
|
101
|
|
|
if ($this->logger) $this->logger->info("Authentication failed for user: '$username', missing attribute used to log in to ldap: " . @$this->settings['ldap_login_attribute']); |
|
102
|
|
|
|
|
103
|
|
|
throw new AuthenticationServiceException('Invalid user profile: missing ldap attribute needed for log-in'); |
|
104
|
|
|
} |
|
105
|
|
|
|
|
106
|
|
|
try { |
|
107
|
|
|
$this->validateLdapResults($search[0]); |
|
108
|
|
|
} catch (\Exception $e) { |
|
109
|
|
|
if ($this->logger) $this->logger->warning("Invalid user profile for user: '$username': ".$e->getMessage()); |
|
110
|
|
|
|
|
111
|
|
|
throw new AuthenticationServiceException('Invalid user profile: '.$e->getMessage()); |
|
112
|
|
|
} |
|
113
|
|
|
|
|
114
|
|
|
if ($this->logger) $this->logger->info("Remote user found, attempting authentication for user: '$username'"); |
|
115
|
|
|
|
|
116
|
|
|
try { |
|
117
|
|
|
$ldap->bind($search[0][$this->settings['ldap_login_attribute']][0], $password); |
|
118
|
|
|
} catch (ConnectionException $e) { |
|
|
|
|
|
|
119
|
|
|
if ($this->logger) $this->logger->info("Authentication failed for user: '$username', bind failed: ".$e->getMessage()); |
|
120
|
|
|
throw new BadCredentialsException('The presented password is invalid.'); |
|
121
|
|
|
} catch (\Exception $e) { |
|
122
|
|
|
if ($this->logger) $this->logger->info("Authentication failed for user: '$username', unexpected ldap error: ".$e->getMessage()); |
|
123
|
|
|
throw new AuthenticationServiceException('Unexpected exception: '.$e->getMessage()); |
|
124
|
|
|
} |
|
125
|
|
|
|
|
126
|
|
|
if ($this->logger) $this->logger->info("Authentication succeeded for user: '$username'"); |
|
127
|
|
|
|
|
128
|
|
|
// allow ldap to give us back the actual login field to be used in eZ. It might be different because of dashes, spaces, case... |
|
129
|
|
|
if (isset($this->settings['login_attribute']) && isset($search[0][$this->settings['login_attribute']][0])) { |
|
130
|
|
|
if ($username != $search[0][$this->settings['login_attribute']][0]) { |
|
131
|
|
|
if ($this->logger) $this->logger->info("Renamed user '$username' to '{$search[0][$this->settings['login_attribute']][0]}'"); |
|
132
|
|
|
|
|
133
|
|
|
$username = $search[0][$this->settings['login_attribute']][0]; |
|
134
|
|
|
} |
|
135
|
|
|
} |
|
136
|
|
|
|
|
137
|
|
|
return new RemoteUser($search[0], $this->settings['email_attribute'], $username, $password); |
|
138
|
|
|
} |
|
139
|
|
|
} |
|
140
|
|
|
|
|
141
|
|
|
/** |
|
142
|
|
|
* To be overridden in subclasses. Validates the ldap results so that later user creation/update shall not fail |
|
143
|
|
|
* @param array $data |
|
144
|
|
|
* @return null |
|
145
|
|
|
* @throw \Exception |
|
146
|
|
|
*/ |
|
147
|
|
|
protected function validateLdapResults(array $data) |
|
|
|
|
|
|
148
|
|
|
{ |
|
149
|
|
|
} |
|
150
|
|
|
} |
|
151
|
|
|
|
kaliop-uk /
ezidentitymanagementbundle
Loading history...
Scrutinizer analyzes your
composer.json/composer.lockfile if available to determine the classes, and functions that are defined by your dependencies.It seems like the listed class was neither found in your dependencies, nor was it found in the analyzed files in your repository. If you are using some other form of dependency management, you might want to disable this analysis.