dongliang1654 2019-03-15 14:20
浏览 105
已采纳

Symfony 3.4覆盖内置LdapUserProvider中的单个方法

I'm trying to grant roles to a user according to their LDAP dn when they log in through the LDAP. To do that, I'd like to override the loadUser method from Symfony\Component\Security\Core\User\LdapUserProvider, but I don't really know how to proceed as, if I understand correctly (I'm quite new at using Symfony :p), it's not a service, but part of one? So, is there a way to override that method easily, or do I need to redefine the whole Ldap service?

What I've tried is:

// app/config/services.yml
[...]
Symfony\Component\Ldap\Ldap:
    arguments: ['@Symfony\Component\Ldap\Adapter\ExtLdap\Adapter']
Symfony\Component\Security\Core\User\LdapUserProvider:
    class: AppBundle\Services\LdapUserProvider
Symfony\Component\Ldap\Adapter\ExtLdap\Adapter:
    arguments:
        - host: '%ldap_host%'
          port: '%ldap_port%'
// src/Services/LdapUserProvider.php
namespace AppBundle\Services;

use Symfony\Component\Ldap\Entry;

class LdapUserProvider extends \Symfony\Component\Security\Core\User\LdapUserProvider {
    protected function loadUser($username, Entry $entry)
    {
        $password = null;

        if (null !== $this->passwordAttribute) {
            $password = $this->getAttributeValue($entry, $this->passwordAttribute);
        }

        return new User($username, $password, array('ROLE_TEST'));
    }
}

But of course it doesn't work and I don't get the ROLE_TEST role.

Thanks by advance!

  • 写回答

1条回答 默认 最新

  • donglan6777 2019-03-15 14:51
    关注

    You can use this tutorial:

    https://medium.com/@devstan/extended-ldap-with-symfony-3-30be6f1a36b1

    and you should create a LdapUser class that implements UserInterface

    1.LDAP user provider

    <?php
    namespace YourAppBundle\Security\User;
    use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
    use Symfony\Component\Security\Core\User\UserInterface;
    use Symfony\Component\Ldap\Entry;
    use Symfony\Component\Security\Core\User\LdapUserProvider as BaseLdapUserProvider;
    class LdapUserProvider extends BaseLdapUserProvider
    {
        /**
         * {@inheritdoc}
         */
        public function refreshUser(UserInterface $user)
        {
            if (!$user instanceof LdapUser) {
                throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
            }
            return new LdapUser($user->getUsername(), null, $user->getRoles(), $user->getLdapEntry());
        }
        /**
         * {@inheritdoc}
         */
        public function supportsClass($class)
        {
            return $class === 'YourAppBundle\Security\User\LdapUser';
        }
        /**
         * {@inheritdoc}
         */
        protected function loadUser($username, Entry $entry)
        {
            $user = parent::loadUser($username, $entry);
            return new LdapUser($username, $user->getPassword(), $user->getRoles(), $entry);
        }
    }
    

    2.LDAP user

        <?php
        namespace YourAppBundle\Security\User;
        use Symfony\Component\Security\Core\User\UserInterface;
        use Symfony\Component\Ldap\Entry;
        class LdapUser implements UserInterface
        {
            const LDAP_KEY_DISPLAY_NAME = 'displayName';
            const LDAP_KEY_MAIL = 'mail';
            protected $username;
            protected $password;
            protected $roles;
            protected $ldapEntry;
            protected $displayName;
            protected $eMail;
            public function __construct($username, $password, array $roles, Entry $ldapEntry)
            {
                if ('' === $username || null === $username) {
                    throw new \InvalidArgumentException('The username cannot be empty.');
                }
                $this->username    = $username;
                $this->password    = $password;
                $this->roles       = $roles;
                $this->ldapEntry   = $ldapEntry;
                $this->displayName = $this->extractSingleValueByKeyFromEntry(
                    $ldapEntry,
                    self::LDAP_KEY_DISPLAY_NAME,
                    $username
                );
                $this->eMail       = $this->extractSingleValueByKeyFromEntry($ldapEntry, self::LDAP_KEY_MAIL);
            }
            public function __toString()
            {
                return (string) $this->getUsername();
            }
            public function getDisplayName()
            {
                return $this->displayName;
            }
            /**
             * @return Entry
             */
            public function getLdapEntry()
            {
                return $this->ldapEntry;
            }
            /**
             * {@inheritdoc}
             */
            public function getRoles()
            {
                return $this->roles;
            }
            /**
             * {@inheritdoc}
             */
            public function getPassword()
            {
                return $this->password;
            }
            /**
             * {@inheritdoc}
             */
            public function getSalt()
            {
            }
            /**
             * {@inheritdoc}
             */
            public function getUsername()
            {
                return $this->username;
            }
            /**
             * {@inheritdoc}
             */
            public function eraseCredentials()
            {
            }
            /**
             * Extracts single value from entry's array value by key.
             *
             * @param Entry       $entry        Ldap entry
             * @param string      $key          Key
             * @param null|string $defaultValue Default value
             *
             * @return string|null
             */
            protected function extractSingleValueByKeyFromEntry(Entry $entry, $key, $defaultValue = null)
            {
                $value = $this->extractFromLdapEntry($entry, $key, $defaultValue);
                return is_array($value) && isset($value[0]) ? $value[0] : $defaultValue;
            }
            /**
             * Extracts value from entry by key.
             *
             * @param Entry  $entry        Ldap entry
             * @param string $key          Key
             * @param mixed  $defaultValue Default value
             *
             * @return array|mixed
             */
            protected function extractFromLdapEntry(Entry $entry, $key, $defaultValue = null)
            {
                if (!$entry->hasAttribute($key)) {
                    return $defaultValue;
                }
                return $entry->getAttribute($key);
            }
        }
    

    3.Services.yml

    we need to define our newly created ldap user provider service

        services:
    
            ...
        app.ldap:
                class: Symfony\Component\Ldap\Ldap
                factory: ['Symfony\Component\Ldap\Ldap', 'create']
                arguments:
                    - 'ext_ldap'
                    - host: '%ldap_host%'
        app.ext_ldap_user_provider:
                    class: YourAppBundle\Security\User\LdapUserProvider
                    arguments:
                        - '@app.ldap'               # LDAP component instance
                        - '%ldap_base_dn%'          # Base dn
                        - '%ldap_search_dn%'        # Search dn
                        - '%ldap_search_password%'  # Search user password
                        - ['ROLE_SUPER_ADMIN']      # Roles
                        - '%ldap_uid_key%'          # LDAP uid key
                        - '%ldap_filter%'           # filter
    

    4.Security.yml

    Here is just an example usage of our provider — the “/ui” will be secured with LDAP.

    security:
         encoders:
    
         ...
         YourAppBundle\Security\User\LdapUser:
                algorithm: bcrypt
                cost: 12
         providers:
    
         ...
            ldap_users:
                id: app.ext_ldap_user_provider
    ...
         firewalls:
             frontend:
                anonymous: ~
                provider: ldap_users
                form_login_ldap:
                    service: app.ldap
                    dn_string: '%ldap_dn_string%'
                    login_path: front-login
                    check_path: front-login
                    default_target_path: /ui
                logout:
                    path: front-logout
                    target: front-login
         access_control:
    
            ...
            - { path: ^/ui/logout, roles: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/ui/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/ui, roles: IS_AUTHENTICATED_FULLY }
    
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥30 微信小程序请求失败,网页能正常带锁访问
  • ¥15 对语音信号进行变调时,间接改变时序从而实现语音变速,进而将变调与变速同时实现、参数合成法换为波形合成法
  • ¥30 德飞莱51单片机实现C4炸弹
  • ¥50 CrossLink-LIF-MD6000 型 FPGA 的 CMOS 转 MIPI D-PHY IP 核功能使用异常
  • ¥15 proteus控制16x16LED点阵显示屏的设计
  • ¥30 求会做山景bp1048b2程序的。做直播声卡用
  • ¥15 求数学建模论文问题指导
  • ¥15 51单片机与数码管实现电子琴
  • ¥15 h3.6m 人类行为预测论文复现
  • ¥50 wordpress项目注册报失败刷新后其实是成功状态,请求排查原因