bhLDAPAuthPlugin - 4.0.2

LDAP authentication plugin for symfony

bhLDAPAuthPlugin

bhLDAPAuthPlugin allows you to use users and groups from an LDAP directory (Only Microsoft Active Directory® for now but you're welcome to add others) for your symfony app's authentication and authorization.

Revision

$Id: README 19144 2009-06-10 21:18:42Z Nathan.Vonnahme $

$HeadURL: http://svn.symfony-project.com/plugins/bhLDAPAuthPlugin/branches/1.2_Doctrine/README $

What it does

bhLDAPAuthPlugin does:

  • give your app a web login form similar to sfGuard's
  • let you allow parts of your app to users based on their membership in AD groups
  • work with Apache on Windows (XAMPP rocks; you will need the Devel package) or Linux (probably also other Unix family OSes including Mac OS X).

It does NOT:

  • provide single sign on/seamless authentication/NTLM/GSSAPI. For that, you can try some of these alternatives. I would start by trying (again) to get symfony to run on IIS (Windows).
  • currently work with LDAP servers other than Microsoft Active Directory®
  • necessarily keep your app from transmitting AD passwords over the network in plain text (use HTTPS for the login!)
  • suck as much as having Yet Another user/group database to maintain

Requirements

  • sfGuardPlugin. Why reinvent the wheel?
  • Your PHP must have OpenLDAP support enabled
  • Microsoft Active Directory®
  • sfSslRequirementPlugin is a good idea but not strictly required (see "enable SSL" below).

Installation

NOTE: Make sure your PHP includes OpenSSL and OpenLDAP support (check phpinfo()). For XAMPP, this blog post was instrumental.

Using symfony plugin install

For production use, you can install the plugins the standard way:

Install the sfGuardPlugin

./symfony plugin:install sfGuardPlugin

Install the bhLDAPAuthPlugin

./symfony plugin:install bhLDAPAuthPlugin

Or, stay up-to-date with svn:externals

For development (potentially for production too, depending on your circumstances) I recommend using svn:externals on your plugins directory to stay in sync with the latest developments. Run this command to edit the svn:externals property on your plugin directory:

svn propedit svn:externals ./plugins

And here are the correct URLs for downloading the latest from each plugin's symfony 1.1 branch:

bhLDAPAuthPlugin/     http://svn.symfony-project.com/plugins/bhLDAPAuthPlugin/branches/1.1/
sfGuardPlugin/        http://svn.symfony-project.com/plugins/sfGuardPlugin/branches/1.1/
sfSslRequirementPlugin/ http://svn.symfony-project.com/plugins/sfSslRequirementPlugin/branches/1.1/

Configuration

1. Configure LDAPAuth.yml

Edit the domain values in your project's config/LDAPAuth.yml (you can start by copying plugins/bhLDAPAuthPlugin/config/LDAPAuth.yml to config/LDAPAuth.yml as an example).

# base for all users and groups
account_suffix      :  "@mydomain"
base_dn             :  "DC=mydomain,DC=mycompany,DC=com"

# An array of domain controllers. Specify multiple controllers if you
# would like the class to balance the LDAP queries amongst multiple servers
domain_controllers:
  - 10.41.16.2
  - 10.41.16.3

2. Rebuild your model.

This adds the Propel object models for tables that sfGuardPlugin needs to your database, even though we won't be using most of them.

symfony propel-build-model
symfony propel-build-sql

Update your database tables by starting from scratch (this deletes all the existing tables, then re-creates them):

symfony propel-insert-sql

Or, you can just create the new tables by using the generated SQL statements in data/sql/plugins.sfGuardAuth.lib.model.schema.sql.

With MySQL, that would be like this:

mysql -uroot -ppassword database < data/sql/plugins.sfGuardPlugin.lib.model.schema.sql

(Don't load the default sfGuardPlugin fixtures)

3. Clear your cache

symfony cc

4. Enable "Remember Me" (optional)

Optionally enable the "Remember Me" filter in apps/frontend/config/filters.yml (great for Intranet apps)

remember_me:
  class: sfGuardRememberMeFilter

security: ~

5. Edit your application's config files

a. settings.yml

Enable the sfGuardAuth and bhLDAPAuth modules under .settings in apps/frontend/config/settings.yml:

all:
  .settings:
    enabled_modules: [..., sfGuardAuth, bhLDAPAuth]

Change the default login and secure modules under .actions in apps/frontend/config/settings.yml:

login_module:           bhLDAPAuth
login_action:           signin

secure_module:          sfGuardAuth
secure_action:          secure

b. app.yml

Tell sfGuard to use the password checker in bhLDAPAuth in apps/frontend/config/app.yml:

all:
  sf_guard_plugin:
    check_password_callable:   [bhLDAP, checkPassword]
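As an added example (not the plugin's own code), this is the kind of check the password callable configured above has to make with the LDAPAuth.yml values: the function name, the `$config` argument and the injectable `$bind` callable are assumptions so the logic can be exercised without a domain controller.

```php
<?php
// Added example, not the plugin's code: the checks a check_password_callable
// such as [bhLDAP, checkPassword] needs to make with the LDAPAuth.yml values.
// The $config argument and the injectable $bind callable are assumptions so the
// logic can be exercised here without a domain controller.

function ldapCheckPassword(string $username, string $password, array $config, ?callable $bind = null): bool
{
    // An LDAP simple bind with an empty password is an "unauthenticated" bind:
    // Active Directory answers it with success, so it must never count as a login.
    if ($password === '') {
        return false;
    }
    // Accept only plain sAMAccountName characters; this rejects a second "@",
    // backslashes or DN syntax smuggled into the login field.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return false;
    }
    // Default binder: connect with ldaps:// so the password is not sent to the
    // domain controller in clear text, then try a simple bind as the user.
    $bind = $bind ?? function (string $host, string $upn, string $pw): bool {
        $ds = ldap_connect("ldaps://$host");
        if ($ds === false) {
            return false;
        }
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
        $ok = @ldap_bind($ds, $upn, $pw);
        ldap_unbind($ds);
        return $ok;
    };
    // account_suffix turns the short name into a UPN, e.g. jdoe@mydomain.
    $upn = $username . $config['account_suffix'];
    // Try each domain controller listed in LDAPAuth.yml until one accepts the bind.
    foreach ($config['domain_controllers'] as $dc) {
        if ($bind($dc, $upn, $password)) {
            return true;
        }
    }
    return false;
}

// Offline demonstration with the README's sample config and a constructed fake
// binder that knows exactly one account.
$config   = ['account_suffix' => '@mydomain', 'domain_controllers' => ['10.41.16.2', '10.41.16.3']];
$fakeBind = fn(string $host, string $upn, string $pw): bool => $upn === 'jdoe@mydomain' && $pw === 'correct horse';

var_dump(ldapCheckPassword('jdoe', 'correct horse', $config, $fakeBind)); // valid credentials
var_dump(ldapCheckPassword('jdoe', '', $config, $fakeBind));              // empty password must be refused
var_dump(ldapCheckPassword('jdoe@other', 'x', $config, $fakeBind));       // malformed username must be refused
```

The empty-password guard matters because sfGuard only sees a boolean from the callable; without it, a blank password submitted with a valid account name would be reported as a successful login.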

c. myUser class

Change the parent class to bhLDAPAuthSecurityUser in apps/frontend/lib/myUser.class.php:

class myUser extends bhLDAPAuthSecurityUser
{
}

6. Apply security to some modules or the whole app

Secure some modules or your entire application in apps/frontend/config/security.yml. Read more about security in chapter 6 of the symfony book.

To require users to log in to access any module of the application,

default:
  is_secure: on

Or, to secure the article module but not the entire app, edit apps/frontend/modules/article/config/security.yml

default:
  is_secure: on

At this point your application (or certain modules) is restricted to users who can supply valid AD credentials.

7. Enable SSL protection of the login form

You don't want your AD credentials flying around the network in clear text, right?

a. Install the sfSslRequirementPlugin into your project's plugin dir (or use the svn:externals method, above).

./symfony plugin:install sfSslRequirementPlugin

b. Complete the installation (editing filters.yml and clearing the cache) according to sfSslRequirementPlugin's README.

c. The bhLDAPAuthPlugin security.yml file already turns SSL on for the signin and login actions.

d. You're done. Now, if you try to access a secure page, you will be redirected to the login page.

Authorization: Granting different permissions to different LDAP groups

Imagine your application is a blog, with articles and comments, and you want the following access scheme:

  • users in the HumanResources Active Directory group can post and edit articles
  • users in the IntranetUsers group can add comments or update their own comments

Now that you have bhLDAPAuth configured, it's easy!

a. Edit the groupMappings section of config/LDAPAuth.yml:

groupMappings:
  #  These settings map symfony credentials to AD groups.
  #  The credentials are applied to actions based on your app's config/security.yml file
  #  See chapter 6 (Inside the Controller Layer) of the book for more about credentials
  reader:
    - IntranetUsers
    - HumanResources
  editor:
    - HumanResources

b. Edit the security.yml file in each of your modules' config directories to limit the actions to users with the appropriate credentials.

For articles, edit apps/myapp/modules/article/config/security.yml, adding a section for each of your article module's actions:

view:
  credentials: reader

list:
  credentials: reader

create:
  credentials: editor

edit:
  credentials: editor

update:
  credentials: editor

For comments, edit apps/myapp/modules/comment/config/security.yml:

view:
  credentials: reader

list:
  credentials: reader

create:
  credentials: reader

edit:
  credentials: reader

update:
  credentials: reader
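As an added example (not the plugin's own code), this shows how the groupMappings above turn a user's AD memberOf values into symfony credentials and how a security.yml credentials requirement is then evaluated; the function names and the sample memberOf values are assumptions.

```php
<?php
// Added example, not the plugin's code: how the groupMappings above turn a user's
// AD memberOf values into symfony credentials, and how a security.yml
// "credentials:" requirement is then evaluated. Function names are assumed.

// AD returns memberOf as full distinguished names; take the CN of the leading RDN.
function groupCnFromDn(string $dn): string
{
    if (preg_match('/^CN=((?:\\\\.|[^,])*)/i', $dn, $m)) {
        return str_replace('\\,', ',', $m[1]);   // unescape a comma inside the name
    }
    return '';
}

// Resolve credentials from the groupMappings structure of LDAPAuth.yml.
function credentialsForUser(array $memberOf, array $groupMappings): array
{
    // AD group names are not case-sensitive, so compare them lower-cased.
    $groups = array_map(fn(string $dn): string => strtolower(groupCnFromDn($dn)), $memberOf);
    $credentials = [];
    foreach ($groupMappings as $credential => $adGroups) {
        foreach ((array) $adGroups as $adGroup) {
            if (in_array(strtolower($adGroup), $groups, true)) {
                $credentials[] = $credential;
                break;   // one matching group is enough for this credential
            }
        }
    }
    return $credentials;
}

// Evaluate a security.yml "credentials" value with symfony 1's documented semantics: a flat list is AND, a nested list ([[a, b]]) is OR.
function hasCredentials($required, array $owned): bool
{
    foreach ((array) $required as $item) {
        $alternatives = is_array($item) ? $item : [$item];
        if (count(array_intersect($alternatives, $owned)) === 0) {
            return false;
        }
    }
    return true;
}

// Constructed sample data matching the blog scenario above.
$groupMappings = ['reader' => ['IntranetUsers', 'HumanResources'], 'editor' => ['HumanResources']];
$hrUser = ['CN=HumanResources,OU=Groups,DC=mydomain,DC=mycompany,DC=com',
           'CN=Domain Users,CN=Users,DC=mydomain,DC=mycompany,DC=com'];
$creds = credentialsForUser($hrUser, $groupMappings);
var_dump(hasCredentials('editor', $creds));                // article/create requirement
var_dump(hasCredentials('reader', $creds));                // comment/create requirement
```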

Thanks

This is all on the shoulders of giants. Besides symfony and sfGuardPlugin, it includes code from the adLDAP PHP library.

Authors

  • Nathan Vonnahme (nathan dot vonnahme at banner health dot com)
  • Todd McNeill ( todd dot mcneill at pmi group dot com )
  • Sam Wilson ( swilson at kahn code labs dot net )

TODO

  • make it also work with non-AD LDAP servers

Changelog

1.0

  • nathan: out of "alpha", releases for symfony 1.0, 1.1, 1.2 and 1.2 with Doctrine.

0.2, 0.3, 0.4, 0.5

  • nathan: doc tweaks (grrr)

0.1

  • nathan: initial release