bhLDAPAuthPlugin - 5.0.1

LDAP authentication plugin for symfony

You are currently browsing
the website for symfony 1

Visit the Symfony2 website

« Back to the Plugins Home


Forgot your password?
Create an account



advanced search
Information Readme Dependencies Releases Changelog Contribute
Show source


bhLDAPAuthPlugin allows you to use users and groups from an LDAP directory (Microsoft Active Directory® and possibly others) for your symfony app's authentication and authorization.

This version supports Symfony 1.4 with Doctrine.


$Id: README 29351 2010-05-04 23:24:33Z Nathan.Vonnahme $

$HeadURL: $

What it does

bhLDAPAuthPlugin does:

  • give your app a web login form similar to sfGuard's, with LDAP password authentication
  • let you authorize parts of your app to users based on their membership in LDAP groups
  • work with Apache on Windows (XAMPP rocks; you will need the Devel package) or Linux (probably also other Unix family OSes including Mac OS X).
  • work with Microsoft Active Directory® and possibly other LDAP servers.

It does NOT:

  • provide single sign on/seamless authentication/NTLM/GSSAPI. For that, you can try some of these alternatives. I would try to run symfony on IIS, or try Likewise.
  • necessarily keep your app from transmitting AD passwords over the network in plain text (use HTTPS for the login; instructions below!)
  • suck as much as having Yet Another user/group database to maintain


  • sfDoctrineGuardPlugin. Why reinvent the wheel?
  • Your PHP must have OpenLDAP support enabled
  • Microsoft Active Directory® (again, it might work with other LDAP servers)
  • sfSslRequirementPlugin is a good idea but not strictly required (see "enable SSL" below).


NOTE: Make sure your PHP includes OpenSSL and OpenLDAP support (see phpinfo()) (note, for XAMPP, this blog post was instrumental.)

Using symfony plugin install

For production use, you can install the plugins the standard way:

Install the sfDoctrineGuardPlugin

./symfony plugin:install sfDoctrineGuardPlugin

Install the bhLDAPAuthPlugin

./symfony plugin:install bhLDAPAuthPlugin

Or, stay up-to-date with svn:externals

For development (potentially for production too, depending on your circumstances) I recommend using svn:externals on your plugins directory to stay in sync with the latest developments. Run this command to edit the svn:externals property on your plugin directory

svn propedit svn:externals ./plugins

And here are the correct URLs for downloading the latest from each plugin's symfony 1.4 (or compatible) branch:

$ svn propget svn:externals plugins/


1. Configure LDAPAuth.yml

Edit the domain values in your project's config/LDAPAuth.yml (you can start by copying plugins/bhLDAPAuthPlugin/config/LDAPAuth.yml to config/LDAPAuth.yml, as an example)

# base for all users and groups
account_suffix      :  "@mydomain"     
base_dn             :  "DC=mydomain,DC=mycompany,DC=com"

# An array of domain controllers. Specify multiple controllers if you 
# would like the class to balance the LDAP queries amongst multiple servers

2. Activate the plugins

Turn on the plugins in config/ProjectConfiguration.class.php

    class ProjectConfiguration extends sfProjectConfiguration
      public function setup()

3. Rebuild your model.

This adds the Propel object models for tables that sfDoctrineGuardPlugin needs to your database, even though we won't be using most of them.

./symfony  doctrine:build --model --sql

Update you database tables by starting from scratch (it will delete all the existing tables, then re-create them):

./symfony doctrine:insert-sql

or, you can create the new tables manually using the generated SQL statements that have been appended to data/sql/schema.sql.

(Don't load the default sfDoctrineGuardPlugin fixtures)

4. Clear your cache

symfony cc

5. Enable "Remember Me" (optional)

Optionally enable the "Remember Me" filter above the security filter in apps/frontend/config/filters.yml

  class: sfGuardRememberMeFilter

security: ~

6. Edit your application's config files

a. settings.yml

Enable the sfGuardAuth and bhLDAPAuth modules under .settings in apps/frontend/config/settings.yml

    enabled_modules: [default, ..., sfGuardAuth, bhLDAPAuth]

NOTE: at this time, it's also necessary to turn off CSRF protection here. I think it is because we mix the bhLDAPAuth module's forms with the forms from sfGuardAuth. Any help or patches are appreciated!

    csrf_secret:            false

Change the default login and secure modules under all:``.actions in apps/frontend/config/settings.yml

login_module:           bhLDAPAuth
login_action:           signin

secure_module:          sfGuardAuth
secure_action:          secure

b. app.yml

Tell sfDoctrineGuard to use the password checker in bhLDAPAuth in apps/frontend/config/app.yml, and set routes:register false so the bhLDAP routes will override.

check_password_callable:   [bhLDAP, checkPassword]
routes_register: false

c. myUser class

Change the parent class to bhLDAPAuthSecurityUser in apps/frontend/lib/myUser.class.php

class myUser extends bhLDAPAuthSecurityUser

7. Apply security to some modules or the whole app

Secure some modules or your entire application in apps/frontend/config/security.yml. Read more about security in chapter 6 of the symfony book.

To require users to log in to access any module of the application,

# don't secure login or error pages or you'll make a loop.
  is_secure: off
  require_ssl: true

  is_secure: off
  require_ssl: false

  is_secure: off
  require_ssl: false

# require authnz for everything else
  is_secure: on

Or, to secure the article module but not the entire app, edit apps/frontend/modules/article/config/security.yml

  is_secure: on

At this point your application (or certain modules) is restricted to users who can supply valid AD credentials.

8. enable SSL protection of login form

You don't want your AD credentials flying around the network in clear text, right?

a. Install the sfSslRequirementPlugin into your project's plugin dir (or use the svn:externals method, above).

./symfony plugin:install sfSslRequirementPlugin

b. Complete the installation (editing filters.yml and clearing cache) according to sfSslRequirementPlugin's README

c. The bhLDAPAuthPlugin security.yml file already turns SSL on for the signin and login action.

d. You're done. Now, if you try to access a secure page, you will be redirected to the login page.

Authorization: Granting different permissions to different LDAP groups

Imagine your application is a blog, with articles and comments, and you want the following access scheme:

  • users in the HumanResources Active Directory group can post and edit articles
  • users in the IntranetUsers group can add comments or update their own comments

Now that you have bhLDAPAuth configured, it's easy!

a. Edit the groupMappings section of config/LDAPAuth.yml:

      #  These settings map symfony credentials to AD groups.
      #  The credentials are applied to actions based on your app's config/security.yml file
      #  See chapter 6 (Inside the Controller Layer) of the book for more about credentials
      reader :
        - IntranetUsers
        - HumanResources
      editor  :
        - HumanResources

b. Edit the security.yml file in each of your modules' config directory to limit the actions to users with the appropriate credentials.

For articles, edit apps/myapp/modules/article/config/security.yml, adding a section for each of your article module's actions:

  credentials: reader

  credentials: reader

  credentials: editor

  credentials: editor

  credentials: editor

For comments, edit apps/myapp/modules/comment/config/security.yml:

  credentials: reader

  credentials: reader

  credentials: reader

  credentials: reader

  credentials: reader


This is all on the shoulders of giants. Besides symfony and sfDoctrineGuardPlugin, it includes code from the adLDAP PHP library.


  • Nathan Vonnahme (nathan dot vonnahme at banner health dot com)
  • Todd McNeill ( todd dot mcneill at pmi group dot com )
  • Sam Wilson ( swilson at kahn code labs dot net )


  • test and document non-AD LDAP servers



  • nathan: release for symfony 1.4 with Doctrine.

1.0 - 4.0

  • nathan: out of "alpha", releases for symfony 1.0, 1.1, 1.2 and 1.2 with Doctrine.

0.2, 0.3, 0.4, 0.5

  • nathan: doc tweaks (grrr)


  • nathan: initial release