I am trying to get Laravel 5.4 to authenticate users using LDAP instead of the traditional database method.
There is a library for that already, Adldap2/Adldap2-Laravel. The problem is that this library:
- connects first the the LDAP server as an admin user
- then searches for the user that wants to log into my app
- checks that the password is correct
- stores the data associated to that user in the “local” Laravel database
- reconnects to the LDAP as the admin user
This doesn’t work in my case, because there are no admins in the LDAP server that I ̶w̶a̶n̶t̶ have to connect to; only usernames allowed to use the app, with no roles.
As seen in an already existing issue, I modified the LoginController
class with the follwoing code (for testing purposes I am trying to connect to the server provided in this web page: Online LDAP Test Server).
protected function attemptLogin(Request $request) { $conn_settings = config('adldap.connections')[config('adldap_auth.connection')]['connection_settings']; $credentials = $request->only(config('adldap_auth.usernames.eloquent'), 'password'); $user_format = env('ADLDAP_USER_FORMAT', 'uid=%s,' . $conn_settings['base_dn']); $userdn = sprintf($user_format, $credentials[config('adldap_auth.usernames.eloquent')]); $pass = $credentials['password']; if(Adldap::auth()->attempt($userdn, $pass, $bindAsUser = true)) { return true; } return false; }
The problem that I have now is that, once logged in with the correct credentials, I am sent back to the login form. When the credentials are wrong, I get the corresponding error message.
My configuration files, just in case:
.env:
ADLDAP_CONTROLLERS=ldap.forumsys.com ADLDAP_BASEDN=dc=example,dc=com ADLDAP_USER_FORMAT=uid=%s,dc=example,dc=com
adldap_auth.php:
[ 'connection' => env('ADLDAP_CONNECTION', 'default'), 'provider' => AdldapLaravelAuthDatabaseUserProvider::class, 'resolver' => AdldapLaravelAuthResolver::class, 'importer' => AdldapLaravelAuthImporter::class, 'rules' => [ AdldapLaravelValidationRulesDenyTrashed::class, // AdldapLaravelValidationRulesOnlyImported::class, ], 'scopes' => [ AdldapLaravelScopesUpnScope::class, ], 'usernames' => [ 'ldap' => 'uid', 'eloquent' => 'username', ], 'login_fallback' => env('ADLDAP_LOGIN_FALLBACK', false), 'password_sync' => env('ADLDAP_PASSWORD_SYNC', true), 'windows_auth_attribute' => ['samaccountname' => 'AUTH_USER'], 'sync_attributes' => [ 'username' => 'uid', 'name' => 'cn', ], ];
adldap.php:
return [ 'connections' => [ 'default' => [ 'auto_connect' => false, 'connection' => AdldapConnectionsLdap::class, 'schema' => AdldapSchemasActiveDirectory::class, 'connection_settings' => [ 'account_prefix' => env('ADLDAP_ACCOUNT_PREFIX', ''), 'account_suffix' => env('ADLDAP_ACCOUNT_SUFFIX', ''), 'domain_controllers' => explode(' ', env('ADLDAP_CONTROLLERS', 'corp-dc1.corp.acme.org corp-dc2.corp.acme.org')), 'port' => env('ADLDAP_PORT', 389), 'timeout' => env('ADLDAP_TIMEOUT', 5), 'base_dn' => env('ADLDAP_BASEDN', 'dc=corp,dc=acme,dc=org'), 'admin_account_suffix' => env('ADLDAP_ADMIN_ACCOUNT_SUFFIX', ''), 'admin_username' => env('ADLDAP_ADMIN_USERNAME', ''), 'admin_password' => env('ADLDAP_ADMIN_PASSWORD', ''), 'follow_referrals' => true, 'use_ssl' => false, 'use_tls' => false, ], ], ], ]
Advertisement
Answer
In case anyone stumbles upon this question, I found a way to achieve what I wanted. The step-by-step guide is here: Howto: adminless LDAP authentification in Laravel.
Basically, before returning true
in LoginController::attemptLogin()
, the Guard
has to be used to save an AppUser
in the database.