I am trying to get Laravel 5.4 to authenticate users using LDAP instead of the traditional database method.
There is a library for that already, Adldap2/Adldap2-Laravel. The problem is that this library:
- connects first the the LDAP server as an admin user
- then searches for the user that wants to log into my app
- checks that the password is correct
- stores the data associated to that user in the “local” Laravel database
- reconnects to the LDAP as the admin user
This doesn’t work in my case, because there are no admins in the LDAP server that I ̶w̶a̶n̶t̶ have to connect to; only usernames allowed to use the app, with no roles.
As seen in an already existing issue, I modified the LoginController class with the follwoing code (for testing purposes I am trying to connect to the server provided in this web page: Online LDAP Test Server).
protected function attemptLogin(Request $request) {
$conn_settings = config('adldap.connections')[config('adldap_auth.connection')]['connection_settings'];
$credentials = $request->only(config('adldap_auth.usernames.eloquent'), 'password');
$user_format = env('ADLDAP_USER_FORMAT', 'uid=%s,' . $conn_settings['base_dn']);
$userdn = sprintf($user_format, $credentials[config('adldap_auth.usernames.eloquent')]);
$pass = $credentials['password'];
if(Adldap::auth()->attempt($userdn, $pass, $bindAsUser = true)) {
return true;
}
return false;
}
The problem that I have now is that, once logged in with the correct credentials, I am sent back to the login form. When the credentials are wrong, I get the corresponding error message.
My configuration files, just in case:
.env:
ADLDAP_CONTROLLERS=ldap.forumsys.com ADLDAP_BASEDN=dc=example,dc=com ADLDAP_USER_FORMAT=uid=%s,dc=example,dc=com
adldap_auth.php:
[
'connection' => env('ADLDAP_CONNECTION', 'default'),
'provider' => AdldapLaravelAuthDatabaseUserProvider::class,
'resolver' => AdldapLaravelAuthResolver::class,
'importer' => AdldapLaravelAuthImporter::class,
'rules' => [
AdldapLaravelValidationRulesDenyTrashed::class,
// AdldapLaravelValidationRulesOnlyImported::class,
],
'scopes' => [
AdldapLaravelScopesUpnScope::class,
],
'usernames' => [
'ldap' => 'uid',
'eloquent' => 'username',
],
'login_fallback' => env('ADLDAP_LOGIN_FALLBACK', false),
'password_sync' => env('ADLDAP_PASSWORD_SYNC', true),
'windows_auth_attribute' => ['samaccountname' => 'AUTH_USER'],
'sync_attributes' => [
'username' => 'uid',
'name' => 'cn',
],
];
adldap.php:
return [
'connections' => [
'default' => [
'auto_connect' => false,
'connection' => AdldapConnectionsLdap::class,
'schema' => AdldapSchemasActiveDirectory::class,
'connection_settings' => [
'account_prefix' => env('ADLDAP_ACCOUNT_PREFIX', ''),
'account_suffix' => env('ADLDAP_ACCOUNT_SUFFIX', ''),
'domain_controllers' => explode(' ', env('ADLDAP_CONTROLLERS', 'corp-dc1.corp.acme.org corp-dc2.corp.acme.org')),
'port' => env('ADLDAP_PORT', 389),
'timeout' => env('ADLDAP_TIMEOUT', 5),
'base_dn' => env('ADLDAP_BASEDN', 'dc=corp,dc=acme,dc=org'),
'admin_account_suffix' => env('ADLDAP_ADMIN_ACCOUNT_SUFFIX', ''),
'admin_username' => env('ADLDAP_ADMIN_USERNAME', ''),
'admin_password' => env('ADLDAP_ADMIN_PASSWORD', ''),
'follow_referrals' => true,
'use_ssl' => false,
'use_tls' => false,
],
],
],
]
Advertisement
Answer
In case anyone stumbles upon this question, I found a way to achieve what I wanted. The step-by-step guide is here: Howto: adminless LDAP authentification in Laravel.
Basically, before returning true in LoginController::attemptLogin(), the Guard has to be used to save an AppUser in the database.