
[Ldap] Fixing the behaviour of getting LDAP Attributes #41527


Merged
merged 1 commit into symfony:5.4 from mr-sven:fix/ldap_attributes on Aug 26, 2021

Conversation

mr-sven
Contributor

@mr-sven mr-sven commented Jun 3, 2021

Q A
Branch? 5.4
Bug fix? yes
New feature? no
Deprecations? no
Tickets n/a
License MIT
Doc PR todo?

Some of the attributes in LDAP are not shipped via filter = *; they have to be requested. An example is the memberOf attribute in the OpenLDAP docker demo rroemhild/docker-test-openldap: the memberOf attribute is an overlay and is only available on request.

ldapsearch example without requesting memberOf:

$ ldapsearch -H ldap://localhost:10389 -b dc=planetexpress,dc=com -D "cn=admin,dc=planetexpress,dc=com" -w GoodNewsEveryone "(&(objectClass=inetOrgPerson)(uid=fry))"

dn: cn=Philip J. Fry,ou=people,dc=planetexpress,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Philip J. Fry
sn: Fry
description: Human
displayName: Fry
employeeType: Delivery boy
givenName: Philip
jpegPhoto:: ....
mail: fry@planetexpress.com
ou: Delivering Crew
uid: fry
userPassword:: ....

ldapsearch example with requesting memberOf:

$ ldapsearch -H ldap://localhost:10389 -b dc=planetexpress,dc=com -D "cn=admin,dc=planetexpress,dc=com" -w GoodNewsEveryone "(&(objectClass=inetOrgPerson)(uid=fry))" "*" "memberOf"

dn: cn=Philip J. Fry,ou=people,dc=planetexpress,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Philip J. Fry
sn: Fry
description: Human
displayName: Fry
employeeType: Delivery boy
givenName: Philip
jpegPhoto:: ....
mail: fry@planetexpress.com
ou: Delivering Crew
uid: fry
userPassword:: ....
memberOf: cn=ship_crew,ou=people,dc=planetexpress,dc=com
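The same difference the two ldapsearch runs show, expressed with the Ldap component's query API. This is an added example, not code from the PR or from Symfony; it assumes the `filter` query option, which the ExtLdap adapter passes to the server as the attribute list of the search, and reuses the connection values from the description.

```php
<?php
// Added example, not part of the PR. An overlay attribute such as memberOf is
// only returned when it is named in the attribute list of the search, which the
// Ldap component exposes through the 'filter' query option (assumed here).
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\Ldap\Entry;
use Symfony\Component\Ldap\Ldap;

// Connection values from the PR description (rroemhild/docker-test-openldap demo).
$ldap = Ldap::create('ext_ldap', [
    'host' => 'localhost',
    'port' => 10389,
    'options' => ['protocol_version' => 3, 'referrals' => false],
]);
$ldap->bind('cn=admin,dc=planetexpress,dc=com', 'GoodNewsEveryone');

$baseDn = 'dc=planetexpress,dc=com';
$query  = '(&(objectClass=inetOrgPerson)(uid=fry))';

/**
 * Returns the memberOf values of the first matching entry, or [] when the
 * server did not include the attribute in its response.
 *
 * @param string|string[] $attributes attribute list sent with the search
 */
function memberOf(Ldap $ldap, string $baseDn, string $query, $attributes): array
{
    $entries = $ldap->query($baseDn, $query, ['filter' => $attributes])->execute()->toArray();
    if (!$entries) {
        return [];
    }
    /** @var Entry $entry */
    $entry = $entries[0];

    return $entry->getAttribute('memberOf') ?? [];
}

// Default '*': memberOf is absent, so a role mapping built on it would
// silently give the user no group memberships at all.
$withoutOverlay = memberOf($ldap, $baseDn, $query, '*');

// Explicit request, the equivalent of `ldapsearch ... "*" "memberOf"`:
// the group DN is now part of the entry.
$withOverlay = memberOf($ldap, $baseDn, $query, ['*', 'memberOf']);

printf("default: %d group(s), explicit: %d group(s)\n", \count($withoutOverlay), \count($withOverlay));
```

With the provider fix from this PR, listing memberOf in `extra_fields` has the same effect as the explicit attribute list above.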

@carsonbot

Hey!

I see that this is your first PR. That is great! Welcome!

Symfony has a contribution guide which I suggest you read.

In short:

  • Always add tests
  • Keep backward compatibility (see https://symfony.com/bc).
  • Bug fixes must be submitted against the lowest maintained branch where they apply (see https://symfony.com/releases)
  • Features and deprecations must be submitted against the 5.4 branch.

Review the GitHub status checks of your pull request and try to solve the reported issues. If some tests are failing, try to see if they are failing because of this change.

When two Symfony core team members approve this change, it will be merged and you will become an official Symfony contributor!
If this PR is merged in a lower version branch, it will be merged up to all maintained branches within a few days.

I am going to sit back now and wait for the reviews.

Cheers!

Carsonbot

@nicolas-grekas
Member

Shouldn't this PR target a lower branch, eg 4.4?
Can this be tested somehow?

@mr-sven
Contributor Author

mr-sven commented Jun 3, 2021

Here are the snippets from my config. Without the modification, the memberOf will fail.

It took me half a day of researching because the documentation is missing the service tag for the ldap service.

# /config/packages/security.yaml
security:
    enable_authenticator_manager: true

    providers:
        provider_ldap:
            ldap:
                service: Symfony\Component\Ldap\Ldap
                base_dn: dc=planetexpress,dc=com
                search_dn: cn=admin,dc=planetexpress,dc=com
                search_password: GoodNewsEveryone
                default_roles: ROLE_USER
                uid_key: uid
                extra_fields: ['givenName','sn','mail','memberOf']

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        main:
            lazy: true

            form_login_ldap:
                service: Symfony\Component\Ldap\Ldap
                enable_csrf: true
                login_path: login
                check_path: login
                dn_string: dc=planetexpress,dc=com
                query_string: '(&(uid={username}))'
                search_dn: cn=admin,dc=planetexpress,dc=com
                search_password: GoodNewsEveryone

            logout:
                path: logout

    access_control:
        - { path: ^/login, roles: IS_ANONYMOUS }
        - { path: ^/, roles: ROLE_USER }

# /config/services.yaml
services:
    Symfony\Component\Ldap\Ldap:
        arguments: ['@Symfony\Component\Ldap\Adapter\ExtLdap\Adapter']
        # the documentation is missing the service tag
        tags: ['ldap']
    Symfony\Component\Ldap\Adapter\ExtLdap\Adapter:
        arguments:
            -   host: localhost
                port: 10389 # same port as the ldapsearch commands above (the demo container exposes 10389)
                #encryption: tls
                options:
                    protocol_version: 3
                    referrals: false

@OskarStark
Contributor

This should target 🎯 4.4 and can you please add a testcase to avoid further regression?

@derrabus derrabus added this to the 4.4 milestone Jun 5, 2021
Member

@fabpot fabpot left a comment


LGTM as a new feature.

@fabpot
Member

fabpot commented Aug 26, 2021

Thank you @mr-sven.

@fabpot fabpot force-pushed the fix/ldap_attributes branch from 3d2ced7 to d75b475 Compare August 26, 2021 06:38
@fabpot fabpot merged commit 42197de into symfony:5.4 Aug 26, 2021
@mr-sven mr-sven deleted the fix/ldap_attributes branch August 31, 2021 06:36