From f1332693499c9be7518f8c4089bcbe982863dc31 Mon Sep 17 00:00:00 2001 From: nietonfir Date: Thu, 26 Jan 2017 02:02:41 +0100 Subject: [PATCH 1/4] Explain the query_string ldap authentication provider configuration key Refs symfony/symfony#21402 --- reference/configuration/security.rst | 12 +++++++----- security/ldap.rst | 24 ++++++++++++++++++++++++ 2 files changed, 31 insertions(+), 5 deletions(-) diff --git a/reference/configuration/security.rst b/reference/configuration/security.rst index dd9a3da6284..9ab8f760cf5 100644 --- a/reference/configuration/security.rst +++ b/reference/configuration/security.rst @@ -142,9 +142,10 @@ Each part will be explained in the next section. http_basic: provider: some_key_from_above http_basic_ldap: - provider: some_key_from_above - service: ldap - dn_string: '{username}' + provider: some_key_from_above + service: ldap + dn_string: '{username}' + query_string: ~ http_digest: provider: some_key_from_above guard: @@ -237,8 +238,9 @@ Each part will be explained in the next section. # new in Symfony 2.3 require_previous_session: true - service: ~ - dn_string: '{username}' + service: ~ + dn_string: '{username}' + query_string: ~ remember_me: token_provider: name diff --git a/security/ldap.rst b/security/ldap.rst index 29b984b93d8..214635fd8b7 100644 --- a/security/ldap.rst +++ b/security/ldap.rst @@ -270,6 +270,30 @@ For example, if your users have DN strings in the form ``uid=einstein,dc=example,dc=com``, then the ``dn_string`` will be ``uid={username},dc=example,dc=com``. +query_string +............ + +**type**: ``string`` + +This (optional) key enables the user provider to search for a user and +then use the DN found for the bind process. This is useful in environments +with multiple LDAP user providers with a different ``base_dn``. As value +a valid search string for should be used, e.g. ``uid="{username}"``. The +placeholder value will be replaced by the actual username. + +When this key is used, ``dn_string`` has to be adjusted accordingly and +should reflect a common denominator as base DN. + +Extending the previous example: If Your users have two different DN in the +form of ``dc=companyA,dc=example,dc=com`` and ``dc=companyB,dc=example,dc=com``, +then ``dn_string`` should be ``dc=example,dc=com``. In conjunction with +``uid="{username}"`` as ``query_string`` the authentication provider can +authenticate user from both DN. + +Please bear in mind, that the usernames themselves have to be unique +across both DN, as the authentication provider won't determine the +correct user for the bind process if more than one are found. + Examples are provided below, for both ``form_login_ldap`` and ``http_basic_ldap``. From ed58da8db06f88d4672af74c5e7660b12087c981 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Thu, 26 Jan 2017 10:21:20 +0100 Subject: [PATCH 2/4] Minor reword --- security/ldap.rst | 38 ++++++++++++++++++-------------------- 1 file changed, 18 insertions(+), 20 deletions(-) diff --git a/security/ldap.rst b/security/ldap.rst index 214635fd8b7..dd32a48194f 100644 --- a/security/ldap.rst +++ b/security/ldap.rst @@ -273,26 +273,24 @@ For example, if your users have DN strings in the form query_string ............ -**type**: ``string`` - -This (optional) key enables the user provider to search for a user and -then use the DN found for the bind process. This is useful in environments -with multiple LDAP user providers with a different ``base_dn``. As value -a valid search string for should be used, e.g. ``uid="{username}"``. The -placeholder value will be replaced by the actual username. - -When this key is used, ``dn_string`` has to be adjusted accordingly and -should reflect a common denominator as base DN. - -Extending the previous example: If Your users have two different DN in the -form of ``dc=companyA,dc=example,dc=com`` and ``dc=companyB,dc=example,dc=com``, -then ``dn_string`` should be ``dc=example,dc=com``. In conjunction with -``uid="{username}"`` as ``query_string`` the authentication provider can -authenticate user from both DN. - -Please bear in mind, that the usernames themselves have to be unique -across both DN, as the authentication provider won't determine the -correct user for the bind process if more than one are found. +**type**: ``string`` **default**: ``null`` + +This (optional) key makes the user provider search for a user and then use the +found DN for the bind process. This is useful when using multiple LDAP user +providers with different ``base_dn``. The value of this option must be a valid +search string (e.g. ``uid="{username}"``). The placeholder value will be +replaced by the actual username. + +When this option is used, ``dn_string`` has to be updated accordingly. Following +the previous example, if your users have the following two DN: +``dc=companyA,dc=example,dc=com`` and ``dc=companyB,dc=example,dc=com``, then +``dn_string`` should be ``dc=example,dc=com``. If the ``query_string`` option is +``uid="{username}"``, then the authentication provider can authenticate users +from both DN. + +Bear in mind that usernames must be unique across both DN, as the authentication +provider won't be able to select the correct user for the bind process if more +than one is found. Examples are provided below, for both ``form_login_ldap`` and ``http_basic_ldap``. From 446ba381be1ceadf8c29051896548cd183169cfa Mon Sep 17 00:00:00 2001 From: Lukas Kahwe Smith Date: Thu, 26 Jan 2017 23:06:00 +0100 Subject: [PATCH 3/4] added query_string LDAP config option --- reference/configuration/security.rst | 11 ++++ security/ldap.rst | 76 +++++++++++++++++++++++++++- 2 files changed, 86 insertions(+), 1 deletion(-) diff --git a/reference/configuration/security.rst b/reference/configuration/security.rst index 9ab8f760cf5..1808971fc62 100644 --- a/reference/configuration/security.rst +++ b/reference/configuration/security.rst @@ -448,6 +448,17 @@ placeholder will be replaced with the user-provided value (his login). Depending on your LDAP server's configuration, you may need to override this value. +query_string +............ + +**type**: ``string`` **default**: ``null`` + +This is the string which will be used to query for the DN. The ``{username}`` +placeholder will be replaced with the user-provided value (his login). +Depending on your LDAP server's configuration, you will need to override +this value. This setting is only necessary if the users DN cannot be derived +statically using the `dn_string` config option. + User provider ~~~~~~~~~~~~~ diff --git a/security/ldap.rst b/security/ldap.rst index dd32a48194f..2e032cdad2e 100644 --- a/security/ldap.rst +++ b/security/ldap.rst @@ -246,7 +246,7 @@ Authenticating against an LDAP server can be done using either the form login or the HTTP Basic authentication providers. They are configured exactly as their non-LDAP counterparts, with the -addition of two configuration keys: +addition of two configuration keys and one optional key: service ....... @@ -295,6 +295,19 @@ than one is found. Examples are provided below, for both ``form_login_ldap`` and ``http_basic_ldap``. +query_string +............ + +**type**: ``string`` **default**: ``null`` + +This optional key defines the form of the query used in order to search the +DN of the user, from the username. The ``{username}`` string is replaced by +the actual username of the person trying to authenticate. + +This setting is only necessary if the users DN cannot be derived statically +using the `dn_string` config option. + + Configuration example for form login .................................... @@ -404,5 +417,66 @@ Configuration example for HTTP Basic ), ); +Configuration example for form login and query_string +..................................................... + +.. configuration-block:: + + .. code-block:: yaml + + # app/config/security.yml + security: + # ... + + firewalls: + main: + # ... + form_login_ldap: + login_path: login + check_path: login_check + # ... + service: ldap + dn_string: 'dc=example,dc=com' + query_string: '(&(uid={username})(memberOf=cn=users,ou=Services,dc=example,dc=com))' + + .. code-block:: xml + + + + + + + + + + + + + .. code-block:: php + + $container->loadFromExtension('security', array( + 'firewalls' => array( + 'main' => array( + 'form_login_ldap' => array( + 'login_path' => 'login', + 'check_path' => 'login_check', + 'service' => 'ldap', + 'dn_string' => 'dc=example,dc=com', + 'query_string' => '(&(uid={username})(memberOf=cn=users,ou=Services,dc=example,dc=com))', + // ... + ), + ), + ) + ); + .. _`RFC4515`: http://www.faqs.org/rfcs/rfc4515.html .. _`LDAP injection`: http://projects.webappsec.org/w/page/13246947/LDAP%20Injection From b82cafd2ee30715ecd735419d2617e11e0348249 Mon Sep 17 00:00:00 2001 From: Lukas Kahwe Smith Date: Fri, 27 Jan 2017 10:48:59 +0100 Subject: [PATCH 4/4] clean up --- reference/configuration/security.rst | 6 +++--- security/ldap.rst | 28 ++-------------------------- 2 files changed, 5 insertions(+), 29 deletions(-) diff --git a/reference/configuration/security.rst b/reference/configuration/security.rst index 1808971fc62..3d97b0bcec2 100644 --- a/reference/configuration/security.rst +++ b/reference/configuration/security.rst @@ -454,10 +454,10 @@ query_string **type**: ``string`` **default**: ``null`` This is the string which will be used to query for the DN. The ``{username}`` -placeholder will be replaced with the user-provided value (his login). +placeholder will be replaced with the user-provided value (their login). Depending on your LDAP server's configuration, you will need to override -this value. This setting is only necessary if the users DN cannot be derived -statically using the `dn_string` config option. +this value. This setting is only necessary if the user's DN cannot be derived +statically using the ``dn_string`` config option. User provider ~~~~~~~~~~~~~ diff --git a/security/ldap.rst b/security/ldap.rst index 2e032cdad2e..d91e977a798 100644 --- a/security/ldap.rst +++ b/security/ldap.rst @@ -295,19 +295,6 @@ than one is found. Examples are provided below, for both ``form_login_ldap`` and ``http_basic_ldap``. -query_string -............ - -**type**: ``string`` **default**: ``null`` - -This optional key defines the form of the query used in order to search the -DN of the user, from the username. The ``{username}`` string is replaced by -the actual username of the person trying to authenticate. - -This setting is only necessary if the users DN cannot be derived statically -using the `dn_string` config option. - - Configuration example for form login .................................... @@ -323,8 +310,6 @@ Configuration example for form login main: # ... form_login_ldap: - login_path: login - check_path: login_check # ... service: ldap dn_string: 'uid={username},dc=example,dc=com' @@ -342,8 +327,6 @@ Configuration example for form login @@ -356,8 +339,6 @@ Configuration example for form login 'firewalls' => array( 'main' => array( 'form_login_ldap' => array( - 'login_path' => 'login', - 'check_path' => 'login_check', 'service' => 'ldap', 'dn_string' => 'uid={username},dc=example,dc=com', // ... @@ -432,8 +413,6 @@ Configuration example for form login and query_string main: # ... form_login_ldap: - login_path: login - check_path: login_check # ... service: ldap dn_string: 'dc=example,dc=com' @@ -452,23 +431,20 @@ Configuration example for form login and query_string + query-string="(&(uid={username})(memberOf=cn=users,ou=Services,dc=example,dc=com))" /> .. code-block:: php + // app/config/security.php $container->loadFromExtension('security', array( 'firewalls' => array( 'main' => array( 'form_login_ldap' => array( - 'login_path' => 'login', - 'check_path' => 'login_check', 'service' => 'ldap', 'dn_string' => 'dc=example,dc=com', 'query_string' => '(&(uid={username})(memberOf=cn=users,ou=Services,dc=example,dc=com))',