Symfony with multiple LDAP providers
I cannot get users authenticated against several LDAP directories using the services and security configuration (Symfony 3.3).
I am using the Symfony Ldap component and have created two LDAP configuration services for two different hosts.
services.yml:

services:
    ldap1:
        class: Symfony\Component\Ldap\Ldap
        arguments: ['@ldap_adapter1']
    ldap_adapter1:
        class: Symfony\Component\Ldap\Adapter\ExtLdap\Adapter
        arguments:
            -   host: serldap.abc.fr
                port: 389
                options:
                    protocol_version: 3
                    referrals: false
    ldap2:
        class: Symfony\Component\Ldap\Ldap
        arguments: ['@ldap_adapter2']
    ldap_adapter2:
        class: Symfony\Component\Ldap\Adapter\ExtLdap\Adapter
        arguments:
            -   host: ldap.xyz.fr
                port: 389
                options:
                    protocol_version: 3
                    referrals: false
security.yml:

security:
    providers:
        chain_provider:
            chain:
                providers: [ldap_1, ldap_2]
        ldap_1:
            ldap:
                service: ldap1
                base_dn: ou=abcaccount,dc=abc,dc=fr
                search_dn: uid=a1,ou=abcaccount,dc=abc,dc=fr
                search_password: pass1
                default_roles: ROLE_USER
                uid_key: uid
        ldap_2:
            ldap:
                service: ldap2
                base_dn: ou=xyzaccount,dc=xyz,dc=fr
                search_dn: uid=a2,ou=xyzaccount,dc=xyz,dc=fr
                search_password: pass2
                default_roles: ROLE_USER
                uid_key: uid
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            anonymous: ~
            provider: chain_provider
            form_login_ldap:
                login_path: login
                check_path: login
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, roles: ROLE_USER }
If I add a dn_string under form_login_ldap, i.e.:

    dn_string: 'uid={username},ou=xyzaccount,dc=xyz,dc=fr'

then it works, but the problem is that this configures only one LDAP directory. Without that line I get the following error:

    php.DEBUG: Warning: ldap_bind(): Unable to bind to server: Invalid DN syntax

Two questions:
- Is there a way to authenticate users against both LDAP directories while keeping things simple?
- It would be even better if they could choose the directory to authenticate against in the login form; could that be passed through some kind of input? E.g.

    dn_string: 'uid={username},ou={chosenOUInForm},dc={chosenDC1InForm},dc={chosenDC2InForm}'

Thanks in advance.
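A note on the second question, followed by an added example that is not part of the question or the answer. form_login_ldap substitutes only the {username} placeholder into dn_string (its default is just "{username}", which is why binding with a bare login name fails with "Invalid DN syntax"), and the bind authentication provider DN-escapes the username before substitution. A template with {chosenOUInForm} placeholders is therefore never expanded, and any variant that spliced raw form fields into the DN would let the user rewrite the DN structure. The safer shape is to post a short realm key and resolve it to a fixed template on the server, as below. The class name LdapRealmResolver, the realm keys abc and xyz, and the wiring are hypothetical; it needs PHP 7 and ext-ldap for ldap_escape(), which the setup in the question already requires.

```php
<?php
// Added example, not code from the question or answer.
// Resolve a form-submitted realm key to a fixed bind-DN template and escape the
// username for DN use, so no DN component is ever taken literally from the form.

final class LdapRealmResolver
{
    /**
     * Realm key (what the login form submits) => dn_string template.
     * Hypothetical keys; the templates mirror the two directories in the question.
     */
    const REALMS = array(
        'abc' => 'uid={username},ou=abcaccount,dc=abc,dc=fr',
        'xyz' => 'uid={username},ou=xyzaccount,dc=xyz,dc=fr',
    );

    /** Keys to offer in a <select>; nothing else is accepted. */
    public static function allowedRealms()
    {
        return array_keys(self::REALMS);
    }

    /**
     * Build the DN to bind with. Unknown realms are rejected outright instead of
     * interpolating user-supplied ou=/dc= values into the DN.
     */
    public static function bindDn($realm, $username)
    {
        if (!is_string($realm) || !isset(self::REALMS[$realm])) {
            throw new \InvalidArgumentException('Unknown LDAP realm.');
        }
        if (!is_string($username) || $username === '' || strlen($username) > 255) {
            throw new \InvalidArgumentException('Username must be 1-255 characters.');
        }

        // RFC 4514 DN escaping: ',', '=', '+', '<', '>', ';', '"' and '\' become \hh sequences,
        // so a username cannot add or alter RDNs. Same call Symfony's LDAP adapter wraps.
        $escaped = ldap_escape($username, '', LDAP_ESCAPE_DN);

        return str_replace('{username}', $escaped, self::REALMS[$realm]);
    }
}

// Demonstration on constructed input (not real accounts).
$cases = array(
    array('abc', 'alice'),
    array('xyz', 'bob'),
    array('abc', 'a1,ou=admins'),                 // comma would otherwise inject an RDN
    array('ou=xyzaccount,dc=xyz,dc=fr', 'alice'), // realm taken literally from the form: rejected
);

foreach ($cases as $case) {
    list($realm, $user) = $case;
    try {
        printf("%-30s %-15s -> %s\n", $realm, $user, LdapRealmResolver::bindDn($realm, $user));
    } catch (\InvalidArgumentException $e) {
        printf("%-30s %-15s -> rejected: %s\n", $realm, $user, $e->getMessage());
    }
}
```

form_login_ldap takes one static dn_string per firewall, so a resolver like this would live in a custom Guard authenticator, or be used only to decide which check_path the form posts to. Either way the only user-controlled inputs are the realm key and the username, and both are validated before they touch the DN.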
Answer

I managed to make it work by adding the request_matcher parameter to the security configuration:
security:
    providers:
        chain_provider:
            chain:
                providers: [ldap_1, ldap_2]
        ldap_1:
            ldap:
                service: ldap1
                base_dn: ou=abcaccount,dc=abc,dc=fr
                search_dn: ~
                search_password: ~
                default_roles: ROLE_USER
                uid_key: uid
        ldap_2:
            ldap:
                service: ldap2
                base_dn: ou=xyzaccount,dc=xyz,dc=fr
                search_dn: ~
                search_password: ~
                default_roles: ROLE_USER
                uid_key: uid
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        base:
            pattern: ^/
            request_matcher: app.base_firewall_matcher
            anonymous: ~
            form_login_ldap:
                service: ldap1 # does not matter for the base firewall: it has no check_path, so it never processes a login
                login_path: login
        one:
            pattern: ^/
            request_matcher: app.first_firewall_matcher
            anonymous: ~
            provider: ldap_1
            form_login_ldap:
                service: ldap1
                login_path: login
                check_path: login_1_check
                dn_string: 'uid={username},ou=abcaccount,dc=abc,dc=fr'
        two:
            pattern: ^/
            request_matcher: app.second_firewall_matcher
            anonymous: ~
            provider: ldap_2
            form_login_ldap:
                service: ldap2
                login_path: login
                check_path: login_2_check
                dn_string: 'uid={username},ou=xyzaccount,dc=xyz,dc=fr'
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, roles: ROLE_USER }
The form page (the Twig page returned by the login path) has one button that submits the form to login_1_check and another that submits it to login_2_check:
<form action="{{ path('login_1_check') }}" method="post">
<input type="text" id="username" name="_username"/>
<input type="password" id="password" name="_password" />
<button type="submit">login to LDAP 1</button>
<button type="submit" formaction="{{ path('login_2_check') }}">login to LDAP 2</button>
</form>
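The answer depends on three request_matcher services (app.base_firewall_matcher, app.first_firewall_matcher, app.second_firewall_matcher) that it does not show. Below is an added example of one way to write them; it is not the answer's own code. A single RequestMatcherInterface implementation claims a request when its path is in an include list, or, for the base firewall, when it is not in an exclude list. The class name, namespace and service wiring are hypothetical, and the example assumes the login_1_check and login_2_check routes are mounted at /login_1_check and /login_2_check.

```php
<?php
// Added example (hypothetical): route requests to the right firewall by path.
// The answer references these matcher services but does not show them.
namespace AppBundle\Security;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RequestMatcherInterface;

final class PathListRequestMatcher implements RequestMatcherInterface
{
    /** @var string[] */
    private $paths;

    /** @var bool */
    private $negate;

    /**
     * @param string[] $paths  exact path-info values, e.g. array('/login_1_check')
     * @param bool     $negate true = match every request whose path is NOT in $paths
     */
    public function __construct(array $paths, $negate = false)
    {
        $this->paths = array_values(array_map('strval', $paths));
        $this->negate = (bool) $negate;
    }

    public function matches(Request $request)
    {
        // getPathInfo() is decoded and stripped of the front controller and base
        // path, so it can be compared exactly; REQUEST_URI could not be.
        $inList = in_array($request->getPathInfo(), $this->paths, true);

        return $this->negate ? !$inList : $inList;
    }
}

/*
Service wiring for the three matcher ids used in the answer (services.yml):

services:
    app.first_firewall_matcher:
        class: AppBundle\Security\PathListRequestMatcher
        arguments: [['/login_1_check']]
    app.second_firewall_matcher:
        class: AppBundle\Security\PathListRequestMatcher
        arguments: [['/login_2_check']]
    app.base_firewall_matcher:
        class: AppBundle\Security\PathListRequestMatcher
        arguments: [['/login_1_check', '/login_2_check'], true]
*/
```

Two things to check when using this split. Firewalls are tried in configuration order and the first match wins, so the base matcher must exclude both check paths or the one and two firewalls are never reached. And each firewall keeps its own session security context, named after the firewall by default, so the token created by firewall one or two is only visible on the requests that base handles if all three firewalls are given the same context: value; without it, the redirect after a successful login lands on an anonymous base firewall and access_control sends the user back to the login page.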