Can not authorize in Active Directory in Symfony 3

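I am trying to get my Symfony application to use Active Directory for authorization. I followed this documentation: http://symfony.com/blog/new-in-symfony-2-8-ldap-component but without success.

Nothing really changes after the form is submitted; I remain anonymous.

I tried adding some log output to the Ldap component, and I found that ldap->bind is never triggered, although the constructor in LdapClient, the user and auth providers, and the factory are triggered.

I don't know, maybe something is wrong with my SecurityController?

Any ideas would be appreciated.

I made a simple PHP script to test my setup, and it works fine: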

$ldapserver = 'server.ip.address';
$ldapuser = '_user_for_search_sAMAccountname';
$ldappass = '_user_pass';
$ldapconn = ldap_connect($ldapserver);
if($ldapconn) {
    $ldapbind = ldap_bind($ldapconn, $ldapuser, $ldappass);
    if ($ldapbind) echo "LDAP bind successful...\n";
}

Here are my Symfony files (I use Symfony 3.0.3):

app/config/services.yml:

services:
    app.ldap:
        class: Symfony\Component\Ldap\LdapClient
        arguments: [ "server.ip.address" ]

app/config/security.yml:

security:
    role_hierarchy:
        ROLE_ADMIN: [ROLE_USER]
    providers:
        app_users:
            ldap:
                service: app.ldap
                base_dn: ou=staff,dc=ldap,dc=server,dc=com
                search_dn: _user_for_search_sAMAccountname
                search_password: _user_pass
                filter: "(sAMAccountName={username})"
                default_roles: ROLE_USER

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            provider: app_users
            pattern:  ^/
            logout:
                path:   /logout
                target: /
            form_login_ldap:
                service: app.ldap
                dn_string: "{username}" # !!! differs from default but no luck
                check_path: /login_check
                login_path: /login
            security: true
            anonymous: true
    access_control:
        - { path: /login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: /user, roles: ROLE_USER }
        - { path: /.*, roles: IS_AUTHENTICATED_ANONYMOUSLY }

app/config/routing.yml

login:
    path: /login
    defaults: { _controller: R61IP4BillBundle:Security:login }

login_check:
    path: /login_check

logout:
    path: /logout

user:
    path: /user
    defaults: { _controller: R61IP4BillBundle:Default:user }

SecurityController.php:

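namespace R61\IP4BillBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;

// Only renders the login form; the credentials themselves are handled by the firewall.
class SecurityController extends Controller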
{
    public function loginAction(Request $request)
    {
        $authenticationUtils = $this->get('security.authentication_utils');
        $error = $authenticationUtils->getLastAuthenticationError();

        return $this->render(
            'R61IP4BillBundle:Security:login.html.twig',
            array(
                'error' => $error,
            )
        );
    }
}

login.html.twig:

{% if error %}
    <div>{{ error.messageKey|trans(error.messageData, 'security') }}</div>
{% endif %}
<form action="{{ path('login') }}" method="post">
    <label for="username">Username:</label>
    <input type="text" id="username" name="_username" />

    <label for="password">Password:</label>
    <input type="password" id="password" name="_password" />

    {#
        If you want to control the URL the user
        is redirected to on success (more details below)
        <input type="hidden" name="_target_path" value="/account" />
    #}
    <button type="submit">login</button>
</form>

Here is dev.log. First, Symfony redirects me from the secured URL to the login form, and then I submit the form.

[2016-03-16 16:23:26] request.INFO: Matched route "user". {"route_parameters":{"_controller":"R61\IP4BillBundle\Controller\DefaultController::userAction","_route":"user"},"request_uri":"http://ip4bill.r61.net.hosting.r61.net/app_dev.php/user"} []
[2016-03-16 16:23:26] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2016-03-16 16:23:26] security.DEBUG: Access denied, the user is not fully authenticated; redirecting to authentication entry point. {"exception":"[object] (Symfony\Component\Security\Core\Exception\AccessDeniedException(code: 403): Access Denied. at /http/ip4bill/site/ip4bill/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/AccessListener.php:70)"} []
[2016-03-16 16:23:26] security.DEBUG: Calling Authentication entry point. [] []
[2016-03-16 16:23:26] request.INFO: Matched route "login". {"route_parameters":{"_controller":"R61\IP4BillBundle\Controller\SecurityController::loginAction","_route":"login"},"request_uri":"http://ip4bill.r61.net.hosting.r61.net/app_dev.php/login"} []
[2016-03-16 16:23:26] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2016-03-16 16:23:26] request.INFO: Matched route "_wdt". {"route_parameters":{"_controller":"web_profiler.controller.profiler:toolbarAction","token":"722104","_route":"_wdt"},"request_uri":"http://ip4bill.r61.net.hosting.r61.net/app_dev.php/_wdt/722104"} []
[2016-03-16 16:23:31] request.INFO: Matched route "login". {"route_parameters":{"_controller":"R61\IP4BillBundle\Controller\SecurityController::loginAction","_route":"login"},"request_uri":"http://ip4bill.r61.net.hosting.r61.net/app_dev.php/login"} []
[2016-03-16 16:23:31] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2016-03-16 16:23:31] request.INFO: Matched route "_wdt". {"route_parameters":{"_controller":"web_profiler.controller.profiler:toolbarAction","token":"22d08e","_route":"_wdt"},"request_uri":"http://ip4bill.r61.net.hosting.r61.net/app_dev.php/_wdt/22d08e"} []

Your form uses the wrong path. You should use path('login_check') instead of path('login').

So it is normal that the credentials are never checked against the LDAP server.
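
The mismatch described in this answer can be caught mechanically before deployment. As an added example (not part of the original post or of Symfony), the Python check below resolves each form's target route and compares it with the firewall's check_path; the inline excerpts are constructed from the question's files, and all function names are hypothetical.

```python
import re

# Constructed excerpts mirroring the question's security.yml, routing.yml and login.html.twig.
SECURITY_YML = """\
firewalls:
    main:
        form_login_ldap:
            service: app.ldap
            check_path: /login_check
            login_path: /login
"""
ROUTING_YML = """\
login:
    path: /login
    defaults: { _controller: R61IP4BillBundle:Security:login }
login_check:
    path: /login_check
"""
BROKEN_TEMPLATE = """<form action="{{ path('login') }}" method="post">"""
FIXED_TEMPLATE = """<form action="{{ path('login_check') }}" method="post">"""

def check_path(security_yml):
    """Return the check_path the firewall's login listener watches (first match)."""
    m = re.search(r"^\s*check_path:\s*(\S+)", security_yml, re.M)
    return m.group(1) if m else None

def routes(routing_yml):
    """Map route name -> path; assumes the flat layout shown in the question."""
    return dict(re.findall(r"^(\w+):\s*\n\s+path:\s*(\S+)", routing_yml, re.M))

def form_targets(template, route_map):
    """Resolve every <form action="{{ path('name') }}"> to (route name, URL path)."""
    names = re.findall(r"""<form[^>]*action="\{\{\s*path\('([^']+)'\)""", template)
    return [(n, route_map.get(n)) for n in names]

def lint(security_yml, routing_yml, template):
    """Return one finding per form that posts somewhere other than check_path."""
    expected = check_path(security_yml)
    findings = []
    for name, url in form_targets(template, routes(routing_yml)):
        if url != expected:
            findings.append(
                f"form posts to route '{name}' ({url}); "
                f"the login listener only handles {expected}, so no LDAP bind occurs"
            )
    return findings

if __name__ == "__main__":
    for finding in lint(SECURITY_YML, ROUTING_YML, BROKEN_TEMPLATE):
        print(finding)
```
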