I'm writing my first Symfony app and and I need authenticate users over LDAP/AD, but I run out of documentation...
I found many solutions for use LdapClient, but it tagged as deprecated. So, i check for use the new one Ldap class as recommended, but I not found documentation for use it. The documentation of Ldap component for the current version (3.1) suggest to use LdapClient yet! It isn't updated yet?
I don't know how to do: must we create an adapter for add a Ldap service? If so, how to proceed?
Any help will be appreciated, thanks!
Check out this cookbook article for configuring LDAP authentication using the builtin Symfony component:
http://symfony.com/doc/current/cookbook/security/ldap.html
I also have a bundle I maintain that includes LDAP authentication that works well with AD called LdapToolsBundle. It has documentation on the main page for the app/config/config.yml entries needed to configure your domain for use in the bundle, and also some details on configuring authentication in app/config/security.yml here.
The bundle above provides a LDAP service called ldap_tools.ldap_manager that can be used to query/create/modify different types AD objects.
take a look at my Blog:
https://alvinbunk.wordpress.com/2016/03/25/symfony-ad-integration/
This requires FOSUserBundle and FR3DLdapBundle, but I think if you go through all that documentation you should be able to get LDAP/AD integration with Symfony3 working.
EDIT #2
Below is a second easier solution:
https://alvinbunk.wordpress.com/2017/09/07/symfony-ldap-component-ad-authentication/
Related
I'm using CKAN with Apache and an SSO system called Cosign. Cosign works as an authenticator in Apache and ends up setting REMOTE_USER before the python code fires up. What I'm trying to do is use LDAP user lookup based on that preset REMOTE_USER. Can I do that with the CKAN ldap plugin (http://extensions.ckan.org/extension/ldap/)? Any advice greatly appreciated - I'm a Python and CKAN novice.
The short answer is that ckanext-ldap doesn't do that. What it does is provide a custom login form (username and password) that authenticates the credentials via LDAP. It then creates a session for the corresponding CKAN user, creating a user account first if required. Having it do anything else would require customisation of the extension although there are a number of options documented in its readme that alter the behaviour in small ways.
Whether ckanext-ldap would be a suitable extension to build upon to achieve what you want depends on what you want to do, which isn't clear from your question.
I'd like to run functional tests on a section of my website which requires authentication. I found a solution for Symfony 2.x here. However, this does not work for Symfony3 as this line is now deprecated:
self::$kernel->getContainer()->get('security.context')->setToken($token);
My question is, how do I go around this and make it work with Symfony3? Thank you.
In Symfony 3, the SecurityContext was split into the TokenStorage and the AuthorizationChecker. Thus, you need to use the security.token_storage service:
self::$kernel->getContainer()->get('security.token_storage')->setToken($token);
However, a simpler approach would be to switch to HTTP Basic auth in your tests and configure the logged in user as described in http://symfony.com/doc/current/cookbook/testing/http_authentication.html.
we want to integrate CAS authentication into Sonar 3.7 LTS. We want to start working with the deprecated CAS plugin, which of course doesn't work. We already compared it with the LDAP plugin from here whose Authenticator interestingly implements the deprecated interface LoginPasswordAuthenticator. One of the main differences is that the CAS Authenticator plugin implements Authenticator. So we altered the CAS Plugin that it implements LoginPasswordAuthenticator instead.
Now comes the clue:
In both cases, the authenticator implementing Authenticator or LoginPasswordAuthenticator, the username passed to it is null. The authentication against the CAS server works like a charm, the plugin knows the username, but Sonar asks the plugin, if it knows the user with the name null. The effect is that when we click on login we get redirected to CAS, fill in the login form and get redirected back to Sonar, still not authenticated to Sonar itself.
We also considered using container authentication but are not sure if that works with Sonar.
Now the question(s):
Has someone got the CAS plugin working with Sonar 3.7? If yes, how and can you provide the sources/solution/plugin?
Is there another way besides the suggested ones above?
One additional note: We want to use Sonar in our existing Tomcat 7, so using Sonar 4 is a way we do not really want to go because the Sonar team decided to stop war support. If anything else fails though, using it is a pain-in-the-ass-but-acceptable solution.
Thanks for your help.
Try this fork: https://github.com/jerzykrlk/sonar-cas.
I restored the behaviour of the original plugin - it should work with Sonar 3.7. It is unofficial at the moment, and will require a manual build. But maybe it will become an official plugin at some point, again.
Thanks to #psqita we got the CAS plugin for Sonar up and running with Saml 1.1. Business requirements said that no anonymous access shall be allowed. Sadly, setting forceAuthentication to true sent us into an endless loop of painful redirecting between CAS and Sonar. So we figured out that Sonar alters its behavior drastically in a way that it ignores all authentication plugins.
Our solution: As of business requirement we could not allow anonymous access. So we implemented another Filter that redirects conditionally to CAS. Authentication and stuff is still done by the plugin. Sadly, we still do not know why there was this endless loop in the first place but now it doesn't happen anymore. Well that's IT I think...
Thank you for your support and happy holidays.
I'm trying to get omniauth-saml configured, but I'm not entirely sure what I need to put in app_id and app_secret for this configuration.
I'm using this gem: https://github.com/PracticallyGreen/omniauth-saml
If I leave those fields blank, of course I get:
Received wrong number of arguments. [nil, nil]
The documentation within the gitlab.yml file links to more documentation about gitlab and omniauth, but that document no longer exists (redirects to old README).
Any assistance would be appreciated, thanks!
https://github.com/gitlabhq/gitlab-public-wiki/wiki/Working-Custom-Omniauth-Provider-Configurations#working-cas-configuration
The working CAS configuration shows you how you skip using the standard configuration and just pass the options directly to the provider using devise.rb. That's how I would configure omniauth-saml as well.
I was able to get SAML working with Gitlab 6.2.4, but it is not the most elegant solution. I am using Okta as the IdP, but I believe the configuration is sufficiently generic and could be applied to any SAML IdP.
Added omniauth-saml to the Gemfile and ran bundle
bundle install --without development test postgres --path vendor/bundle --no-deployment
Created GITLAB/config/initializers/omniauth.rb
Devise.setup do |config|
config.omniauth :saml,
idp_cert_fingerprint: "your IdP certificate fingerprint",
idp_sso_target_url: "your IdP SAML end point"
end
Modified GITLAB/app/controllers/omniauth_callbacks_controller.rb (added this following the definition for ldap)
def saml
handle_omniauth
end
I had to manually add the callback for SAML as I was getting the same error as the original poster when I tried to properly define SAML as a provider in gitlab.yml. This is the only way I could get Gitlab to start and authenticate via SAML. This feels very hacky, so there is probably a more elegant way to implement this; however, I could not find an example anywhere.
https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations#working-saml-configuration
I managed to get it to work, so I documented the procedure on the GitLab wiki.
EDIT: It seems like SAML is now supported officially. No Single Logout yet, though… This seems to be an omniauth limitation.
Using a provided username, password, and domain name, how can I retrieve a boolean value indicating if a user has successfully authenticated with a primary domain controller? Authentication should be performed using the Kerberos protocol for windows domain controllers. Thanks in advance, Dan
There's a free implementation of a windows-only JAAS login module and of an SSO Negotiate (Kerberos/NTLM) authenticator: Waffle.
You need to either write your own or use third party Authentication Module for that. When I was doing this, there was nothing available from JDK, so I used this tool. Note that it's GPL, but you can learn from there. You will have to create conf. file describing your authentication module and feed it into your JVM with java.security.auth.login.config property (e.g. using -D, or either way). In case of Tagish it looks something like this:
NTLogin
{
com.tagish.auth.win32.NTSystemLogin required returnNames=true returnSIDs=false defaultDomain="domain";
};
Another thing you will need is to specify kerberos configuration file via java.security.krb5.conf property. I don't have the details of this file handy, but you can easily find it on the net -- google about for krb5.conf. Settings in this file will have to match your windows domain and other windows specific settings.
It's a bit tricky to configure, but for me it worked very well, pretty robust.