FR3DLdapBundle
ldap groups config example
There seems to be support to get the roles/groups from an AD. Could someone give a config.yml example?
Thanx!
Could you take a look at #87?
Related to #75: the modified `driver->search` call in the develop branch could prevent the roles lookup, because the needed "memberOf" is declared as an LDAP operational attribute and is not returned by a default search.
Here is an example for OpenLDAP:
Default search:

```
ldapsearch -LLL -x -b "ou=people,dc=test,dc=local"

dn: ou=people,dc=test,dc=local
objectClass: organizationalUnit
ou: people

dn: cn=Alexander Ko,ou=people,dc=test,dc=local
sn: Ko
givenName: Alexander
uid: ako
cn: Alexander Ko
sambaLMPassword: ****
sambaNTPassword: ****
sambaPwdLastSet: 1433795805
sambaBadPasswordCount: 0
sambaBadPasswordTime: 0
homeDirectory: /home/ako
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
gecos: Alexander Ko
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: gosaAccount
objectClass: posixAccount
objectClass: shadowAccount
objectClass: trustAccount
trustModel: fullaccess
```
Default search and operational attribute search:

```
ldapsearch -LLL -x -b "ou=people,dc=test,dc=local" "+" "*"

dn: ou=people,dc=test,dc=local
objectClass: organizationalUnit
ou: people
structuralObjectClass: organizationalUnit
entryUUID: c9aecf46-a268-1034-8d88-794a20f23102
creatorsName: cn=admin,dc=test,dc=local
createTimestamp: 20150608202920Z
entryCSN: 20150608202920.792928Z#000000#000#000000
modifiersName: cn=admin,dc=test,dc=local
modifyTimestamp: 20150608202920Z
entryDN: ou=people,dc=test,dc=local
subschemaSubentry: cn=Subschema
hasSubordinates: TRUE

dn: cn=Alexander Ko,ou=people,dc=test,dc=local
sn: Ko
givenName: Alexander
uid: akorinek
cn: Alexander Ko
structuralObjectClass: inetOrgPerson
entryUUID: cfab58dc-a269-1034-8d91-794a20f23102
creatorsName: cn=admin,dc=test,dc=local
createTimestamp: 20150608203640Z
sambaLMPassword: ****
sambaNTPassword: ****
sambaPwdLastSet: 1433795805
sambaBadPasswordCount: 0
sambaBadPasswordTime: 0
homeDirectory: /home/ako
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
gecos: Alexander Ko
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: gosaAccount
objectClass: posixAccount
objectClass: shadowAccount
objectClass: trustAccount
trustModel: fullaccess
entryCSN: 20150614183615.389884Z#000000#000#000000
modifyTimestamp: 20150614183615Z
memberOf: cn=DASHBOARD,ou=groups,dc=test,dc=local
modifiersName: cn=admin,dc=test,dc=local
entryDN: cn=Alexander Ko,ou=people,dc=test,dc=local
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
```
To fix this, in my opinion there are two options:

- Modify the search call at LdapManager:40 permanently to

  ```php
  $entries = $this->driver->search($this->params['baseDn'], $filter, array('+', '*'));
  ```

- Define a config variable which adds the operational search wildcard "+" to the search when it is defined/needed by the user.
Pretty old topic, but for the next one looking for a solution, it's fairly simple.
```php
<?php

namespace App\Ldap;

use FR3D\LdapBundle\Driver\ZendLdapDriver;

/** Always request operational ("+") and regular ("*") attributes so memberOf is returned. */
class LdapDriver extends ZendLdapDriver
{
    public function search(string $baseDn, string $filter, array $attributes = [])
    {
        // Merge "+" and "*" with whatever the caller asked for, without duplicates.
        $attributes = array_unique(array_merge($attributes, ['+', '*']));

        return parent::search($baseDn, $filter, $attributes);
    }
}
```
Then use this new driver via the configuration:

```yaml
fr3d_ldap:
    service:
        ldap_driver: App\Ldap\LdapDriver
```
Having a config switch as @Noles suggested would be even nicer indeed.
The LDAP search result (e.g. `memberof`) can now be used either in your own hydrator or via the `fr3d_ldap.user.attributes` mapping as suggested for example here.
Having that in the documentation would have saved me hours ;-)
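As an added example (not code from the bundle or from anyone in this thread), a helper that a custom hydrator could call to turn the `memberOf` values made visible by the "+" search into Symfony roles. The groups base DN `ou=groups,dc=test,dc=local`, the `ROLE_` naming convention, and the function names are assumptions; only groups directly under the configured base are accepted, so an unrelated DN never becomes a role.

```php
<?php
// Added example, not part of FR3DLdapBundle. The groups base, the ROLE_
// prefix and the function names are assumptions for this illustration.

/**
 * Split a DN into its RDN strings, honouring backslash-escaped commas
 * (RFC 4514): "cn=Ops\, Team,ou=groups,dc=test,dc=local" gives 4 parts.
 */
function splitDn(string $dn): array
{
    $parts = preg_split('/(?<!\\\\),/', $dn);

    return array_map('trim', $parts);
}

/**
 * Map memberOf DNs to roles, accepting only groups whose parent DN equals
 * $groupsBase, and restricting role names to a safe character set.
 */
function rolesFromMemberOf(array $entry, string $groupsBase): array
{
    // Zend\Ldap normally lowercases attribute names; accept the raw spelling too.
    $values = $entry['memberof'] ?? $entry['memberOf'] ?? [];
    $roles  = [];

    foreach ((array) $values as $dn) {
        $rdns  = splitDn($dn);
        $first = array_shift($rdns);

        // Everything after the first RDN must be the configured groups base.
        if (strcasecmp(implode(',', $rdns), $groupsBase) !== 0) {
            continue;
        }
        if (!preg_match('/^cn=(.+)$/i', $first, $m)) {
            continue;
        }

        // Unescape "\," and collapse anything outside [A-Za-z0-9] to "_".
        $cn      = str_replace('\\,', ',', $m[1]);
        $name    = strtoupper(preg_replace('/[^A-Za-z0-9]+/', '_', $cn));
        $roles[] = 'ROLE_' . trim($name, '_');
    }

    return array_values(array_unique($roles));
}

// Constructed entry mirroring the ldapsearch output above, plus one group
// outside the groups base that must be ignored.
$entry = [
    'uid'      => ['ako'],
    'memberof' => ['cn=DASHBOARD,ou=groups,dc=test,dc=local', 'cn=Admins,ou=other,dc=test,dc=local'],
];
print_r(rolesFromMemberOf($entry, 'ou=groups,dc=test,dc=local'));
```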