Develop Reference

Symfony 6: Check DB Entity when LDAP login fails or succeeds

I'm banging my head on the keyboard for a while now trying to solve something that should be simple but for some reason it has not been.
Here is the scenario. A user will use a form on my website to login (username/pwd). And the following workflow should work:
Try to authenticate the user on the LDAP server:
1.1. If it passes:
1.1.1. Check if there is an user with the same username on our database;
1.1.1.1. If it has, load some data and log in the user;
1.1.1.2. If it has not, throws a failed login.
1.2. If it fails:
1.2.1. Check if there is an user with the same username on our database;
1.2.1.1. If it exists
1.2.1.1.1 Check if the pwd match the save one, if it matches, log the user
1.2.1.2. If it has not, throws a failed login.
So basically, I'm trying to authenticate the user on the LDAP server, and if that fails, I want to try to authenticate locally.
I tried configuring multiple User Providers, using a chain provider, but it does not work. If the first UserProvider fails, it never hits the second one.
# config/security.yaml
security:
providers:
# base local provider
app_user_provider:
entity:
class: App\Entity\User\User
property: username
# LDAP provider
my_ldap:
ldap:
service: Symfony\Component\Ldap\Ldap
base_dn: '%env(resolve:LDAP_BASEDN)%'
search_dn: '%env(resolve:LDAP_SEARCHDN)%'
search_password: '%env(resolve:LDAP_SEARCHPWD)%'
default_roles: ROLE_USER
extra_fields: '%env(resolve:LDAP_EXTRAFIELDS)%'
uid_key: uid
filter: null
# chain
all_users:
chain:
providers: ['my_ldap', 'app_user_provider']
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
lazy: true
provider: all_users
form_login_ldap:
enable_csrf: true
default_target_path: app_homepage
login_path: app_login
check_path: app_login
service: Symfony\Component\Ldap\Ldap
username_parameter: username
password_parameter: password
dn_string: '%env(resolve:LDAP_BASEDN)%'
query_string: '%env(resolve:LDAP_QUERYSTR)%'
search_dn: '%env(resolve:LDAP_SEARCHDN)%'
search_password: '%env(resolve:LDAP_SEARCHPWD)%'
What am I missing? I found a couple of answers here (like Symfony 5: ldap authentication with custom user entity) but it uses the old Authenticator Guard that does not exists.

LDAP and Symfony : Could not complete search with dn

I try to pass my application to Symfony. I have a problem with authentication.
With PHP, I used this code to check connection to active directory
$ldap_host = "%MY AD HOST%";
$ldap_dn = cn=srv_ldap,ou=Service,ou=Applicatifs,ou=Utilisateurs,ou=DomaineInterne,dc=mydomain,dc=pri";
$ldap_usr_dom = '#mydomain.pri';
$ldap = ldap_connect($ldap_host);
ldap_set_option($ldap,LDAP_OPT_PROTOCOL_VERSION,3);
ldap_set_option($ldap,LDAP_OPT_REFERRALS,1);
// verify user and password
if($bind = #ldap_bind($ldap, $user.$ldap_usr_dom, $password)) {
With Symfony, I used the Symfony Component Ldap :
config\services.yaml
[...]
Symfony\Component\Ldap\Ldap:
arguments: ['#Symfony\Component\Ldap\Adapter\ExtLdap\Adapter']
Symfony\Component\Ldap\Adapter\ExtLdap\Adapter:
arguments:
- host: %MY AD HOST%
port: 389
#encryption: tls
options:
protocol_version: 3
referrals: false
config\packages\security.yaml
...
[...]
providers:
ad_ldap:
ldap:
service: Symfony\Component\Ldap\Ldap
base_dn: cn=srv_ldap,ou=Service,ou=Applicatifs,ou=Utilisateurs,ou=DomaineInterne,dc=mydomain,dc=pri
default_roles: ROLE_USER
uid_key: sAMAccountName
firewalls:
main:
pattern: ^/
anonymous: true
lazy: true
form_login_ldap:
provider: ad_ldap
service: Symfony\Component\Ldap\Ldap
dn_string: 'sAMAccountName={username}#mydomain.pri'
check_path: security_login
login_path: security_login
csrf_token_generator: security.csrf.token_manager
default_target_path: blog_index
I have an error LdapException with the message :
Could not complete search with dn "cn=srv_ldap,ou=Service,ou=Applicatifs,ou=Utilisateurs,ou=DomaineInterne,dc=mydomain,dc=pri", query "(sAMAccountName=jane_admin)" and filters "*". LDAP error was [1] Operations error.
I try to replace "dn_string: 'sAMAccountName={username}#mydomain.pri'" with different things, but I still have this message...

Symfony- Authenticating against LDAPserver

I am trying to authenticate my users against an LDAP servr.
security:
providers:
my_ldap:
ldap:
service: Symfony\Component\Ldap\Ldap
base_dn: 'DC=maxcrc,DC=com'
search_dn: 'CN=manager,DC=maxcrc,DC=com'
search_password: 'secret'
default_roles: ROLE_USER
...
firewalls:
# disables authentication for assets and the profiler, adapt it according to your needs
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
anonymous: ~
form_login_ldap:
#http_basic_ldap:
login_path: login
check_path: login
service: Symfony\Component\Ldap\Ldap
dn_string: 'maxcrc\{username}'
my services.yml:
...
Symfony\Component\Ldap\Ldap:
arguments: ['#Symfony\Component\Ldap\Adapter\ExtLdap\Adapter']
Symfony\Component\Ldap\Adapter\ExtLdap\Adapter:
arguments:
- host: localhost
port: 389
#encryption: tls
options:
protocol_version: 3
referrals: false`
It seems to perfectly follow symfony intructions.. I can bind to my server,, however I get invalid credentials error whenever I submit my form!!
Please assist accordingly!!

You are missing the uid_key in your ldap definition:
security:
providers:
my_ldap:
ldap:
service: Symfony\Component\Ldap\Ldap
base_dn: 'DC=maxcrc,DC=com'
search_dn: 'CN=manager,DC=maxcrc,DC=com'
search_password: 'secret'
default_roles: ROLE_USER
uid_key: 'samaccountname'
Apart from that, I have these settings:
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
anonymous: ~
form_login_ldap:
service: Symfony\Component\Ldap\Ldap
login_path: login
check_path: login
dn_string: '%env(ADLDAP_BASEDN)%'
query_string: '(samaccountname={username})'
logout:
path: /logout
target: login
Relevant would be the dn_string and the query_string. Not sure if all that is nessecary, this is my first time using symfony.
ADLDAP_BASEDN is defined in my .env file as:
ADLDAP_BASEDN=DC=blah,DC=example,DC=com
edit
Sorry, I misread your question, somehow I thought you authenticate against an Active Directory. With openldap the uid key should be uid, which is most probably the default. But your dn_string looks wrong to me, and maybe query_string is needed as well. I'll edit the answer accordingly tomorrow when I'm not on my phone.

Symfony 4 + API Plantform +LexikJWTAuthenticationBundle Bad Credential

Good afternoon. Please i'm using LexikJWTAuthenticationBundle in a symfony 4 api project. I'm using UserProvider for Doctrine.
After Configure Doctrine User Provider, I've install and configure LexikJWTAuthenticationBundle. But when i tried to athentificate using Postman on the url http://localhost:8000/api/login_check whith this JSON {"username":"ak",
"password":"ak"} I've this error: {
"code": 401,
"message": "Bad credentials"
}.
See below my Security.yaml config file. I've read forums to tried to solve this issue but i've not yet found the solution. Can you please help me?
security:
encoders:
App\Entity\Utilisateur:
algorithm: bcrypt
providers:
#in_memory: { memory: ~ }
our_db_provider:
entity:
class: App\Entity\Utilisateur
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
login:
pattern: ^/api/login
stateless: true
anonymous: true
json_login:
check_path: /api/login_check
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
api:
pattern: ^/api
stateless: true
guard:
authenticators:
- lexik_jwt_authentication.jwt_token_authenticator
main:
pattern: ^/
user_checker: App\Security\UtilisateurChecker
anonymous: true
provider: our_db_provider
access_control:
- { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api, roles: IS_AUTHENTICATED_FULLY }

Have you missed a piece of configuration during installation? I dont see the lexik one:
lexik_jwt_authentication:
secret_key: '%kernel.project_dir%/config/jwt/private.pem' # required for token creation
public_key: '%kernel.project_dir%/config/jwt/public.pem' # required for token verification
pass_phrase: 'your_secret_passphrase' # required for token creation, usage of an environment variable is recommended
token_ttl: 3600

Good morning All. I've found the solution of my problem. In fact, i was typing a bad User Password.
To solve this article, i've used this article https://numa-bord.com/miniblog/symfony-4-les-base-dune-gestion-des-utilisateurs-inscription-connexion-droits-dacces/
I've created au database user by using create user command implemented in the article.
After i have been connected with this previous created user sucessfully. ApiPlatform generate a web tocken for me.
Thank you very much

Symfony4 Two authentification methods in security

I want two authentications methods in my application.
One for the entity User, and other (admin) with a plaintext.
Very simple.
Thus, when I configure security.yaml, I specify the providers:
security:
providers:
user:
entity:
class: App\Entity\User
property: username
in_memory:
memory:
users:
admin:
password: admin
roles: 'ROLE_ADMIN'
encoders:
App\Entity\User: bcrypt
Symfony\Component\Security\Core\User\User: plaintext
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
admin:
provider: in_memory
pattern: ^/admin/
guard:
provider: in_memory
form_login:
login_path: admin_login
check_path: admin_login
logout:
path: /admin/logout
target: /
default:
provider: user
anonymous: ~
guard:
provider: user
form_login:
login_path: login
check_path: login
default_target_path: login_redirect
use_referer: true
logout:
path: /logout
target: /
access_control:
- { path: ^/admin/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin, roles: ROLE_ADMIN }
- { path: ^/dashboard, roles: ROLE_USER }
And return the error:
In GuardAuthenticationFactory.php line 121:
Because you have multiple guard configurators, you need to set the "guard.e
ntry_point" key to one of your configurators ()
Then, if I have to set the guard.entry_point, I need do something like this:
admin:
entry_point: app.form_admin_authenticator
main:
entry_point: app.form_user_authenticator
And therefore, if I undestard, I need to configure a Authentication Listener like this: https://symfony.com/doc/current/components/security/authentication.html
(btw, this particular help page is very ambiguous and incomplete)
Is it necessary? It seems too complex for my purpose

I ran into this particular error. My situation might be a little different, but I had a similar need to authenticate using different authentication strategies depending on the entry point to the application.
One thing your config doesn't include is a reference to any Guard Authenticator objects. See this documentation for an intro to what role those objects play, and how to define them. Symfony's Security package is pretty complicated, and I found that using Guard Authenticators made the process a lot simpler for my use case.
Here is an example of a security.yaml config referencing two different authenticators. The entry_point configuration tells Symfony which one to try first, because in my particular case, Symfony otherwise wouldn't know which authentication strategy to apply first to an incoming request.
security:
providers:
user:
id: App\My\UserProviderClass
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
anonymous: ~
logout:
path: app_logout
guard:
entry_point: App\My\MainAuthenticator
authenticators:
- App\My\MainAuthenticator
- App\My\OtherAuthenticator
Custom Guard Authenticators contain a method called supports. This method takes the incoming request as its only argument, and returns true or false based on whether the given authenticator should be applied to the incoming request. A common practice might be to check the request's Symfony route name (as defined by the controller) or perhaps something like the full URI for the request. For example:
/**
* Does the authenticator support the given Request?
*
* If this returns false, the authenticator will be skipped.
*
* #param Request $request
*
* #return bool
*/
public function supports(Request $request): bool
{
$matchesMyRoute = 'some_route_name' ===
$request->attributes->get('_route');
$matchesMyUri = '/path/to/secured/resource' ===
$request->getUri();
return $matchesMyRoute || $matchesMyUri;
}
You can imagine that if multiple Guard Authenticators exist in the same application, it's likely the case that one would only want them to apply to a request of a certain type, whether the differentiation is based on the kind of auth applied (eg. a header with an API key vs. a stateful session cookie), whether the difference is more about the specific route being hit, or perhaps a combination of factors.
In this case, telling Symfony which Guard Authenticator to try first may be important for your security strategy, or may have performance ramifications. For example, if you had two authenticators, and one had to hit the database to verify a stateful session, but another could verify the request's authentication statelessly, eg. by verifying a JWT's signature, you'd probably want to make the JWT authenticator run first, because it might not need to make a round trip to the database to authenticate the request.
See this article for a deeper explanation: https://symfonycasts.com/screencast/symfony-security/entry-point