So I have a Symfony 4 app which should allow login via LDAP and, based on your groups, modify some of the values in this LDAP directory.
The login itself, and the mapping from LDAP groups to ROLE_, works perfectly.
The idea was that only the currently logged-in user does a modification, not a hidden directory admin.
For this I would need to $ldap->bind() with the user credentials each time a logged-in user wants to modify the directory.
But for this I would need the password. The only way I could think of would be to save the password in the session - but from a security standpoint this would be a very, very bad idea.
Is there any other way? Like storing the already bound connection somehow?
As far as I see in the Symfony security component, the UserProvider only refreshes the user from the session - without calling LDAP again.
The LdapBindAuthenticationProvider only uses the ->bind() call with the given credentials and catches an exception if the password doesn't match.
But the connection itself is a simple fire & forget.
Related
I am trying to use the following:
1) form_login_ldap just for user authentication
2) A custom UserProvider for retrieving user roles from a MySQL database
Everything seems to work fine: I am able to login, the roles are used etc.
As soon as I change the roles in the database, isEqualTo() kicks in - the user is redirected to the login page. There the browser hangs in an endless loop. After using tcpdump I realized that form_login_ldap is trying to authenticate the user without a password.
I think I am generally missing the point of how the password will be handled in this scenario. My UserProvider can't retrieve an (encrypted) password as it is querying MySQL and the user is authenticated using LDAP.
If the "refreshUser" function of my UserProvider returns a new user object with the new roles, the password seems to be lost.
If within the UserProvider I just modify the array of roles for the user, the web application does not recognize that and the old roles apply (I guess the session must be updated?).
How are form_login_ldap and my UserProvider supposed to interact? How do I make sure that upon "refreshUser" the password is still available?
What am I missing for my general picture?
I'm trying to avoid two or more logins with the same user at a time using FOSUserBundle in Symfony 2.4. I don't know how to access info related to authenticated users, or how to log out the user who recently logged in if they were previously authenticated.
What am I missing?
[edit]
Reading your question again I am not sure what you want. The answer I wrote below keeps the latest login alive and logs the older logins off.
[/edit]
a user that is logged in has
a) started a session on the web server
b) identified himself by entering a correct username and password combination.
Knowing that, we also know that a logged-in user has a variable stored in the session (probably user_id).
Now if you want to log out other sessions (with the same user_id) when a user logs in in another session, you do have a problem, since sessions are not made to share information with other sessions.
The solution could be to add a column in your database 'users' table that can hold a random hash. Then if a user logs in you need to save a new hash in the database and also you need to save the hash into the session.
Secondly, you have to compare the session hash with the database hash for every new request. If the two are different and the user is still logged in, then you have to log the user out.
I think you can make this work with the following event listeners (but I never tried to accomplish this):
security.interactive_login
kernel.request
I have successfully set up the FOSUserBundle and the FR3D LDAP bundle to allow my company users to login to the web app with their own login.
From now on, if someone logs in, they will have the default role, which is ROLE_USER.
However, I only want a specific role to be allowed (in this case it's ROLE_CONSULT, which I created).
What I am doing to allow users at this moment is:
Ask the user to login to the web app
They get the "You have no right to access this web page"
They tell me they connected
I change the user's role to "ROLE_CONSULT" with a form I created within the admin panel.
What I want to do is:
I select the user from the LDAP list
Change the user role (which is not on the database yet, but will be as soon as I change the role)
The user logs in successfully
I already developed points 1 and 2, but as the "salt" is empty in the database, it doesn't allow the user to connect, as it must believe the password isn't correct.
Any idea how I can make it work by telling Symfony2 it is the first login, so it will automatically ONLY check the entered password against my LDAP configuration?
Thanks.
Alright, that was easy.
I just forgot to put the "DN" to the database.
Now it's working.
I'm wondering how to programmatically log a user out, using Forms based authentication.
Online users:
ADMIN
User1
User2
User3
If I'm the admin, how can I boot User2 out of the system? FormsAuthentication.Signout() would sign out/delete the cookie from the current user (Admin), which would be quite pointless.
Otherwise, I could put a flag in the database - on the next visit, an action filter would force them to the sign out page and make them log out. But that seems like a hack.
Current built-in functionality doesn't allow you to sign out a non-current user, so you can go with your option with a flag in the database. Or, as another possible way, store this flag for the user in some global storage like HttpContext.Current.Cache and then check it on each user request. But in that case, if you are using Remember Me functionality this might not work, as this storage will be flushed with an application restart.
In my application I can change user permissions and roles in backend.
When a user is logged in and I remove a role of the user, the user can still access content which he is actually not permitted to access anymore, because he is missing the role. The changes take effect only when the user reauthenticates himself with logout/login.
So my question is, can I access the session of a logged-in user (not me)? I know I can access my own session and destroy it, which forces me to log in again. But I want to get the session of any user who is logged in. Is this possible? I could not find any resources about that.
I use PdoSessionStorage with Symfony 2.1 and FOSUserBundle.
Make your user class implement Symfony\Component\Security\Core\User\EquatableInterface.
If you return false from the isEqualTo() method, the user will be reauthenticated. Use that method to compare only those properties that when changed should force reauthentication — roles in your case.
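An added example of what this answer describes (not code from the answer itself): a user class, named LdapUser here as an assumption, whose isEqualTo() only compares the identifier and the set of roles, so a role change in the database forces re-authentication while unrelated fields do not. It assumes the Symfony 6 UserInterface and a user with no stored password, as with LDAP authentication.

```php
<?php
// Added example, not code from the original answer: a user class whose
// isEqualTo() compares only the properties that should force re-authentication.
// Assumes the Symfony 6 UserInterface (getUserIdentifier(), no stored password,
// as for a user authenticated against LDAP). The class name is hypothetical.
namespace App\Security;

use Symfony\Component\Security\Core\User\EquatableInterface;
use Symfony\Component\Security\Core\User\UserInterface;

final class LdapUser implements UserInterface, EquatableInterface
{
    /** @param string[] $roles roles loaded from the database */
    public function __construct(private string $username, private array $roles) {}

    public function getUserIdentifier(): string { return $this->username; }

    public function getRoles(): array
    {
        // ROLE_USER is always present, so an empty role list cannot occur
        return array_values(array_unique([...$this->roles, 'ROLE_USER']));
    }

    public function eraseCredentials(): void {}

    /**
     * Called by the firewall on every request with the user freshly returned by
     * the provider's refreshUser(). Returning false throws the session user away
     * and forces a new login.
     */
    public function isEqualTo(UserInterface $user): bool
    {
        if (!$user instanceof self || $user->getUserIdentifier() !== $this->username) {
            return false;
        }
        // Compare roles as sets: order must not matter, otherwise a provider that
        // returns the same roles in a different order would log everyone out.
        $mine = $this->getRoles(); sort($mine);
        $theirs = $user->getRoles(); sort($theirs);
        return $mine === $theirs;
    }
}
```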
You can get around this issue by following an approach similar to what I did:
When user logs in, store all permissions in session along with a checksum of those permissions.
Store the same checksum in a database, or on disk, against that user ID
Whenever the user makes a request, verify that the checksum on disk matches the one in session for that user. If it is different, reload the permissions into the user's session
When you change the permissions, update the checksum in the database (or on disk) that is stored against that user. This will trigger a resync on their next request.
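Both the random-hash answer to the single-session question above and this checksum answer come down to the same check: a value stored per user in the database is copied into the session at login and compared on every request. The added example below (not code from either answer) implements that check once as a Symfony event subscriber; a new login overwrites the stamp so older sessions of that user are logged out, and the backend replaces the stamp when it changes permissions so the stale roles are dropped on the next request. SessionStampRepository and the class name are assumptions; Symfony 5.3+ API (getUserIdentifier()) is assumed.

```php
<?php
// Added example (not from either answer): one kernel.request check serving both the
// "latest login wins" hash and the permission-change checksum. A per-user random stamp
// lives in the database (assumed SessionStampRepository with get()/set()) and is copied
// into the session at login. A new login overwrites it, and the backend should call
// $stamps->set($userId, bin2hex(random_bytes(16))) when it changes permissions.
namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Security;
use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
use Symfony\Component\Security\Http\SecurityEvents;

final class SessionStampSubscriber implements EventSubscriberInterface
{
    public function __construct(private Security $security, private SessionStampRepository $stamps) {}

    public static function getSubscribedEvents(): array
    {
        return [
            SecurityEvents::INTERACTIVE_LOGIN => 'onLogin',
            // the firewall listens at priority 8, so at 7 the user is already authenticated
            KernelEvents::REQUEST => ['onRequest', 7],
        ];
    }

    public function onLogin(InteractiveLoginEvent $event): void
    {
        $userId = $event->getAuthenticationToken()->getUser()->getUserIdentifier();
        $stamp = bin2hex(random_bytes(16)); // unguessable, unique per login
        $this->stamps->set($userId, $stamp); // replaces the stamp of any earlier login
        $event->getRequest()->getSession()->set('session_stamp', $stamp);
    }

    public function onRequest(RequestEvent $event): void
    {
        if (!$event->isMainRequest() || null === ($user = $this->security->getUser())) {
            return;
        }
        $session = $event->getRequest()->getSession();
        $expected = $this->stamps->get($user->getUserIdentifier()) ?? '';
        if (!hash_equals($expected, (string) $session->get('session_stamp'))) {
            $session->invalidate(); // newer login or changed permissions: force a fresh login
            $event->setResponse(new RedirectResponse('/login'));
        }
    }
}
```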