Merge pull request #4 from mapbender/feature/upgrade-to-mapbender4

Refactored LdapBundle to work with Mapbender v4.0

Author: Phocacius

CHANGELOG.md

@@ -1,3 +1,6 @@
+## v2.0.0
+* Refactored LdapBundle to work with Mapbender v4.0
+
 ## v1.1.4
 * Add toString() function for LdapUser: Fixes storage of LDAP username in database
 

Component/LdapClient.php

@@ -7,9 +7,6 @@
 use Symfony\Component\DependencyInjection\Loader\YamlFileLoader;
 use Symfony\Component\HttpKernel\Bundle\Bundle;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
-use Mapbender\LDAPBundle\DependencyInjection\Factory\MapbenderLDAPLoginFactory;
-
-
 
 class MapbenderLDAPBundle extends Bundle
 {
@@ -20,13 +17,5 @@ public function build(ContainerBuilder $container)
         $loader = new YamlFileLoader($container, $configLocator);
         $loader->load('services.yml');
         $container->addResource(new FileResource($configLocator->locate('services.yml')));
-
-        $extension = $container->getExtension('security');
-        $extension->addSecurityListenerFactory(new MapbenderLDAPLoginFactory());
-    }
-
-    public function getContainerExtension()
-    {
-        return null;
     }
 }

DependencyInjection/Factory/MapbenderLDAPLoginFactory.php

@@ -9,6 +9,99 @@ Install Mapbender LDAP via Composer:
 ```sh
 composer require mapbender/ldapbundle
 ```
+Register the bundle in bundles.php:
+
+```php
+Mapbender\LDAPBundle\MapbenderLDAPBundle::class => ['all' => true],
+```
+
+Enable the LDAP extension for php.
+
+### 2. Configuration
+
+In the `security.yml` add the ldap- and chain-provider, some firewall configuration and a password hasher for the LdapUser:
+
+```yml
+...
+
+providers:
+  main:
+    entity:
+      class: FOM\UserBundle\Entity\User
+      property: username
+  ldap_provider:
+    id: 'mapbender.ldap.user_provider'
+  all_users:
+    chain:
+      providers: ['main', 'ldap_provider']
+...
+
+firewalls:
+
+  ...
+
+  secured_area:
+    pattern: ^/
+    entry_point: form_login
+    provider: all_users
+    custom_authenticators:
+      - 'mapbender.ldap.authenticator'
+    form_login:
+      check_path: /user/login/check
+      login_path: /user/login
+      enable_csrf: true
+    form_login_ldap:
+      check_path: /user/login/check
+      login_path: /user/login
+      enable_csrf: true
+    logout:
+      path: /user/logout
+      target: /
+
+...
+
+password_hashers:
+  FOM\UserBundle\Entity\User: sha512
+  Mapbender\LDAPBundle\Security\LdapUser: auto
+
+...
+```
+
+Add your LDAP server settings at the bottom of the `parameters.yml`:
+
+```yml
+ldap.host: ldap.example.com
+ldap.port: 389
+ldap.version: 3
+ldap.encryption: none # <ssl|tls|none>
+ldap.bind.dn: [email protected]
+ldap.bind.pwd: passwort
+
+ldap.user.baseDn: cn=users,dc=example,dc=com
+ldap.user.query: (&(sAMAccountName={username})(objectClass=user))
+ldap.user.adminQuery: (objectClass=user)
+ldap.user.id: sAMAccountName
+ldap.user.commonName: cn
+ldap.user.groupKey: memberOf
+
+ldap.group.baseDn: ou=groups,dc=example,dc=com
+ldap.group.query: (&(distinguishedName={groupname})(objectClass=group))
+ldap.group.adminQuery: (objectClass=group)
+ldap.group.id: sAMAccountName
+ldap.group.commonName: cn
+ldap.group.defaultRoles: [ROLE_USER] # this should be ROLE_USER in most cases
+```
+
+---
+### Follow these instructions if you use Mapbender v3.3.5 or older:
+
+### 1. Installation
+
+Install Mapbender LDAP via Composer:
+
+```sh
+composer require mapbender/ldapbundle:v1.1.4
+```
 Register the bundle in AppKernel.php:
 
 ```php

Exceptions/MissconfiguredLDAPClientException.php

@@ -1,57 +1,66 @@
-parameters:
-    # Alias to values Mapbender ACL assignment machinery evaluates
-    ## for fom.ldap_user_identities_provider
-    ldap_user_base_dn: '%ldap.user.baseDN%'
-    ldap_user_name_attribute: '%ldap.user.nameAttribute%'
-    ldap_user_filter: '%ldap.user.adminFilter%'
-    ## for fom.ldap_client
-    ldap_host: '%ldap.host%'
-    ldap_port: '%ldap.port%'
-    ldap_version: '%ldap.version%'
-    ldap_bind_dn: '%ldap.bind.dn%'
-    ldap_bind_pwd: '%ldap.bind.pwd%'
+services:
+    Symfony\Component\Ldap\Ldap:
+        arguments: ['@Symfony\Component\Ldap\Adapter\ExtLdap\Adapter']
+        tags:
+            - ldap
 
-# Fix bad parameter case baseDN (expected) vs baseDn (from bad example config in README.md)
-# parameter names are now case sensitive
-    ldap.user.baseDN: '%ldap.user.baseDn%'
-    ldap.group.baseDN: '%ldap.group.baseDn%'
-    ldap.group.id: cn
-    ldap.group.role_prefix: ROLE_GROUP_
+    Symfony\Component\Ldap\Adapter\ExtLdap\Adapter:
+        arguments:
+            - host: '%ldap.host%'
+            - port: '%ldap.port%'
+            - encryption: '%ldap.encryption'
+            - options:
+                  protocol_version: '%ldap.version'
+                  referrals: false
 
-services:
-    ldapClient:
-        class: Mapbender\LDAPBundle\Component\LdapClient
+    mapbender.ldap.client:
+        class: Mapbender\LDAPBundle\Security\LdapClient
         arguments:
-        - '%ldap.host%' #Address to LDAPServer
-        - '%ldap.port%' #Port where LDAPServer is listening
-        - '%ldap.version%' #LDAP Protocol version
-        - '%ldap.useSSL%'           # SSL #Use SSL
-        - '%ldap.useTLS%'      # TLS 'Use TLS
+        - '%ldap.host%'
+        - '%ldap.port%'
+        - '%ldap.version%'
+        - '%ldap.encryption%'
         - '%ldap.bind.dn%'
         - '%ldap.bind.pwd%'
-    LDAPUserProvider:
-        class: Mapbender\LDAPBundle\Security\Provider\LDAPUserProvider
+
+    mapbender.ldap.user_provider:
+        class: Mapbender\LDAPBundle\Security\LdapUserProvider
         arguments:
-        - '@ldapClient'
-        - '@mbldap.group_identities_provider'
-        - '%ldap.user.baseDN%'
+        - '@mapbender.ldap.client'
+        - '%ldap.user.baseDn%'
         - '%ldap.user.query%'
-        - [ROLE_USER]
-    mbldap.group_identities_provider:
-        class: Mapbender\LDAPBundle\Security\Provider\LDAPGroupProvider
-        arguments:
-        - '@fom.ldap_client'
-        - '%ldap.group.baseDN%'
-        - '%ldap.group.id%'
-        - '%ldap.group.adminFilter%'
+        - '%ldap.user.groupKey%'
+        - '%ldap.group.baseDn%'
         - '%ldap.group.query%'
-        - '%ldap.group.role_prefix%'
-    fom.ldap_client:
-        alias: ldapClient
-    fom.identities.provider:
-        class: Mapbender\LDAPBundle\Security\Provider\LDAPIdentitiesProvider
+        - '%ldap.group.id%'
+        - '%ldap.group.defaultRoles%'
+
+    mapbender.ldap.authenticator:
+        class: Mapbender\LDAPBundle\Security\MapbenderLdapAuthenticator
+        arguments:
+            - '@security.authenticator.form_login.secured_area'
+            - '@mapbender.ldap.client'
+            - '%ldap.user.baseDn%'
+            - '%ldap.user.query%'
+
+    ldap.security.subject_domain.user:
+        class: Mapbender\LDAPBundle\Security\Permission\SubjectDomainLdapUser
+        tags:
+            - fom.security.subject_domain
+        arguments:
+            - '@mapbender.ldap.client'
+            - '%ldap.user.baseDn%'
+            - '%ldap.user.adminQuery%'
+            - '%ldap.user.id%'
+            - '%ldap.user.commonName%'
+
+    ldap.security.subject_domain.group:
+        class: Mapbender\LDAPBundle\Security\Permission\SubjectDomainLdapGroup
+        tags:
+            - fom.security.subject_domain
         arguments:
-            - '@doctrine'
-            - '@fom.ldap_user_identities_provider'
-            - '@mbldap.group_identities_provider'
-            - '%fom.user_entity%'
+            - '@mapbender.ldap.client'
+            - '%ldap.group.baseDn%'
+            - '%ldap.group.adminQuery%'
+            - '%ldap.group.id%'
+            - '%ldap.group.commonName%'