{"id":529,"date":"2015-08-13T18:52:13","date_gmt":"2015-08-13T17:52:13","guid":{"rendered":"http:\/\/louis.hatier.me\/blog\/?p=529"},"modified":"2018-08-31T14:46:24","modified_gmt":"2018-08-31T13:46:24","slug":"symfony2-gerer-lidentification-utilisateur-ldap","status":"publish","type":"post","link":"https:\/\/louis.hatier.me\/blog\/symfony2-gerer-lidentification-utilisateur-ldap\/","title":{"rendered":"Symfony2 : g\u00e9rer l’identification utilisateur LDAP"},"content":{"rendered":"

\"Logo<\/a>Il est possible avec Symfony2 d\u2019authentifier l\u2019utilisateur LDAP.
\nPour cela il faut cr\u00e9er une premi\u00e8re classe UserProvider<\/code> qui sera le fournisseur d\u2019utilisateur, et une seconde classe User<\/code> qui sera notre utilisateur.
\nCette article d\u00e9taill\u00e9 en explique le fonctionnement : http:\/\/symfony.com\/fr\/doc\/current\/cookbook\/security\/custom_provider.html<\/a><\/p>\n

<\/p>\n

Tout d\u2019abord, on va renseigner dans le fichier app\/config\/security.yml<\/code> la fa\u00e7on dont on va authentifi\u00e9 l\u2019utilisateur.<\/p>\n

security:\r\n    providers:\r\n        ldap:\r\n            id: user_provider\r\n\r\n    firewalls:\r\n        secured_area:\r\n            pattern: ^\/\r\n            remote_user:\r\n                provider: ldap\r\n<\/code><\/pre>\n
On va retrouver la clef \u00ab\u00a0user_provider\u00a0\u00bb dans notre fichier de d\u00e9claration des services app\/config\/services.yml<\/code><\/p>\n
services:\r\n    ad:\r\n        class: AppBundleUtilsAd\r\n        arguments: [\"%ad_host%\", \"%ad_user%\", \"%ad_password%\"]\r\n    user_provider:\r\n        class: AppBundleSecurityUserProvider\r\n        calls:\r\n            - [setAd, [\"@ad\"]]\r\n<\/code><\/pre>\n
Le service \u00ab\u00a0ad\u00a0\u00bb est une classe qui me permet d\u2019aller chercher les informations utilisateur dans l\u2019Active Directory (nom, pr\u00e9nom, description etc.), c\u2019est pourquoi je l\u2019injecte dans ma classe UserProvider<\/code>.<\/p>\n
Voici le contenu des classes UserProvider<\/code> et User<\/code> :<\/p>\n
namespace AppBundle\\Security;\r\n\r\nuse AppBundle\\Utils\\Ad;\r\nuse Symfony\\Component\\Security\\Core\\Exception\\UsernameNotFoundException;\r\nuse Symfony\\Component\\Security\\Core\\Exception\\UnsupportedUserException;\r\nuse Symfony\\Component\\Security\\Core\\User\\UserProviderInterface;\r\n\r\nclass UserProvider implements UserProviderInterface\r\n{\r\n    private $ad;\r\n\r\n    \/**\r\n     * @param string $username\r\n     * @return UserInterface\r\n     * @throws UsernameNotFoundException\r\n     *\/\r\n    public function loadUserByUsername($username)\r\n    {\r\n        if ($userAd = $this->getAd()->getUserByLogin($username)) {\r\n            return new User($userAd->samaccountname, $userAd);\r\n        }\r\n\r\n        throw new UsernameNotFoundException('Utilisateur \"' . $username . '\" introuvable');\r\n    }\r\n\r\n    \/**\r\n     * @param UserInterface $user\r\n     * @return UserInterface\r\n     * @throws UnsupportedUserException\r\n     *\/\r\n    public function refreshUser(UserInterface $user)\r\n    {\r\n        if (!$user instanceof User) {\r\n            throw new UnsupportedUserException('Instance \"' . get_class($user) . '\" non support\u00e9e');\r\n        }\r\n\r\n        return $this->loadUserByUsername($user->getUsername());\r\n    }\r\n\r\n    \/**\r\n     * @param string $class\r\n     * @return bool\r\n     *\/\r\n    public function supportsClass($class)\r\n    {\r\n        return $class === 'AppBundle\\Security\\User';\r\n    }\r\n\r\n    \/**\r\n     * @param Ad $ad\r\n     * @return void\r\n     *\/\r\n    public function setAd(Ad $ad)\r\n    {\r\n        $this->ad = $ad;\r\n    }\r\n\r\n    \/**\r\n     * @return Ad $ad\r\n     *\/\r\n    public function getAd()\r\n    {\r\n        return $this->ad;\r\n    }\r\n}\r\n<\/code><\/pre>\n
namespace AppBundle\\Security;\r\n\r\nuse Symfony\\Component\\Security\\Core\\User\\UserInterface;\r\nuse Symfony\\Component\\Security\\Core\\Role\\Role;\r\nuse AppBundle\\Utils\\UserAd;\r\n\r\nclass User implements UserInterface\r\n{\r\n    private $username;\r\n    private $password;\r\n    private $roles = array();\r\n    private $nom;\r\n    private $prenom;\r\n    private $description;\r\n\r\n    \/**\r\n     * @param string $username\r\n     * @param UserAd $userAd\r\n     * @return User\r\n     *\/\r\n    public function __construct($username, UserAd $userAd)\r\n    {\r\n        $this->username = $username;\r\n        $this->nom = $userAd->sn;\r\n        $this->prenom = $userAd->givenname;\r\n        $this->description = $userAd->description;\r\n\r\n        \/\/ \u00e9tablit les r\u00f4les\r\n        $roles = array('ROLE_USER');\r\n\r\n        if ($this->getUsername() === 'jdoe') {\r\n            $roles[] = 'ROLE_SUPER_ADMIN';\r\n        }\r\n\r\n        $this->setRoles($roles);\r\n    }\r\n\r\n    \/**\r\n     * @return string\r\n     *\/\r\n    public function getUsername()\r\n    {\r\n        return $this->username;\r\n    }\r\n\r\n    \/**\r\n     * @return string\r\n     *\/\r\n    public function getPassword()\r\n    {\r\n        return $this->password;\r\n    }\r\n\r\n    \/**\r\n     * @return Role[] The user roles\r\n     *\/\r\n    public function getRoles()\r\n    {\r\n        $roles = $this->roles;\r\n\r\n        if (empty($roles)) {\r\n            $roles[] = 'ROLE_USER';\r\n        }\r\n\r\n        return array_unique($roles);\r\n    }\r\n\r\n    \/**\r\n     * @param array\r\n     * @return void\r\n     *\/\r\n    public function setRoles(array $roles)\r\n    {\r\n        $this->roles = $roles;\r\n    }\r\n\r\n    \/**\r\n     * @return void\r\n     *\/\r\n    public function getSalt()\r\n    {\r\n        return;\r\n    }\r\n\r\n    \/**\r\n     * @return void\r\n     *\/\r\n    public function eraseCredentials()\r\n    {\r\n    }\r\n\r\n    \/**\r\n     * @return string\r\n     *\/\r\n    public function getNom()\r\n    {\r\n        return $this->nom;\r\n    }\r\n\r\n    \/**\r\n     * @return string\r\n     *\/\r\n    public function getPrenom()\r\n    {\r\n        return $this->prenom;\r\n    }\r\n\r\n    \/**\r\n     * @return string\r\n     *\/\r\n    public function getDescription()\r\n    {\r\n        return $this->description;\r\n    }\r\n}\r\n<\/code><\/pre>\n
Ces deux classes doivent imp\u00e9rativement d\u00e9finir les m\u00e9thodes des interfaces UserProviderInterface<\/code> et User<\/code>.<\/p>\n
Cet exemple est \u00e0 adapt\u00e9 selon votre syst\u00e8me LDAP.<\/p>\n
Le fichier de log access.log<\/code> d’Apache affichera le login AD de la personne qui lance l’appel HTTP, cela peut vous permettre d’isoler ce champ dans un dashboard Kibana<\/a>.<\/p>\n
\"Share<\/a>