I have been using this UserProvider with Symfony. It extends the original LdapUserProvider and only adds some roles, depending on which ActiveDirectory groups the user is a member of. It works fine, but as of Symfony 4.4 Symfony\Component\Security\Core\User\LdapUserProvider is deprecated and Symfony\Component\Ldap\Security\LdapUserProvider should be used instead.
src/Security/LdapUserProvider.php

```php
<?php

namespace App\Security;

use Symfony\Component\Ldap\Entry;
use Symfony\Component\Security\Core\User\LdapUserProvider as SymfonyLdapUserProvider;
#use Symfony\Component\Ldap\Security\LdapUserProvider as SymfonyLdapUserProvider;
use Symfony\Component\Security\Core\User\User;

class LdapUserProvider extends SymfonyLdapUserProvider
{
    private static $roles = [
        'ROLE_MANAGEMENT' => [
            'name' => 'Verwaltung',
            'groups' => [
                'CN=Verwaltung,OU=Personen,DC=example,DC=com',
            ],
        ],
        'ROLE_SC' => [
            'name' => 'IT',
            'groups' => [
                'CN=IT-MA,OU=Gruppen,DC=example,DC=com',
            ],
        ],
        'ROLE_DOMAINADMIN' => [
            'name' => 'Domain Admin',
            'groups' => [
                'CN=Domain Admins,CN=Users,DC=example,DC=com',
            ],
        ],
        // some more roles ...
    ];

    protected function loadUser($username, Entry $entry)
    {
        $roles = ['ROLE_USER'];
        if ($entry->hasAttribute('memberOf')) {
            $roles = array_merge($roles, $this->getRolesFromGroups($entry->getAttribute('memberOf')));
        }

        // Remember the user's base DN (last N RDNs of the distinguishedName) in the session
        $dn = $entry->getAttribute('distinguishedName')[0];
        $elements = explode(',', $dn);
        $basePath = array_slice($elements, ($_ENV['ADLDAP_BASEDN_DEPTH'] * -1));
        $_SESSION['currentUser']['baseDn'] = implode(',', $basePath);

        return new User($username, null, $roles);
    }

    private function getRolesFromGroups(array $userGroups)
    {
        $roles = [];
        foreach ($this::$roles as $key => $role) {
            foreach ($role['groups'] as $group) {
                if (in_array($group, $userGroups)) {
                    $roles[] = $key;
                    break;
                }
            }
        }

        return $roles;
    }

    public function supportsClass($class)
    {
        $test = User::class === $class || is_subclass_of($class, User::class);
        dump($test);

        return $test;
    }
}
```
However, when I replace Symfony\Component\Security\Core\User\LdapUserProvider with Symfony\Component\Ldap\Security\LdapUserProvider, the following exception appears:

There is no user provider for user "Symfony\Component\Security\Core\User\User". Shouldn't the "supportsClass()" method of your user provider return true for this classname?

Interestingly, I tested the return value of function supportsClass($class) and it returned true.

I found some questions like this:
but they deal with custom user entities, which I don't have. If it is not coming from my UserProvider, can anyone give me a hint where this error comes from?

The Symfony version is 4.4.29. Excerpts from the other relevant files:
config/services.yaml

```yaml
Symfony\Component\Ldap\Ldap:
    arguments: ['@Symfony\Component\Ldap\Adapter\ExtLdap\Adapter']
Symfony\Component\Ldap\Adapter\ExtLdap\Adapter:
    arguments:
        - host: '%env(ADLDAP_HOST)%'
          port: '%env(ADLDAP_PORT)%'
          options:
              protocol_version: 3
              referrals: false
```
config/packages/security.yaml

```yaml
security:
    providers:
        ad:
            ldap:
                service: Symfony\Component\Ldap\Ldap
                base_dn: '%env(ADLDAP_BASEDN)%'
                search_dn: '%env(ADLDAP_USERDN)%'
                search_password: '%env(ADLDAP_PASSWORD)%'
                default_roles: ROLE_USER
                uid_key: 'samaccountname'
                extra_fields: ['distinguishedName']
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            anonymous: ~
            form_login_ldap:
                service: Symfony\Component\Ldap\Ldap
                login_path: login
                check_path: login
                dn_string: '%env(ADLDAP_BASEDN)%'
                query_string: '(samaccountname={username})'
            logout:
                path: /logout
                target: login
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, roles: ROLE_USER }
```
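The group-to-role mapping in the question's provider is the part that decides what an authenticated AD user may do, so it is worth being able to exercise it outside Symfony. The following is an added, stand-alone example (not the question author's code and not part of Symfony): it reproduces the `memberOf` to role lookup as a small class and adds one defensive step. The assumption, stated in the code, is that Active Directory DNs compare case-insensitively and may differ in whitespace after RDN separators, so both sides are normalised before a strict `in_array()` comparison; the role table and the `memberOf` values are constructed sample data.

```php
<?php
// Added example, not from the question: stand-alone version of the
// group-DN -> role mapping used by the custom provider above, plus a
// defensive normalisation step. Assumption: LDAP DNs compare
// case-insensitively and tolerate whitespace after commas (true for
// Active Directory), so both sides are normalised before comparison and
// in_array() is used in strict mode.

declare(strict_types=1);

final class AdGroupRoleMapper
{
    /** @var array<string, string[]> role name => normalised group DNs */
    private array $roleGroups = [];

    /** @param array<string, string[]> $roleGroups role name => group DNs */
    public function __construct(array $roleGroups)
    {
        foreach ($roleGroups as $role => $groups) {
            $this->roleGroups[$role] = array_map([self::class, 'normalizeDn'], $groups);
        }
    }

    /** Lower-case the DN and strip whitespace around the RDN separators. */
    public static function normalizeDn(string $dn): string
    {
        return strtolower((string) preg_replace('/\s*,\s*/', ',', trim($dn)));
    }

    /**
     * Map the user's memberOf values to application roles.
     * ROLE_USER is always granted; any other role needs at least one matching group.
     *
     * @param string[] $memberOf
     * @return string[]
     */
    public function rolesFor(array $memberOf): array
    {
        $userGroups = array_map([self::class, 'normalizeDn'], $memberOf);
        $roles = ['ROLE_USER'];

        foreach ($this->roleGroups as $role => $groups) {
            foreach ($groups as $group) {
                if (in_array($group, $userGroups, true)) {
                    $roles[] = $role;
                    break; // one matching group is enough for this role
                }
            }
        }

        return $roles;
    }
}

// Constructed sample: same shape as the role table in the question.
$mapper = new AdGroupRoleMapper([
    'ROLE_MANAGEMENT'  => ['CN=Verwaltung,OU=Personen,DC=example,DC=com'],
    'ROLE_SC'          => ['CN=IT-MA,OU=Gruppen,DC=example,DC=com'],
    'ROLE_DOMAINADMIN' => ['CN=Domain Admins,CN=Users,DC=example,DC=com'],
]);

// Constructed memberOf values: the first differs from the role table only in
// case and spacing, which a plain string comparison would not match.
$memberOf = [
    'cn=it-ma, ou=gruppen, dc=example, dc=com',
    'CN=Some Other Group,OU=Gruppen,DC=example,DC=com',
];

$roles = $mapper->rolesFor($memberOf);
if ($roles !== ['ROLE_USER', 'ROLE_SC']) {
    throw new RuntimeException('Unexpected roles: ' . implode(', ', $roles));
}
echo implode(', ', $roles), PHP_EOL;
```

Two caveats when using a mapping like this for authorisation: the `memberOf` attribute only lists groups the user is a direct member of, so roles attached to a group that is reached through nested membership will not be granted; and the role table is a static allow-list, so a group renamed or moved in AD silently stops granting its role, which is a safer failure mode than the reverse but still worth a check in a test like the one at the bottom of the block.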