Package Data | |
---|---|
Maintainer Username: | minkbear |
Package Create Date: | 2016-01-19 |
Package Last Update: | 2016-11-23 |
Home Page: | |
Language: | PHP |
License: | MIT |
Last Refreshed: | 2024-11-22 15:03:17 |
Package Statistics | |
---|---|
Total Downloads: | 177 |
Monthly Downloads: | 3 |
Daily Downloads: | 0 |
Total Stars: | 0 |
Total Watchers: | 2 |
Total Forks: | 1 |
Total Open Issues: | 0 |
Adldap2 - Laravel allows easy configuration, access, and management to active directory utilizing the root Adldap2 Repository.
It includes:
Adldap\Contracts\AdldapInterface
) for dependency injection through Laravel's IoCAdldap\Laravel\Facades\Adldap
) for easily retrieving the Adldap instance from the IoCInsert Adldap2-Laravel into your composer.json
file:
"adldap2/adldap2-laravel": "2.0.*",
Then run composer update
.
Once finished, insert the service provider in your config/app.php
file:
Adldap\Laravel\AdldapServiceProvider::class,
Then insert the facade:
'Adldap' => Adldap\Laravel\Facades\Adldap::class
Publish the configuration file by running:
php artisan vendor:publish --tag="adldap"
Now you're all set!
You can perform all methods on Adldap through its facade like so:
// Finding a user.
$user = Adldap::getProvider('default')->search()->users()->find('john doe');
// Searching for a user.
$search = Adldap::getProvider('default')->search()->where('cn', '=', 'John Doe')->get();
// Authenticating.
if (Adldap::getProvider('default')->auth()->attempt($username, $password)) {
// Passed!
}
Or you can inject the Adldap contract:
use Adldap\Contracts\AdldapInterface;
class UserController extends Controller
{
/**
* @var Adldap
*/
protected $adldap;
/**
* Constructor.
*
* @param AdldapInterface $adldap
*/
public function __construct(AdldapInterface $adldap)
{
$this->adldap = $adldap;
}
/**
* Displays the all LDAP users.
*
* @return \Illuminate\View\View
*/
public function index()
{
$users = $this->adldap->getProvider('default')->search()->users()->get();
return view('users.index', compact('users'));
}
}
To see more usage in detail, please visit the Adldap2 Repository;
The Adldap Laravel auth driver allows you to seamlessly authenticate active directory users, as well as have a local database record of the user. This allows you to easily attach information to the users as you would a regular laravel application.
Note: The Adldap auth driver actually extends from and utilizes Laravel's eloquent auth driver.
Insert the AdldapAuthServiceProvider
into your config/app.php
file:
Adldap\Laravel\AdldapAuthServiceProvider::class,
Publish the auth configuration:
php artisan vendor:publish --tag="adldap"
Change the auth driver in config/auth.php
to adldap
:
/*
|--------------------------------------------------------------------------
| Default Authentication Driver
|--------------------------------------------------------------------------
|
| This option controls the authentication driver that will be utilized.
| This driver manages the retrieval and authentication of the users
| attempting to get access to protected areas of your application.
|
| Supported: "database", "eloquent"
|
*/
'driver' => 'adldap',
Insert the AdldapAuthServiceProvider
into your config/app.php
file:
Adldap\Laravel\AdldapAuthServiceProvider::class,
Publish the auth configuration:
php artisan vendor:publish --tag="adldap"
Open your config/auth.php
configuration file and change the following:
Change the provider
entry inside the web
authentication guard:
/*
|--------------------------------------------------------------------------
| Authentication Guards
|--------------------------------------------------------------------------
|
| Next, you may define every authentication guard for your application.
| Of course, a great default configuration has been defined for you
| here which uses session storage and the Eloquent user provider.
|
| All authentication drivers have a user provider. This defines how the
| users are actually retrieved out of your database or other storage
| mechanisms used by this application to persist your user's data.
|
| Supported: "session", "token"
|
*/
'guards' => [
'web' => [
'driver' => 'session',
'provider' => 'adldap',
],
'api' => [
'driver' => 'token',
'provider' => 'users',
],
],
Now add the adldap
provider to your providers
array:
/*
|--------------------------------------------------------------------------
| User Providers
|--------------------------------------------------------------------------
|
| All authentication drivers have a user provider. This defines how the
| users are actually retrieved out of your database or other storage
| mechanisms used by this application to persist your user's data.
|
| If you have multiple user tables or models you may configure multiple
| sources which represent each model / table. These sources may then
| be assigned to any extra authentication guards you have defined.
|
| Supported: "database", "eloquent"
|
*/
'providers' => [
'adldap' => [
'driver' => 'adldap',
'model' => App\User::class,
],
'users' => [
'driver' => 'eloquent',
'model' => App\User::class,
],
// 'users' => [
// 'driver' => 'database',
// 'table' => 'users',
// ],
],
Inside your config/adldap_auth.php
file there is a configuration option named username_attribute
. The key of the
array indicates the input name of your login form, and the value indicates the LDAP attribute that this references.
This option just allows you to set your input name to however you see fit, and allow different ways of logging in a user.
In your login form, change the username form input name to your configured input name.
By default this is set to email
:
<input type="text" name="email" />
<input type="password" name="password" />
You'll also need to add the following to your AuthController if you're not overriding the default postLogin method.
protected $username = 'email';
If you'd like to use the users samaccountname
to login instead, just change your input name and auth configuration:
<input type="text" name="username" />
<input type="password" name="password" />
Note: If you're using the
username
input field, make sure you have theusername
field inside your users database table as well. By default, laravel's migrations use the
Inside config/adldap_auth.php
'username_attribute' => ['username' => 'samaccountname'],
Note: The actual authentication is done with the
login_attribute
inside yourconfig/adldap_auth.php
file.
Login a user regularly using Auth::attempt($credentials);
. Using Auth::user()
when a user is logged in
will return your configured App\User
model in config/auth.php
.
Inside your config/adldap_auth.php
file there is a configuration option named sync_attributes
. This is an array
of attributes where the key is the User
model attribute, and the value is the active directory users attribute.
By default, the User
models name
attribute is synchronized to the AD users cn
attribute. This means, upon login,
the users name
attribute on Laravel User
Model will be set to the active directory common name (cn
) attribute, then saved.
Feel free to add more attributes here, however be sure that your users
database table contains the key you've entered.
Note: This feature was introduced in
v1.3.8
.
If you're looking to synchronize an attribute from an Adldap model that contains an array or an object, you can use a callback to return a specific value to your Laravel model's attribute. For example:
'sync_attributes' => [
'name' => 'App\Handlers\LdapAttributeHandler@name',
],
The LdapAttributeHandler
class:
namespace App\Handlers;
use Adldap\Models\User;
class LdapAttributeHandler
{
/**
* Returns the common name of the AD User.
*
* @param User $user
*
* @return string
*/
public function name(User $user)
{
return $user->getAccountName();
}
}
Note: Attribute handlers are constructed using the
app()
helper. This means you can type-hint any application dependencies you may need in the handlers constructor.
Note: Before we begin, enabling this option will perform a single query on your AD server for a logged in user per request. Eloquent already does this for authentication, however this could lead to slightly longer load times (depending on your AD server and network speed of course).
Inside your config/adldap_auth.php
file there is a configuration option named bind_user_to_model
. Setting this to
true sets the adldapUser
property on your configured auth User model to the Adldap User model. For example:
if (Auth::attempt($credentials)) {
$user = Auth::user();
var_dump($user); // Returns instance of App\User;
var_dump($user->adldapUser); // Returns instance of Adldap\Models\User;
// Retrieving the authenticated LDAP users groups
$groups = $user->adldapUser->getGroups();
}
You must insert the trait Adldap\Laravel\Traits\AdldapUserModelTrait
onto your configured auth User model, OR
Add the public property adldapUser
to your model.
<?php
// app/User.php
namespace App;
use Adldap\Laravel\Traits\AdldapUserModelTrait;
use Illuminate\Auth\Authenticatable;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Auth\Passwords\CanResetPassword;
use Illuminate\Contracts\Auth\Authenticatable as AuthenticatableContract;
use Illuminate\Contracts\Auth\CanResetPassword as CanResetPasswordContract;
class User extends Model implements AuthenticatableContract, CanResetPasswordContract
{
use Authenticatable, CanResetPassword, AdldapUserModelTrait; // Insert trait here
/**
* The database table used by the model.
*
* @var string
*/
protected $table = 'users';
/**
* The attributes that are mass assignable.
*
* @var array
*/
protected $fillable = ['name', 'email', 'password'];
/**
* The attributes excluded from the model's JSON form.
*
* @var array
*/
protected $hidden = ['password', 'remember_token'];
}
Note: This feature was introduced in
v1.3.9
. You'll will need to re-publish the Adldap Auth configuration file to receive this option.
The login fallback option allows you to login as a local database user using the Eloquent authentication driver if active directory authentication fails. This option would be handy in environments where:
To enable it, simply set the option to true in your adldap_auth.php
configuration file:
'login_fallback' => false, // Set to true.
Note: This feature was introduced in
v1.4.3
. You will need to re-publish the Adldap Auth configuration file to receive this option.
Requirements: This feature assumes that you have enabled
Windows Authentication
in IIS, or have enabled it in some other means with Apache. Adldap does not set this up for you. To enable Windows Authentication, visit: https://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication/providers/add
SSO authentication allows you to authenticate your users by the pre-populated $_SERVER['AUTH_USER']
(or $_SERVER['REMOTE_USER
])
that is filled when users visit your site when SSO is enabled on your server. This is configurable in your adldap_auth.php
configuration file.
To use the middleware, insert it on your middleware stack:
protected $middlewareGroups = [
'web' => [
Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
Middleware\VerifyCsrfToken::class,
\Adldap\Laravel\Middleware\WindowsAuthenticate::class, // Inserted here.
],
];
Now when you visit your site, a user account will be created (if one doesn't exist already) with a random 16 character string password and then automatically logged in. Neat huh?
Note: This feature was introduced in
v1.4.6
. You will need to re-publish the Adldap Auth configuration file to receive this option.
Inside of your config/adldap_auth.php
configuration, you can now insert a raw LDAP filter to specify which users are allowed to authenticate.
This filter persists to the Windows Authentication Middleware as well.
For example, to allow only users to that contain an email address to login, insert the filter: (mail=*)
:
/*
|--------------------------------------------------------------------------
| Limitation Filter
|--------------------------------------------------------------------------
|
| The limitation filter allows you to enter a raw filter to only allow
| specific users / groups / ous to authenticate.
|
| This should be a standard LDAP filter.
|
*/
'limitation_filter' => '(mail=*)',
For another example, here's how you can limit users logging in that are apart of a specific group:
Note: This will also allow nested group users to login as well.
'limitation_filter' => '(memberof:1.2.840.113556.1.4.1941:=CN=MyGroup,DC=example,DC=com)',
Note: This feature was introduced in
v2.0.0
.
To swap connections on the fly, set your configurations default connection and try re-authenticating the user:
$auth = false;
if (Auth::attempt($credentials)) {
$auth = true; // Logged in successfully
} else {
// Login failed, swap and try other connection.
Config::set('adldap_auth.connection', 'other-connection');
if (Auth::attempt($credentials)) {
$auth = true; // Passed logging in with other connection.
}
}
if ($auth === true) {
return $this->handleUserWasAuthenticated($request, $throttles);
}
return 'Login incorrect!';