
Comments (13)

burzum avatar burzum commented on June 15, 2024 1

@Theaxiom it's not the duty of the identifier to create any records, this is totally out of the scope of this lib. Read this https://en.wikipedia.org/wiki/Separation_of_concerns to get an idea why. Also we intentionally did not include yet another dependency, we just want to get the user and the code we have does this well without adding a whole vendor lib.

However, if you want to create a whole LDAP plugin around that lib we would appreciate that. :)

from authentication.

cleptric avatar cleptric commented on June 15, 2024 1

PR is open. Sorry for the delay 😔


ADmad avatar ADmad commented on June 15, 2024

I too don't have any experience with LDAP. Having an adapter for it would surely be nice.


burzum avatar burzum commented on June 15, 2024

I'll ask the author of the plugin if he would like to contribute to this project. :)


burzum avatar burzum commented on June 15, 2024

I've slightly updated my old code I started 1-2 months ago and pushed it to https://github.com/cakephp/authentication/tree/ldap-identifier

@ceeram and @cleptric use LDAP at work and said they can review and complete the work on this. Thanks guys. 👍


cleptric avatar cleptric commented on June 15, 2024

I was able to log in against an LDAP server: http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
That said, I'm not happy at all with the current implementation.
The handling of the ldap result is pretty fragile. The config array is also getting pretty big.
We should also add a new OrmTrait, which can handle the db lookup for the TokenIdentifier and the LdapIdentifier.


cleptric avatar cleptric commented on June 15, 2024

Hmm, on second thought, I'm not quite sure if we want to look up anything in the db while using the LdapIdentifier. I have to adjust the return of the identify method and create an entity on the fly, then.


burzum avatar burzum commented on June 15, 2024

@cleptric as I understand LDAP it should provide all the info for the user already. You log in using LDAP, done. Sure you could link it with an account inside your local application but that is out of scope of the identifier - IMO. If somebody wants to do that he can link the accounts after login / registration or extend the identifier.

Also I've seen you're overriding $_defaultConfig. Please note that we're not using the MergeVarTrait that would merge the arrays of defined properties. So you're completely overriding the defaults.

> We should also add a new OrmTrait, which can handle the db lookup for the TokenIdentifier and the LdapIdentifier.

This sounds like a two-stage process to me. Identify it by one system, then against another. I'm not sure if we want this to be a core functionality of the implementation. I don't mind doing that, but then you'll hard code these identifiers against the Cake ORM. We could also allow the user to pass callbacks for before and after event-like handling via config to modify things in the identifiers. I would like to hear more opinions on that from the other developers. :)


cleptric avatar cleptric commented on June 15, 2024

@burzum LDAP doesn't provide you with any user data if you're not searching for it. An ldap_bind is basically all that is needed to authenticate a user against an LDAP server (I learned that yesterday 😉). If the bind is successful, you get true, else false. So I dropped all the search code and the result juggling.
You're right that an ORM lookup isn't necessary. If the LdapIdentifier would do an ORM lookup, I just didn't want to copy the code from the TokenIdentifier. This was the idea behind adding a trait.

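An added example, not code from the cakephp/authentication branch discussed in this thread: a bind-only check of the kind described in the comment above, written in PHP. The function name, the config keys (`uri`, `bindDN`) and the fake directory are assumptions made for illustration; the check also rejects empty passwords, because a simple bind with an empty password can succeed as an unauthenticated bind (RFC 4513, section 5.1.2).

```php
<?php
declare(strict_types=1);

/**
 * Bind-only LDAP check (hypothetical helper, requires ext-ldap).
 * $bind is injectable so the logic can be exercised without a directory;
 * by default it performs a real ldap_bind() after StartTLS.
 */
function ldapBindIdentify(string $username, string $password, array $config, ?callable $bind = null): ?array
{
    // A simple bind with a DN and an empty password is an "unauthenticated
    // bind" that many servers accept, so a true result from ldap_bind()
    // would not prove that the user knows the password.
    if ($username === '' || $password === '') {
        return null;
    }
    // Escape the login for use inside a DN so it cannot add RDN components.
    $dn = sprintf($config['bindDN'], ldap_escape($username, '', LDAP_ESCAPE_DN));

    $bind = $bind ?? static function (string $dn, string $password) use ($config): bool {
        $conn = ldap_connect($config['uri']);
        if ($conn === false) {
            return false;
        }
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
        // A simple bind sends the password in clear text: require TLS first.
        if (!@ldap_start_tls($conn)) {
            return false;
        }
        $ok = @ldap_bind($conn, $dn, $password);
        ldap_unbind($conn);
        return $ok;
    };

    // The bind result is only a bool, so the identity is built from what we know.
    return $bind($dn, $password) ? ['username' => $username, 'dn' => $dn] : null;
}

// Constructed demo: a fake directory that accepts an empty password for any DN.
$config = ['uri' => 'ldap://ldap.example.test', 'bindDN' => 'uid=%s,dc=example,dc=test'];
$fakeBind = static fn (string $dn, string $pw): bool =>
    $pw === '' || ($dn === 'uid=alice,dc=example,dc=test' && $pw === 'correct-horse');

var_dump(ldapBindIdentify('alice', 'correct-horse', $config, $fakeBind) !== null);
var_dump(ldapBindIdentify('alice', '', $config, $fakeBind));
var_dump(ldapBindIdentify('alice,dc=example', 'x', $config, $fakeBind));
```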

burzum avatar burzum commented on June 15, 2024

@cleptric it can contain data. See https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol#Directory_structure I think this case should be handled as well besides the ORM lookup.

We need to find a way to make the ORM lookup somehow optional and work with other ORMs as well. We've tried to keep this lib so far as open as possible to other implementations. I'm open for ideas on how to make this possible.


cleptric avatar cleptric commented on June 15, 2024

@burzum Sorry, I was pointing out that PHP's ldap_bind() only returns bool, not LDAP in general 😄


Theaxiom avatar Theaxiom commented on June 15, 2024

That LDAP plugin, while it works, is definitely missing quite a lot. It doesn't even have the option of creating associated user rows upon successful login, etc. If I get the time, I would like to bring this into an identifier: https://github.com/ldaptools/ldaptools

I also love the syntax of this library: http://www.phpldaptools.com/

+1 it has tests and uses travis-ci: https://travis-ci.org/ldaptools/ldaptools/jobs/200512275


Theaxiom avatar Theaxiom commented on June 15, 2024

@burzum I understand what you are saying, and yes I do intend to create an LDAP plugin around that lib when and if I get the time. Right now I am using QueenCityCodeFactory, however it does raise some concerns but works in the meantime. :)
