
Maks3w commented on July 30, 2024

I have to admit that branch of the code is a mystery to me.

I was following the same code as DaoAuthenticationProvider, but it's true that getPassword is empty or is a hashed password, so the return value won't be valid in any case.

So the question is: how can we re-authenticate an already logged-in user?

from fr3dldapbundle.

Maks3w commented on July 30, 2024

What is the return value of $token->getCredentials()?

from fr3dldapbundle.

Saaha commented on July 30, 2024

$token->getCredentials() returns the password filled in by the user when the authentication process starts (before redirect). I actually tried to replace $currentUser->getPassword() with $token->getCredentials() but there was no change. In my opinion the problem is deeper in the process.

When the User is authenticated, the condition ($currentUser instanceof UserInterface) is true and the User is rebound from the information returned by the token (aka getUser() and getCredentials()). The User returned by getCredentials() is free of password (by default, it's empty because it's overridden in the hydrate method of LdapManager: the password is set to blank).
I tried to set the password on the User instance in checkAuthentication but no change either. It seems that when the token is re-created the password is lost...

from fr3dldapbundle.

Saaha commented on July 30, 2024

Here is the solution!

Change $currentUser->getPassword() to $token->getCredentials() in LdapAuthenticationProvider, and turn off the property erase_credentials in security.yml.
The generated token keeps the password after login and the bind method works correctly. I don't know if it's really the expected behaviour or just a bad way to resolve it.

I noticed a strange thing, by the way: the Zend/Ldap driver is called twice. The first time is when the default connection defined in config.yml with username and password is used. The second one is when the bind method is called directly to authenticate the User. In this case, I traced the whole workflow to see how it behaves: an Exception is correctly thrown (because username is filled, password is empty and AllowEmptyPassword is false), but in UserAuthenticationProvider the code below does not throw the Exception to the caller class (AuthenticationProviderManager):

try {
    $this->userChecker->checkPreAuth($user);
    $this->checkAuthentication($user, $token);
    $this->userChecker->checkPostAuth($user);
} catch (BadCredentialsException $e) {
    if ($this->hideUserNotFoundExceptions) {
        throw new BadCredentialsException('Bad credentials', 0, $e);
    }
    throw $e;
}

I don't know why and when the Exception is caught. This issue messed up my brain!

from fr3dldapbundle.
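
The re-authentication behaviour described in the comment above, as an added example that is not part of the original thread and is not FR3DLdapBundle or Symfony code. It is a self-contained PHP model (all class and function names are hypothetical, the account is constructed) of a token whose credentials are erased after login versus kept, bound against a directory that refuses empty passwords.

```php
<?php
// Constructed model of the flow in this thread; not bundle code. All names are hypothetical.

final class DemoToken
{
    public function __construct(private string $username, private string $credentials) {}
    public function getUsername(): string { return $this->username; }
    public function getCredentials(): string { return $this->credentials; }
    // Models what happens to the token after login when erase_credentials is on.
    public function eraseCredentials(): void { $this->credentials = ''; }
}

final class DemoDirectory
{
    /** @param array<string,string> $entries username => password (constructed data) */
    public function __construct(private array $entries) {}
    public function bind(string $username, string $password): bool
    {
        if ($password === '') {
            return false; // empty passwords refused, as with AllowEmptyPassword = false
        }
        return isset($this->entries[$username]) && hash_equals($this->entries[$username], $password);
    }
}

function login(DemoDirectory $dir, string $user, string $pass, bool $erase): ?DemoToken
{
    $token = new DemoToken($user, $pass);
    if (!$dir->bind($token->getUsername(), $token->getCredentials())) {
        return null;
    }
    if ($erase) {
        $token->eraseCredentials();
    }
    return $token; // what would be kept in the session
}

// A later request: only the stored token is available for the re-bind.
function reauthenticate(DemoDirectory $dir, DemoToken $token): bool
{
    return $dir->bind($token->getUsername(), $token->getCredentials());
}

$dir = new DemoDirectory(['alice' => 'constructed-password']);
foreach ([true, false] as $erase) {
    $token = login($dir, 'alice', 'constructed-password', $erase);
    printf("erase=%s reauth=%s kept_password_bytes=%d\n", var_export($erase, true),
        var_export(reauthenticate($dir, $token), true), strlen($token->getCredentials()));
}
```

Requires PHP 8.0 or later (constructor property promotion).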

Maks3w commented on July 30, 2024

Do you want to create a PR with the fix?

About the driver called twice:
a) The first one is the user provider part. (Symfony expects you to provide a user object, so you can provide a user from the DB but later authenticate against LDAP.)
b) The second is the user authentication.

from fr3dldapbundle.

Saaha commented on July 30, 2024

I am not sure if the fix is correct; I'm going to run new tests with a fresh installation and chained providers to be sure it does not bring a regression.

from fr3dldapbundle.

Maks3w commented on July 30, 2024

The change will cause a BC break with objects retrieved from the DB. But this has to be fixed as you proposed.

from fr3dldapbundle.
