# |
May 17th 2021, 11:57 |
kushan |
as you could see, when a user enters username/password, it first checks in the app's db for a matching user. If it cannot find a matching user, then it looks for LDAP |
# |
May 17th 2021, 11:57 |
kushan |
2. ldap |
# |
May 17th 2021, 11:56 |
kushan |
1. password |
# |
May 17th 2021, 11:56 |
kushan |
there are 2 ways |
# |
May 17th 2021, 11:56 |
slackebot |
LDAP_OPT_NETWORK_TIMEOUT => 5, ], ]); return $service; }``` @ndm The above might explain how I'm authenticating users |
# |
May 17th 2021, 11:56 |
slackebot |
$service->loadIdentifier('CustomLdap', [ 'fields' => ['username' => 'username', 'password' => 'password'], 'host' => Configure::readOrFail('LdapHost'), 'bindDN' => function ($username) use ($baseDN) { return "cn=$username,$baseDN"; }, 'baseDN' => $baseDN, 'ldap' => 'CustomExtensionAdapter', 'options' => [ LDAP_OPT_PROTOCOL_VERSION => 3, |
# |
May 17th 2021, 11:56 |
slackebot |
'fields' => $formAuthFields, 'loginUrl' => '/', ]); // Load identifiers $service->loadIdentifier('Authentication.Password', [ 'fields' => $formAuthFields, 'resolver' => [ 'className' => 'CustomOrm', 'customerId' => Router::getRequest()->getAttribute('customer')->id ], ]); // add LDAP identifier $baseDN = Configure::readOrFail('LdapBaseDN'); |
# |
May 17th 2021, 11:56 |
slackebot |
$service->setConfig([ 'unauthenticatedRedirect' => '/', 'queryParam' => 'redirect', ]); $formAuthFields = [ IdentifierInterface::CREDENTIAL_USERNAME => 'email', IdentifierInterface::CREDENTIAL_PASSWORD => 'password', ]; // Load the authenticators. Session should be first. $service->loadAuthenticator('Authentication.Session'); $service->loadAuthenticator('Authentication.Form', [ |
# |
May 17th 2021, 11:56 |
kushan |
```/** * Returns a service provider instance. * * @param \Psr\Http\Message\ServerRequestInterface $request Request * @return \Authentication\AuthenticationServiceInterface */ public function getAuthenticationService(ServerRequestInterface $request): AuthenticationServiceInterface { $service = new AuthenticationService(); // Define where users should be redirected to when they are not authenticated |
# |
May 17th 2021, 11:54 |
ndm |
I'm not quite sure I understand, do you _not_ have any matching users in your DB, or are you just not able to query them (for example because you have no unique value by which you could identify them)? |
# |
May 17th 2021, 11:51 |
kushan |
when I authenticate via LDAP, I don't check for any matching username in the DB. The reason I wanted to create a new entity is that I cannot find a way to authorize Ldap users without mapping data returned via LDAP auth to a User entity. |
# |
May 17th 2021, 11:49 |
ndm |
ps, you better pass the customer as an option to the identifier config, then you can remove the hard router dependency. |
# |
May 17th 2021, 11:48 |
ndm |
I see. And do you have matching users in your database that you could identify by the username, or by information returned from the LDAP search? |
# |
May 17th 2021, 11:48 |
kushan |
the namespace of the above class is App\Identifier |
# |
May 17th 2021, 11:46 |
slackebot |
in_array($result[0]['employeetype'][0], EMPLOYEE_TYPE) ? USER_ROLE_ADMIN : false ]), 'customer_id' => Router::getRequest()->getAttribute('customer')->id ]); } } catch (ErrorException $e) { $this->_handleLdapError($e->getMessage()); } $this->_ldap->unbind(); return null; }``` |
# |
May 17th 2021, 11:46 |
slackebot |
= $this->_ldap->bind($config['bindDN']($username), $password); if ($ldapBind === true) { $filter = "(cn={$username})"; $result = $this->_ldap->search($config['baseDN'], $filter); $this->_ldap->unbind(); return new ArrayObject([ $config['fields'][self::CREDENTIAL_USERNAME] => $username, 'user_role' => new ArrayObject([ 'role' => |
# |
May 17th 2021, 11:46 |
kushan |
@ndm yes, but I extended Authentication\Identifier\LdapIdentifier class. In my CustomLdapIdentifier::_bindUser() ```/** * Try to bind the given user to the LDAP server * * @param string $username The username * @param string $password The password * * @return ArrayAccess|null */ protected function _bindUser(string $username, string $password): ?ArrayAccess { $config = $this->getConfig(); try { $ldapBind |
# |
May 17th 2021, 11:43 |
ndm |
@kushan Where does the LDAP identifier get all that information from? `customer_id`, `user_role` (a nested array)? Usually it returns an array object with just one field, the username. |
# |
May 17th 2021, 11:00 |
slackebot |
$user->get('user_role')['role']] //$user->get('user_role')['role'] is 'admin' in this case, and the 'admin is existed already'` `],` `}` `return $user->setAuthorization($auth);` `}` `]));` `}` |
# |
May 17th 2021, 11:00 |
slackebot |
\Authentication\Identity) {` `$Users = TableRegistry::getTableLocator()->get('Users');` `$user = $Users->newEntity(` `[` `'name' => 'test',` `'email' => 'test@test.com',` `'customer_id' => $user->get('customer_id'),` `'user_role_id' => 3,` `'user_role' => ['role' => |
# |
May 17th 2021, 11:00 |
slackebot |
My code... `public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue` `{` `$middlewareQueue` `// few other middleware before auth` `->add(new AuthenticationMiddleware($this))` `->add(new AuthorizationMiddleware($this, [` `// 'requireAuthorizationCheck' => false,` `'identityDecorator' => function ($auth, $user) {` `// for users authenticated via LDAP` `if ($user instanceof |
# |
May 17th 2021, 11:00 |
slackebot |
working as I cannot create a new user entity due to one of the DB rules set. I have Users and UserRoles models. In the UserRoles the 'role' field is unique. If I tried to create a new entity to match the Users model using the data returned via LDAP auth, it throws an error as the role field is unique. I'm using the Authorization middleware similar to what's explained here https://book.cakephp.org/authorization/2/en/middleware.html |
# |
May 17th 2021, 11:00 |
kushan |
Hi, could someone help me with CakePHP authorisation issue please... I've been adding the new Authentication and Authorization plugins to an existing CakePHP 4.x application. I'm using Password and Ldap authentication at the moment, and the authentication with both methods is working. Also, the authorisation, when authenticated via the password, is working. However, the authorisation when authenticated via LDAP is not |
# |
May 17th 2021, 10:59 |
paolo.bragagni |
some 'bake for dummies' somewhere? |
# |
May 17th 2021, 10:58 |
paolo.bragagni |
can't understand how to bake my own actions and views in cake4 :( |
# |
May 17th 2021, 09:30 |
dereuromark |
I see. As said before, best to use the automated approach as much as possible, and add on top what is missing then. Or provide a PR to also allow automating that. |
# |
May 17th 2021, 08:45 |
kevinfrom |
Plugin `A` might have an `AHelper` used in a plugin `B` template |
# |
May 17th 2021, 08:45 |
kevinfrom |
I agree - but the problem is that some Theme plugins have View helpers used in different places. The hope was to avoid creating a ThemeView in every time to type this |
# |
May 17th 2021, 08:42 |
dereuromark |
Helpers should never be configured in the templates imo. That's what the tool writes into the AppView class for. |
# |
May 17th 2021, 08:40 |
neon1024 |
PHP Storm :point_up: |
# |
May 17th 2021, 08:39 |
slackebot |
<neon1024> |
# |
May 17th 2021, 08:38 |
neon1024 |
Yes |
# |
May 17th 2021, 08:38 |
kevinfrom |
But does your IDE suggest methods when writing `$this->HelperName` then? |
# |
May 17th 2021, 08:36 |
neon1024 |
If you use @dereuromark IdeHelper plugin, it can generate all these for you automatically |
# |
May 17th 2021, 08:36 |
neon1024 |
`@var \Example\HelperName $HelperName` |
# |
May 17th 2021, 08:36 |
neon1024 |
@kevinfrom I tend to just use `$HelperName` |
# |
May 17th 2021, 08:03 |
kevinfrom |
A technical question - in a template, is it possible to define that my AppView uses a Helper? My problem is, that I'm not able to update the AppView class. ```/**``` |
# |
May 17th 2021, 06:20 |
paolo.bragagni |
2. Where can I modify the actions code build from bake? |
# |
May 17th 2021, 06:19 |
paolo.bragagni |
1. How can I build a 'stand alone' theme that is independent from the application? I'd like that all my (future) applications will have my own actions. |
# |
May 17th 2021, 06:18 |
paolo.bragagni |
Hi, I read here https://book.cakephp.org/bake/2/en/development.html#bake-events that if I want to add a new action to my theme, I have to modify my src/Application. Is it true? |
# |
May 15th 2021, 20:10 |
kevin.pfeifer |
yup, that was the issue :)