For JWT, I'm using lexik/jwt-authentication-bundle. For LDAP, I'm using ldaptools/ldaptools-bundle.
Both can be installed via Composer:
composer req lexik/jwt-authentication-bundle ldaptools/ldaptools-bundle
Follow the instructions for configuring both packages as normal:
- JWT: Configuration
- LDAP: Getting started
After that, you can add the LDAP guard to the login firewall in your config/packages/security.yaml file:

security:
    # ...
    firewalls:
        login:
            pattern: ^/api/login
            stateless: true
            anonymous: true
            form_login:
                check_path: /api/login_check
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
                require_previous_session: false
            guard:
                authenticators:
                    - ldap_tools.security.ldap_guard_authenticator
Make sure that both packages are using the same names for the username and password parameters.
For JWT, in config/packages/security.yaml:

security:
    # ...
    firewalls:
        login:
            form_login:
                username_path: my_username
                password_path: my_password
And for LDAP, in config/packages/ldaptools.yaml:

ldap_tools:
    security:
        guard:
            username_parameter: my_username
            password_parameter: my_password
I ran into some problems when using the json_login authentication instead of the form_login method used above.
The LDAP Guard Authenticator provided by LDAP Tools cannot read the credentials from JSON-encoded POST content.
I created a JsonLdapGuardAuthenticator class that extends the original LdapGuardAuthenticator of LDAP Tools. This class overrides the getRequestParameter method to pull the parameters out of the JSON POST content.
I copied the service definition of the original LdapGuardAuthenticator.
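An implementation of that subclass, added here as an example and not the post's own code: it assumes the bundle's parent class lives at LdapTools\Bundle\LdapToolsBundle\Security\LdapGuardAuthenticator and that its protected getRequestParameter($param, Request $request) hook is what getCredentials() calls for each configured parameter name (as the text above describes); the request attribute name used for caching is a hypothetical choice. Requests that are not declared as JSON fall back to the parent, so form-encoded logins keep working, and only string values are accepted so a crafted body cannot feed arrays or objects into the LDAP bind.

```php
<?php

declare(strict_types=1);

namespace App\Authentication\Ldap;

// Assumed namespace of the bundle's guard authenticator (not stated on the page).
use LdapTools\Bundle\LdapToolsBundle\Security\LdapGuardAuthenticator;
use Symfony\Component\HttpFoundation\Request;

/**
 * Guard authenticator that reads the LDAP credentials from a JSON request body
 * (as sent to a json_login style endpoint) instead of form-encoded POST fields.
 */
class JsonLdapGuardAuthenticator extends LdapGuardAuthenticator
{
    /** Hypothetical request attribute under which the decoded body is cached. */
    private const DECODED_BODY_ATTRIBUTE = '_json_ldap_guard_body';

    /**
     * Assumed parent signature: protected function getRequestParameter($param, Request $request).
     * $param is the name configured as username_parameter / password_parameter.
     */
    protected function getRequestParameter($param, Request $request)
    {
        // Only treat the body as JSON when the client declares it as JSON; otherwise
        // keep the bundle's default behaviour (form fields / query parameters).
        // getContentType() is the HttpFoundation accessor of the Symfony 3/4 era this post targets.
        if ($request->getContentType() !== 'json') {
            return parent::getRequestParameter($param, $request);
        }

        // Support the dotted path style used by json_login (e.g. "security.credentials.login")
        // as well as a plain top-level key such as "my_username".
        $value = $this->decodeBody($request);
        foreach (explode('.', (string) $param) as $segment) {
            if (!is_array($value) || !array_key_exists($segment, $value)) {
                return null;
            }
            $value = $value[$segment];
        }

        // Credentials must be plain strings; reject arrays, objects, numbers and booleans.
        return is_string($value) ? $value : null;
    }

    /**
     * Decode the JSON body once per request and cache the result as a request attribute,
     * since getRequestParameter() is called once for the username and once for the password.
     *
     * @return array<string,mixed> empty array when the body is missing, invalid or not a JSON object
     */
    private function decodeBody(Request $request): array
    {
        if ($request->attributes->has(self::DECODED_BODY_ATTRIBUTE)) {
            return $request->attributes->get(self::DECODED_BODY_ATTRIBUTE);
        }

        // Bounded nesting depth: credential payloads are flat or nearly so.
        $decoded = json_decode($request->getContent(), true, 16);
        if (json_last_error() !== JSON_ERROR_NONE || !is_array($decoded)) {
            $decoded = [];
        }

        $request->attributes->set(self::DECODED_BODY_ATTRIBUTE, $decoded);

        return $decoded;
    }
}
```

With the username_parameter / password_parameter settings shown earlier, a request such as POST /api/login_check with Content-Type: application/json and a body of {"my_username": "...", "my_password": "..."} is resolved by this class; a missing key or a non-string value yields null, which the parent's getCredentials() handling then treats as absent credentials rather than attempting a bind.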
To prevent my JWT requests from being redirected to a (non-existing) login form, I had to use some handlers from the JWT package instead of the default ones from the LDAP package.
In config/services.yaml:

services:
    App\Authentication\Ldap\JsonLdapGuardAuthenticator:
        arguments:
            - '%security.authentication.hide_user_not_found%'
            - '@ldap_tools.security.user.ldap_user_checker'
            - '@ldap_tools.ldap_manager'
            - '@lexik_jwt_authentication.security.guard.jwt_token_authenticator' # Instead of '@ldap_tools.security.authentication.form_entry_point'
            - '@event_dispatcher'
            - '@lexik_jwt_authentication.handler.authentication_success' # Instead of '@ldap_tools.security.auth_success_handler'
            - '@lexik_jwt_authentication.handler.authentication_failure' # Instead of '@ldap_tools.security.auth_failure_handler'
            - '%ldap_tools.security.guard.options%'
            - '@ldap_tools.security.user.ldap_user_provider'
Then the new class can be used as a guard in the config/packages/security.yaml file:

security:
    # ...
    firewalls:
        login:
            # ...
            guard:
                authenticators:
                    - App\Authentication\Ldap\JsonLdapGuardAuthenticator