You can enable LDAP authenticating only on configuration level.
Packeton has pre-installed Symfony LDAP component. Add the file config/packages/ldap.yaml to enable LDAP
with following content. See LDAP in Symfony Docs
parameters:
default_login_provider: 'form_login_ldap'
default_login_options:
provider: all_users
login_path: /login
use_forward: false
check_path: /login
failure_path: null
service: Symfony\Component\Ldap\Ldap
dn_string: 'uid={username},dc=example,dc=com'
services:
Symfony\Component\Ldap\Ldap:
arguments: ['@Symfony\Component\Ldap\Adapter\ExtLdap\Adapter']
tags:
- ldap
Symfony\Component\Ldap\Adapter\ExtLdap\Adapter:
arguments:
- host: ldap.forumsys.com
port: 389
security:
providers:
users_ldap:
ldap:
service: Symfony\Component\Ldap\Ldap
base_dn: dc=example,dc=com
search_dn: "cn=read-only-admin,dc=example,dc=com"
search_password: password
default_roles: ROLE_MAINTAINER
uid_key: uid
all_users:
chain:
providers: ['packagist', 'users_ldap']Here is working example where used test ldap.forumsys.com server https://www.forumsys.com/2022/05/10/online-ldap-test-server/
Using LDAP integration does not prevent you from creating user manually from CLI and assign more accessible roles.
At the same LDAP password validation will be done on LDAP server side, because CheckLdapCredentialsListener has higher priority
loading than default check listener. Therefore, if user is not enable in LDAP - it will not able login to packeton.
Packeton use Symfony Chain User Provider to lookup users.
If you want to use customer user restriction by vendors and versions, packagist user provider must load before ldap.
security:
providers:
users_ldap:
ldap:
...
all_users:
chain:
providers: ['packagist', 'users_ldap'] # Load user/roles form default packagist and if not found - use ldap user
providers: ['users_ldap', 'packagist'] # packagist users will be ignore You can use more 1 user providers:
security:
providers:
users_ldap:
ldap:
service: Symfony\Component\Ldap\Ldap
base_dn: dc=example,dc=com
search_dn: "cn=read-only-admin,dc=example,dc=com"
filter: "(&(objectclass=groupOfUniqueNames)(ou=scientists)(uniqueMember=uid={username},dc=example,dc=com))"
search_password: password
default_roles: ROLE_MAINTAINER
uid_key: uid
users_ldap_admin:
ldap:
service: Symfony\Component\Ldap\Ldap
base_dn: dc=example,dc=com
search_dn: "cn=read-only-admin,dc=example,dc=com"
filter: "(&(objectclass=groupOfUniqueNames)(ou=mathematicians)(uniqueMember=uid={username},dc=example,dc=com))"
search_password: password
default_roles: ROLE_ADMIN
uid_key: uid
all_users:
chain:
providers: ['packagist', 'users_ldap', 'users_ldap_admin']Here test example where exists two Groups (ou) that include:
- ou=mathematicians,dc=example,dc=com - assign role ROLE_ADMIN
- ou=scientists,dc=example,dc=com - assign role ROLE_MAINTAINER
By default, packeton is storage api token in database for each user. But if the user was loaded by custom external users' provider, but from the database, you will need enable JWT configuration. See JWT Configuration
You can use docker volume to share own configuration to application.
...
volumes:
- .docker:/data
- ${PWD}/ldap.yaml:/var/www/packagist/config/packages/ldap.yaml