Login does not work with new authenticator System #20

Open
matthiashamacher opened this issue Aug 18, 2022 · 3 comments

@matthiashamacher

With the new Symfony authenticator system it is no longer possible to log in via LDAP (https://pimcore.com/docs/pimcore/current/Development_Documentation/Development_Tools_and_Details/Security_Authentication/Authenticator_Based_Security.html).

The problem is that

  1. The event "pimcore.admin.login.credentials" is no longer used, therefore the listener only triggers on the "pimcore.admin.login.failed" event
  2. When the user does not exist an exception is thrown and the "pimcore.admin.login.failed" is never reached. This happens in the UserBadge (https://github.com/pimcore/pimcore/blob/11.x/bundles/AdminBundle/Security/Authenticator/AdminLoginAuthenticator.php#L78)

I tried to work around that by changing the user provider to a chained user provider with a normal pimcore user provider and a new ldap user provider, unfortunately, this leads to an error in the AdminAbstractAuthenticator as the LDAP User Provider returns LDAPUser which has no getUser function.

My current solution is to have a cronjob running that adds new and deletes old admin users each night, so the User Badge gets a user and then the pimcore.admin.login.failed event is triggered, which authenticates the user with the LDAP.

@MLukman

MLukman commented Nov 4, 2022

I've created a simple authenticator class for Pimcore 10.5 and above @ https://gist.github.com/MLukman/cd8671e505e202f8753fd4ae7c296f71

How to use:

  1. Install and set up PimcoreLdapBundle first (obviously)

  2. Register this class as a service inside config/services.yaml:

    services:
        App\Service\LdapAdminAuthenticator:
            calls:
            - setLdapService: ['@?Alep\LdapBundle\Service\Ldap']
    
  3. Add this class's full name to the top of custom_authenticators inside config/packages/security.yaml:

    custom_authenticators:
    - App\Service\LdapAdminAuthenticator
    - Pimcore\Bundle\AdminBundle\Security\Authenticator\AdminLoginAuthenticator
    - Pimcore\Bundle\AdminBundle\Security\Authenticator\AdminTokenAuthenticator
    - Pimcore\Bundle\AdminBundle\Security\Authenticator\AdminSessionAuthenticator
    

@snmabaur

Hi

thank you, this one works well.... unfortunately it works now only with LDAP authentication and not anymore with an existing user in pimcore without LDAP credentials...

Is there a way to have both login methods?
Thanks

@MLukman

MLukman commented Jan 12, 2023

> Hi
>
> thank you, this one works well.... unfortunately it works now only with LDAP authentication and not anymore with an existing user in pimcore without LDAP credentials...
>
> Is there a way to have both login methods? Thanks

Yes, if your LDAP logins have a specific format then you can put the regex pattern for the LDAP logins inside the LDAP_LOGINS_REGEX constant.

Or you can specify the list of the Pimcore user logins/groups in the exclude_rules options of this bundle configuration (refer to this repository's README).
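
The regex routing described in the reply above, as an added PHP example that is not code from the gist or from this bundle: it shows how an anchored pattern decides which logins go to LDAP and which fall through to the Pimcore authenticators. The "first.last" naming scheme, the `isLdapLogin` helper, the loose comparison pattern and the sample logins are assumptions made for illustration; only the `LDAP_LOGINS_REGEX` name comes from the thread.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helper, not code from the gist or the bundle.
// Assumption: directory accounts look like "first.last"; local Pimcore
// accounts (e.g. "admin") do not. Adjust the pattern to your own naming scheme.
// \A and \z anchor the whole string; "$" would also accept a trailing newline.
const LDAP_LOGINS_REGEX = '/\A[a-z][a-z0-9-]*\.[a-z][a-z0-9-]*\z/';

/**
 * Decide whether a submitted login name belongs to the LDAP authenticator.
 * Returning false means "leave it to the next authenticator in the list".
 */
function isLdapLogin(string $username, string $pattern = LDAP_LOGINS_REGEX): bool
{
    // Assumption: logins are case-insensitive. Normalise once so that
    // "John.Doe " and "john.doe" cannot end up at different authenticators.
    $login = strtolower(trim($username));

    $result = preg_match($pattern, $login);
    if ($result === false) {
        // A broken pattern must be noticed, not silently treated as "no match".
        throw new InvalidArgumentException('Invalid LDAP login pattern: ' . preg_last_error_msg());
    }

    return $result === 1;
}

// Constructed sample logins, not taken from the issue.
$samples = ['john.doe', 'John.Doe ', 'admin', 'admin.local.backup', "john.doe\nadmin"];

// A loose, unanchored pattern for comparison: it matches any login that
// merely contains "x.y", so more names are routed to LDAP than intended.
$loose = '/[a-z]+\.[a-z]+/';

foreach ($samples as $login) {
    printf(
        "%-24s strict=%-5s loose=%s\n",
        json_encode($login),
        isLdapLogin($login) ? 'ldap' : 'local',
        isLdapLogin($login, $loose) ? 'ldap' : 'local'
    );
}
```

Routing only selects which authenticator checks the credentials; a local account that the pattern wrongly sends to LDAP simply cannot log in while it is misrouted, which matters most for break-glass admin accounts.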
