
I'm trying to auth API and BackOffice users of a Symfony 3 app with a combination of 3 bundles: LdaptoolsBundle, LexikJwtAuthBundle and fosUserBundle.

Here is my configuration:

config.yml

lexik_jwt_authentication:
    private_key_path: %jwt_private_key_path%
    public_key_path:  %jwt_public_key_path%
    pass_phrase:      %jwt_key_pass_phrase%
    token_ttl:        %jwt_token_ttl%

ldap_tools:
    domains:
        company:
            domain_name: ad.company.com
            username: user
            password: password
            servers: ['xxx.xxx.xxx']
            base_dn: 'OU=users, DC=domain'

    security:
        default_role: ROLE_USER

security.yml

encoders:
    LdapTools\Bundle\LdapToolsBundle\Security\User\LdapUser: plaintext
    FOS\UserBundle\Model\UserInterface: bcrypt

role_hierarchy:
    ROLE_ADMIN:       ROLE_USER
    ROLE_SUPER_ADMIN: ROLE_ADMIN

providers:
    chain_provider:
        chain:
            providers: [ fos_userbundle, ldap ]
    fos_userbundle:
        id: fos_user.user_provider.username
    ldap:
        id: ldap_tools.security.user.ldap_user_provider

firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false

    api_login:
        pattern:  ^/api/login
        stateless: true
        anonymous: true
        form_login:
            check_path: /api/login_check
            require_previous_session: false
            username_parameter: username
            password_parameter: password
            success_handler: lexik_jwt_authentication.handler.authentication_success
            failure_handler: lexik_jwt_authentication.handler.authentication_failure
        guard:
            authenticators:
                - ldap_tools.security.ldap_guard_authenticator

    api_secure:
        pattern:   ^/api
        stateless: true
        lexik_jwt:
            authorization_header:
                enabled: true
                prefix:  Bearer
            query_parameter:
                enabled: true
                name:    bearer
        guard:
            authenticators:
                - lexik_jwt_authentication.jwt_token_authenticator
    main:
        anonymous: ~
        provider: chain_provider
        form_login:
            login_path: fos_user_security_login
            check_path: fos_user_security_check
            use_forward: true
        pattern: ^/
        logout: ~
        guard:
            authenticators:
                - ldap_tools.security.ldap_guard_authenticator

    login:
        pattern: ^/login$
        anonymous: ~

access_control:

   - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
   - { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
   - { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
   - { path: ^/, roles: ROLE_USER }

When I attempt to log in via the login form, everything is OK: I'm authenticated by the LDAP. But when I try to log in via the API, only the fosUserBundle provider is used. No access to LDAP.

Here's the stack trace:

[1] Symfony\Component\Debug\Exception\ContextErrorException: Warning: hash_equals(): Expected known_string to be a string, null given
at n/a
    in /var/www/myapp/vendor/symfony/symfony/src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php line 84

at Symfony\Component\Security\Core\Encoder\BasePasswordEncoder->comparePasswords(null, 'MyPass')
    in /var/www/myapp/vendor/symfony/symfony/src/Symfony/Component/Security/Core/Encoder/PlaintextPasswordEncoder.php line 59

at Symfony\Component\Security\Core\Encoder\PlaintextPasswordEncoder->isPasswordValid(null, 'MyPass', null)
    in /var/www/myapp/vendor/symfony/symfony/src/Symfony/Component/Security/Core/Authentication/Provider/DaoAuthenticationProvider.php line 66

at Symfony\Component\Security\Core\Authentication\Provider\DaoAuthenticationProvider->checkAuthentication(object(LdapUser), object(UsernamePasswordToken))
    in /var/www/myapp/vendor/symfony/symfony/src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php line 86

at Symfony\Component\Security\Core\Authentication\Provider\UserAuthenticationProvider->authenticate(object(UsernamePasswordToken))
    in /var/www/myapp/var/cache/dev/classes.php line 5294

at Symfony\Component\Security\Core\Authentication\AuthenticationProviderManager->authenticate(object(UsernamePasswordToken))
    in /var/www/myapp/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php line 93

at Symfony\Component\Security\Http\Firewall\UsernamePasswordFormAuthenticationListener->attemptAuthentication(object(Request))
    in /var/www/myapp/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/AbstractAuthenticationListener.php line 146

at Symfony\Component\Security\Http\Firewall\AbstractAuthenticationListener->handle(object(GetResponseEvent))
    in /var/www/myapp/var/cache/dev/classes.php line 5209

at Symfony\Component\Security\Http\Firewall->onKernelRequest(object(GetResponseEvent), 'kernel.request', object(TraceableEventDispatcher))
    in  line 

at call_user_func(array(object(Firewall), 'onKernelRequest'), object(GetResponseEvent), 'kernel.request', object(TraceableEventDispatcher))
    in /var/www/myapp/vendor/symfony/symfony/src/Symfony/Component/EventDispatcher/Debug/WrappedListener.php line 106

at Symfony\Component\EventDispatcher\Debug\WrappedListener->__invoke(object(GetResponseEvent), 'kernel.request', object(ContainerAwareEventDispatcher))
    in  line 

at call_user_func(object(WrappedListener), object(GetResponseEvent), 'kernel.request', object(ContainerAwareEventDispatcher))
    in /var/www/myapp/var/cache/dev/classes.php line 3240

at Symfony\Component\EventDispatcher\EventDispatcher->doDispatch(array(object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener)), 'kernel.request', object(GetResponseEvent))
    in /var/www/myapp/var/cache/dev/classes.php line 3155

at Symfony\Component\EventDispatcher\EventDispatcher->dispatch('kernel.request', object(GetResponseEvent))
    in /var/www/myapp/vendor/symfony/symfony/src/Symfony/Component/EventDispatcher/Debug/TraceableEventDispatcher.php line 136

at Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher->dispatch('kernel.request', object(GetResponseEvent))
    in /var/www/myapp/var/cache/dev/classes.php line 4883

at Symfony\Component\HttpKernel\HttpKernel->handleRaw(object(Request), 1)
    in /var/www/myapp/var/cache/dev/classes.php line 4853

at Symfony\Component\HttpKernel\HttpKernel->handle(object(Request), 1, true)
    in /var/www/myapp/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/Kernel.php line 168

at Symfony\Component\HttpKernel\Kernel->handle(object(Request))
    in /var/www/myapp/web/app_dev.php line 28

Can someone help?

Thanks

user3282502
  • You don't have the LDAP guard authenticator defined on either API firewall, but you do on the main firewall. Or am I not understanding how the flow works here? – ChadSikorra Dec 05 '16 at 16:00
  • Thanks for reply. – user3282502 Dec 06 '16 at 09:06
  • I've added the LDAP guard authenticator in the api_secure firewall. The API call is a POST request to the route login_check. I have an error "Warning: hash_equals(): Expected known_string to be a string, null given" – user3282502 Dec 06 '16 at 09:20
  • Where is that being triggered from? Could you post the rest of the stack trace? – ChadSikorra Dec 06 '16 at 14:52
  • Thanks for your help ChadSikorra! I've just updated my question with the stack trace and some changes in security.yml – user3282502 Dec 07 '16 at 15:20
  • Ok, so the problem is that it loaded the user from LDAP, but the returned user from that user provider (`LdapUser`) will not have a password set on it. So when it attempts to compare passwords it fails. Offhand I'm not sure of the best way around this. – ChadSikorra Dec 07 '16 at 16:30
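Added example, not part of the question or its comments and not code from LdapToolsBundle or LexikJWTAuthenticationBundle: the stack trace shows `form_login` on the `api_login` firewall handing the `LdapUser` to `DaoAuthenticationProvider`, which compares against a stored password the LDAP user does not have. One way around that comparison is a Symfony 3 Guard authenticator that verifies the submitted password with an LDAP bind and passes a successful login to the Lexik JWT success handler. The class name `ApiLdapLoginAuthenticator`, its namespace, the `/api/login_check` path test and the 401 message are assumptions, as is wiring it in place of `form_login` with the firewall's user provider set to `ldap`.

```php
<?php
// Added example: hypothetical class, not from the question or either bundle. PHP 7+, Symfony 3 Guard API.
namespace AppBundle\Security;

use LdapTools\LdapManager;
use Symfony\Component\HttpFoundation\{JsonResponse, Request};
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\User\{UserInterface, UserProviderInterface};
use Symfony\Component\Security\Guard\AbstractGuardAuthenticator;
use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;

class ApiLdapLoginAuthenticator extends AbstractGuardAuthenticator {
    private $ldap, $jwtSuccess; // LdapManager and lexik_jwt_authentication.handler.authentication_success

    public function __construct(LdapManager $ldap, AuthenticationSuccessHandlerInterface $jwtSuccess) {
        $this->ldap = $ldap;
        $this->jwtSuccess = $jwtSuccess;
    }

    public function getCredentials(Request $request) {
        if (!$request->isMethod('POST') || $request->getPathInfo() !== '/api/login_check') {
            return null; // not a login attempt: Guard skips this authenticator
        }
        return ['username' => (string) $request->request->get('username'),
                'password' => (string) $request->request->get('password')];
    }

    public function getUser($credentials, UserProviderInterface $userProvider) {
        return $userProvider->loadUserByUsername($credentials['username']);
    }

    public function checkCredentials($credentials, UserInterface $user) {
        // LDAP bind, not a password comparison; empty passwords are refused (possible anonymous bind).
        return $credentials['password'] !== ''
            && $this->ldap->authenticate($credentials['username'], $credentials['password']);
    }

    public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey) {
        return $this->jwtSuccess->onAuthenticationSuccess($request, $token); // JSON with the JWT
    }
    public function onAuthenticationFailure(Request $request, AuthenticationException $exception) {
        return $this->start($request, $exception); // same generic 401 for every failure
    }
    public function start(Request $request, AuthenticationException $authException = null) {
        return new JsonResponse(['message' => 'Authentication required'], 401);
    }
    public function supportsRememberMe() { return false; }
}
```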

0 Answers