0

Question

Currently looking for how other people handled the validate password function when they need to authenticate with the userprincipalname instead of the Edvlerblog\Adldap2 validatePassword function which uses samaccountname.

Please provide feedback in the comments if you are struggling with anything specific so we can update the documentation.

Current Implementation

For app/common/model/LoginForm

getUser

The Edvlerblog\Adldap2 getUser() function works, and even caches the queryLdapUserObject, allowing you to fetch any of the AD attributes.

protected function getUser()
{
    if ($this->_user === null) {
        $this->_user = \Edvlerblog\Adldap2\model\UserDbLdap::findByUsername($this->username);
    }

    return $this->_user;
}

validatePassword()

Currently, the following validatePassword function does not work for me because in my instance AD must authenticate against the userprincipalname instead of the samaccount name. 

public function validatePassword($attribute, $params)
{
    if (!$this->hasErrors()) {
        $user = $this->getUser();
        if (!$user || !$user->validatePassword($this->password)) {
            $this->addError($attribute, 'Incorrect username or password.');
        }
    }
}
Jairus
  • 816
  • 8
  • 27

1 Answers1

0

A solution

Here is one workaround thanks to the Edvlerblog\Adldap2 who recently released 3.0.5 addressing a couple issues and providing some examples in his readme docs.

Please note the addition of findByAttribute(), allowing the following:

 $this->_user = \Edvlerblog\Adldap2\model\UserDbLdap::findByUsername($this->username);

validatePassword() w/ userprincipalname

Update your login model: common\models\LoginForm.php

public function validatePassword($attribute, $params)
{
    if (!$this->hasErrors()) {
        $user = $this->getUser();
        if (!$user) {
            $this->addError('username', 'Incorrect username.');
        } else {
            // Note: queryLdapUserObject is a cached object, 
            // so the ldap fetch does not get called :-).
            $userprincipalname = $this->_user->queryLdapUserObject()->getAttribute('userprincipalname');
            $auth = Yii::$app->ad->auth()->attempt($userprincipalname[0], $this->password);
            if (!$auth) {
                $this->addError('password', 'Incorrect password.');
            }
        }
    }
}

getUser() w/userprincipalname

    /**
     * Finds user by [[username]]
     *
     * @return User|null
     */
    protected function getUser()
    {
        if ($this->_user === null) {
            $this->_user = \Edvlerblog\Adldap2\model\UserDbLdap::findByUsername($this->username);
        }

        return $this->_user;
    }

Yii2 ldap Component Configuration

Reference: https://github.com/Adldap2/Adldap2/blob/master/docs/configuration.md

Config in your frontend\config\main:

'components' => [
        'log' => [... ],
        'authManager' => [... ],
        'ad' => [
            'class' => 'Edvlerblog\Adldap2\Adldap2Wrapper',
            'providers' => [
                'default' => [
                    'autoconnect' => true,
                    'config' => [
                        'domain_controllers' => ['your.ldap.domain.com'],
                        'base_dn'            => "OU=XXX,OU=XXX,DC=ccccccc,DC=xxxx,DC=com",
                        'admin_username'     => "your_username",
                        'admin_password'     => "your_password",
                        'port'               => 389,
                    ],
                ],

            ],

        ],
    ],
Community
  • 1
  • 1
Jairus
  • 816
  • 8
  • 27