Implement User class based on LDAP

I want to create a Yii2 Application for use in my company's intranet. I have access to the NT-username of the client with $_SERVER['REMOTE_USER']. This name I can use to query the active directory for more information (full name, department, etc.). I want to create my own user class, that is populated with this information and more. I want to access it through Yii::$app->user. The code to query the active directory is available and working.

I had a look at the default implementation and I am not sure if implementing \yii\web\IdentityInterface is suitable in this case.

Can you guide me in the right direction?

Hi!

I had a similar project a while back…

Not sure if this is suitable for you,

but my solution was something like this:

  1. Create a MySQL user table which holds everything you want to have from the user.

  2. Authenticate against LDAP.

  3. On successful auth => write / update all needed information of the user in your MySQL DB.

  4. Use Yii "standard" built-in UserIdentity / Components, since everything you need is in your MySQL DB.

For me this had the following advantages:

  1. You basically only have to modify the login.

  2. You can code a "fallback" like: if LDAP is not reachable and the current user profile is not older than XY, authenticate against the MySQL copy of the login.

Regards
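The login flow behind the four steps above, as an added example that is not code from this thread or from Yii: authenticate against LDAP, upsert the user into a local table, and fall back to the local copy only for a limited window when the directory is unreachable. The two LDAP callables, the table columns, and the one-week window are assumptions; a real project would put each class in its own file. One caveat the fallback brings with it: it requires keeping a hash of the user's domain password locally, and it must never be taken when LDAP answered "wrong password", otherwise a disabled or changed AD account keeps working until the local copy expires.

```php
<?php
// Added example (not from the thread): "MySQL mirror" login with LDAP-down fallback.
// Assumed: the two callables below, the table columns listed on User, the one-week window.
namespace app\models;

use Yii;
use yii\base\Model;
use yii\db\ActiveRecord;
use yii\web\IdentityInterface;

/** Local mirror of the AD user. Assumed columns: id, username, display_name, mail,
 *  password_hash, auth_key, ldap_synced_at (unix time). */
class User extends ActiveRecord implements IdentityInterface
{
    public static function tableName() { return '{{%user}}'; }

    /** Create or refresh the local copy after a successful LDAP authentication. */
    public static function upsertFromLdap(string $username, array $attrs, string $password): self
    {
        $user = static::findOne(['username' => $username])
            ?? new static(['username' => $username,
                           'auth_key' => Yii::$app->security->generateRandomString()]);
        $user->display_name   = $attrs['displayname'] ?? null;
        $user->mail           = $attrs['mail'] ?? null;
        // bcrypt hash of the AD password, stored only so the offline fallback can verify it
        $user->password_hash  = Yii::$app->security->generatePasswordHash($password);
        $user->ldap_synced_at = time();
        $user->save(false);
        return $user;
    }

    public static function findIdentity($id)                               { return static::findOne($id); }
    public static function findIdentityByAccessToken($token, $type = null) { return null; }
    public function getId()                                                { return $this->id; }
    public function getAuthKey()                                           { return $this->auth_key; }
    public function validateAuthKey($authKey)                              { return $this->auth_key === $authKey; }
}

class LdapLoginForm extends Model
{
    public $username;
    public $password;

    /** @var callable hypothetical: function (): bool, true when a domain controller answers */
    public static $ldapReachable;
    /** @var callable hypothetical: function (string $user, string $pass): ?array, AD attributes or null on bad credentials */
    public static $ldapAuthenticate;

    const FALLBACK_MAX_AGE = 7 * 24 * 3600;   // "profile not older than XY": one week here

    public function rules()
    {
        return [
            [['username', 'password'], 'required'],
            // never let LDAP filter metacharacters reach the directory
            ['username', 'match', 'pattern' => '/^[A-Za-z0-9._-]{1,64}$/'],
        ];
    }

    public function login(): bool
    {
        if (!$this->validate()) {
            return false;
        }
        if (call_user_func(static::$ldapReachable)) {
            $attrs = call_user_func(static::$ldapAuthenticate, $this->username, $this->password);
            if ($attrs === null) {
                // LDAP said no: do NOT fall through to the local copy
                $this->addError('password', 'Invalid username or password.');
                return false;
            }
            return Yii::$app->user->login(User::upsertFromLdap($this->username, $attrs, $this->password));
        }
        // Fallback: directory unreachable; accept the local copy only while it is fresh.
        $user = User::findOne(['username' => $this->username]);
        if ($user === null
            || time() - (int) $user->ldap_synced_at > self::FALLBACK_MAX_AGE
            || !Yii::$app->security->validatePassword($this->password, $user->password_hash)) {
            $this->addError('password', 'Directory unavailable and no recent local copy of this account.');
            return false;
        }
        return Yii::$app->user->login($user);
    }
}
```

Wire `User` in as `identityClass` of the `user` component and call `LdapLoginForm::login()` from the login action; everything else in the application (AccessControl, `Yii::$app->user->identity`) then works off the local copy exactly as with the stock User model.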

Thank you for your answer.

How does

work in your case?

The user shouldn't need to do anything since he should automatically be logged in. If (for some reason) the user does not exist in the active directory an error page should be shown.

Can you show some example code for me to better understand this?

Hi,

In my case I had no "autologin"…

The user still needed to authenticate at least once per week with his AD user & password to update the local "MySQL-Mirror"…

Not sure if this is suitable in bigger environments,

but on my end I had no problems so far.

I used an adLDAP class…

Read my post in this thread regarding more info:

http://www.yiiframework.com/forum/index.php/topic/61322-yii2-yii2-adldap-module/page__p__289551__hl__metacrawler__fromsearch__1#entry289551

Here is some very basic example code:

use adLDAP\adLDAP;
use adLDAP\adLDAPException;   // the catch blocks below only match with this import

// CONFIGURATION
$options = [
    'account_suffix'     => "@mydomain.local",
    'domain_controllers' => ["192.168.100.100"],
    'base_dn'            => 'dc=mydomain,dc=local',
    // bind account used for lookups: keep these out of the code (config file outside the web root)
    'admin_username'     => 'adAccount',
    'admin_password'     => 'accountPassword',
];

// ESTABLISH CONNECTION
try {
    $ad = new adLDAP($options);
    echo "Awesome, we're connected!";
} catch (adLDAPException $e) {
    echo $e;   // fine on a test page; in production log it and show a generic error
    exit();
}

// AUTHENTICATE USER (binds to the DC as that user with the password he typed)
echo "AUTH STATUS: ";
try {
    if ($ad->authenticate('LDAP_username', 'hisPersonalPassword')) {
        echo "OK!<br>";
    } else {
        echo "FAILED!<br>";
    }
} catch (adLDAPException $e) {
    echo $e;
    exit();
}

// GET INFORMATION ABOUT CURRENT USER (attribute names are looked up case-insensitively)
$info = $ad->user()->infoCollection('LDAP_username');
echo '<br>Login: ' . $info->samaccountname;
echo '<br>Email: ' . $info->mail;
echo '<br>Name: ' . $info->displayName;
echo '<br>Tel.: ' . $info->telephonenumber;


Best Regards

Thank you. I need to do all this automatically in the background. User should never see any username / password prompt. I just need some info on how to wire up the logic in the Yii2 framework. Maybe I should write my own component to handle this, not sure how this will affect any other base components of the framework.

But why do you need a login then, if the person is not supposed to enter login data?

I never said I needed a manual login. All this should be done automatically. I will probably try implementing a custom module in the next few days. I also might need to change AccessRule and AccessControl.
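The wiring asked for in the question and in the last two posts (identity built from REMOTE_USER, no login prompt, error page when the account is not in AD), as an added example that is not code from this thread or from Yii: an IdentityInterface implementation populated from Active Directory plus a bootstrap component that logs that identity in on every request. The AD lookup callable (for instance a wrapper around the adLDAP infoCollection() call shown earlier in the thread) and the attribute names it returns are assumptions; a real project puts each class in its own file.

```php
<?php
// Added example (not from the thread): SSO identity from REMOTE_USER in Yii2.
// Assumed: AdIdentity::$adLookup and the AD attribute names it returns.
namespace app\components;

use yii\base\Application;
use yii\base\BaseObject;
use yii\base\BootstrapInterface;
use yii\base\InvalidConfigException;
use yii\base\NotSupportedException;
use yii\web\ForbiddenHttpException;
use yii\web\IdentityInterface;

class AdIdentity extends BaseObject implements IdentityInterface
{
    public $id;            // sAMAccountName, lower-cased; this is what Yii::$app->user->id returns
    public $displayName;
    public $mail;
    public $department;

    /** @var callable hypothetical: function (string $samAccountName): ?array of AD attributes */
    public static $adLookup;

    public static function findIdentity($id)
    {
        if (!is_callable(static::$adLookup)) {
            throw new InvalidConfigException('AdIdentity::$adLookup must be set.');
        }
        $attrs = call_user_func(static::$adLookup, $id);
        if ($attrs === null) {
            return null;                       // unknown in AD; AdAutoLogin turns this into a 403
        }
        return new static([
            'id'          => $id,
            'displayName' => $attrs['displayname'] ?? null,
            'mail'        => $attrs['mail'] ?? null,
            'department'  => $attrs['department'] ?? null,
        ]);
    }

    public static function findIdentityByAccessToken($token, $type = null)
    {
        throw new NotSupportedException('Access tokens are not used.');
    }

    public function getId()                   { return $this->id; }
    public function getAuthKey()              { return null; }   // no "remember me" cookie
    public function validateAuthKey($authKey) { return false; }
}

/**
 * Config: 'bootstrap' => ['adAutoLogin'],
 *         'components' => [
 *             'adAutoLogin' => ['class' => AdAutoLogin::class],
 *             'user' => ['identityClass' => AdIdentity::class,
 *                        'enableSession' => false, 'enableAutoLogin' => false],
 *         ]
 * With sessions off the login is stateless and the identity is rebuilt per request.
 */
class AdAutoLogin extends BaseObject implements BootstrapInterface
{
    public function bootstrap($app)
    {
        $app->on(Application::EVENT_BEFORE_REQUEST, function () use ($app) {
            // Trust only REMOTE_USER, which the web server's auth module sets after a
            // successful Kerberos/NTLM handshake. Never take the name from a request
            // header such as HTTP_X_REMOTE_USER: the client controls those.
            $name = self::normalize($_SERVER['REMOTE_USER'] ?? '');
            if ($name === null) {
                throw new ForbiddenHttpException('No authenticated Windows user.');
            }
            $identity = AdIdentity::findIdentity($name);
            if ($identity === null) {
                throw new ForbiddenHttpException("Account '$name' not found in Active Directory.");
            }
            $app->user->login($identity);      // after this, AccessControl's '@' role matches
        });
    }

    /** Reduce "DOMAIN\user", "user@domain.local" or "user" to a safe sAMAccountName, or null. */
    public static function normalize(string $raw): ?string
    {
        if (($p = strrpos($raw, '\\')) !== false) {
            $raw = substr($raw, $p + 1);
        }
        if (($p = strpos($raw, '@')) !== false) {
            $raw = substr($raw, 0, $p);
        }
        $raw = strtolower($raw);
        // whitelist before the name is used in any LDAP filter
        return preg_match('/^[a-z0-9._-]{1,64}$/', $raw) === 1 ? $raw : null;
    }
}
```

Because the identity is rebuilt on every request, each request costs one directory lookup; if that matters, cache the attribute array per user name in Yii::$app->cache for a few minutes inside the `$adLookup` callable rather than reintroducing sessions. No change to AccessRule or AccessControl is needed: once `login()` has run, `'roles' => ['@']` rules see a logged-in user and `Yii::$app->user->identity` is the AdIdentity.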