Authenticate users through LDAP


#1

I’m grokking my way through Pimcore and will admit that I’m not that far along, but not having an LDAP connector for authentication seems like an oversight. Is the expectation that I should manually create every user and role? It seems burdensome to then have to keep passwords sync’d?


#2

Hi,

Since the new Pimcore 5 is based on the Symfony 3 framework, you could try to use its LDAP adapter.


I did not use it yet, but it might be worth a try.

Greets axe


#3

There is a Partner Plugin for Pimcore 4 that enables LDAP Login, I am sure it will get ported to Pimcore 5 as well. Not sure when and if fully open source, but someone will eventually create something.


#4

I’ve looked at this and was thinking it could be leveraged. I’m a long-time python/django person so PHP/Symfony is all new to me. Could be a while before I can tackle it myself.


#5

Speaking of which, is there a repository somewhere of plugins? Google doesn’t return that much or it seems scattered.


#6

Do you happen to know where this plugin is? I can’t find it via google.


#7

As said, it’s only for Partners. There are a few partner-only plugins, not much. LDAP is one of them. (Ecommerce Framework used to be only for partners as well, but with v5 they open sourced it for everyone).

If you are looking for plugins, try searching on packagist for v5: pimcore-bundle or v4: pimcore-plugin.


#8

Gotcha. I wasn’t aware of what “Partner” meant, but that makes sense.


#9

Hi,
LDAP plugin for pimcore will be migrated to Pimcore 5 (since it is in use) and I guess then we will make it available for everyone.

Cheers…


#10

Hi,
If you still need it I built this sample bundle which uses Symfony’s LDAP component from which you can start.

Alessandro


#11

Sweet. I’ll give it a try. Thanks.


#12

Ok, let me know if you need help!


#13

Hi, works great, thanks! :slight_smile:
The only thing I miss after the first test is something like a checkbox ‘is LDAP user’ on the user edit page (which would somehow add the user to the ‘exclude’ array). Because when manually adding users in Pimcore, they won’t be able to log in now without editing the config.yml.
Alternatively, try Pimcore authentication if LDAP authentication failed?


#14

Hi @camico,
Thanks for your feedback.
Unfortunately Pimcore doesn’t allow you to extend backend users (see https://pimcore.com/docs/5.x/Development_Documentation/Development_Tools_and_Details/Extending_a_Backend_User.html).
What I was thinking of implementing was a better way to exclude users by role or by using wildcards.
Something like:

exclude:
  - {kind: 'role', value: 'ROLE_ADMIN'}
  - {kind: 'user', value: 'noldap_*'}

In this way you could exclude from LDAP authentication all the users with the ROLE_ADMIN or with a username starting with noldap_.
To exclude a user it is sufficient that just one of the exclude rules is satisfied.

Would it be enough?


#15

Ah, yes that would also be fine. Even better maybe than an additional checkbox, because roles are already there. Or even just simple array options exclude_users, exclude_roles?


#16

Hi @camico,
I added a new configuration option ‘exclude_rules’ which accepts the sub-nodes ‘users’ and ‘roles’.
In each sub-node you can define a list of users/roles to exclude from LDAP authentication (you can use valid regular expressions as well).
The old ‘exclude’ option is still working but has been deprecated.

Please see the updated documentation for details.

Alessandro
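
The any-rule-matches semantics described in #14 and #16, as an added example that is not the bundle's own code. The function name, the sample patterns and the choice to match each regular expression against the whole username or role are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not from the bundle): returns true when the user
 * should be excluded from LDAP authentication under the given rules.
 * Assumption: each entry is a regular expression that must match the
 * whole username or role name, not just a substring of it.
 */
function isExcludedFromLdap(string $username, array $roles, array $rules): bool
{
    $matchesAny = static function (array $patterns, string $value): bool {
        foreach ($patterns as $pattern) {
            // Use '~' as delimiter, escape it inside the pattern, anchor both ends.
            $regex = '~\A(?:' . str_replace('~', '\~', $pattern) . ')\z~';
            $result = @preg_match($regex, $value);
            if ($result === false) {
                // Reject a broken pattern instead of silently ignoring the rule.
                throw new InvalidArgumentException("Invalid exclude pattern: $pattern");
            }
            if ($result === 1) {
                return true;
            }
        }
        return false;
    };

    // One satisfied rule is enough: check the username first, then each role.
    if ($matchesAny($rules['users'] ?? [], $username)) {
        return true;
    }
    foreach ($roles as $role) {
        if ($matchesAny($rules['roles'] ?? [], $role)) {
            return true;
        }
    }
    return false;
}

// Constructed sample rules, shaped like the 'exclude_rules' sub-nodes.
$rules = ['users' => ['noldap_.*', 'admin'], 'roles' => ['ROLE_ADMIN']];

// Account named with the noldap_ prefix.
var_dump(isExcludedFromLdap('noldap_backup', ['ROLE_USER'], $rules));
// Username that merely contains 'admin' and holds no excluded role.
var_dump(isExcludedFromLdap('sysadmin2', ['ROLE_USER'], $rules));
// Ordinary username that holds ROLE_ADMIN.
var_dump(isExcludedFromLdap('jdoe', ['ROLE_ADMIN'], $rules));
```

Matching the whole value matters because every excluded account skips the directory check, so an over-broad pattern quietly widens the set of accounts that authenticate outside LDAP.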


#17

Great! Thanks a lot, also for the release version, it’s very useful. :+1:


#18

Alessandro, does your LDAP bundle work with secure LDAP as well? (I am getting TLS errors but I’m not sure if that’s a problem with my server or the plugin).


#19

It should support it because it’s based on Symfony’s LDAP component, which supports it (https://symfony.com/doc/3.4/components/ldap.html).
Are you sure that you correctly configured Symfony’s LDAP component?

If you want you can share with me the errors you are getting so I can have a look at them.
BTW I’m setting up a secure LDAP test server to make some tests.