Thursday, November 19, 2009

AW: [fw-auth] trouble with Zend_Auth_Adapter_Ldap

Dear Ondrej,

The problem is that Zend_Auth_Adapter_Ldap in its default configuration tries to split the username at the @ sign to retrieve the user name and the domain name. It thereby assumes that a username with an @ sign is a new-style Microsoft Windows domain username in the form username@domain (the old form, prior to Windows Server 2003 I think, was DOMAIN\username).
You can stop Zend_Auth_Adapter_Ldap from trying to split the username by setting the tryUsernameSplit option to false (it is true by default).

$adapter = new Zend_Auth_Adapter_Ldap(array(
    'server1' => array(            // the adapter expects one options array per server
        // ...
        'tryUsernameSplit' => false,
    ),
), $username, $password);

That should do the trick.

Best regards

Stefan
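The setting Stefan describes, applied to the directory layout from the original question, as an added example that is not code from either message or from Zend Framework itself. The host name, the server key and the decision to read the company from the entry's parent OU are assumptions based on the structure Ondrej posted.

```php
<?php
// Added example, not code from the thread. Assumes Ondrej's layout:
// ou=<customer>,dc=customers,dc=local containing inetOrgPerson entries
// whose uid is the e-mail address. Host name and server key are placeholders.
require_once 'Zend/Auth/Adapter/Ldap.php';
require_once 'Zend/Ldap/Filter.php';
require_once 'Zend/Ldap/Dn.php';

function authenticateCustomer($email, $password)
{
    $options = array(
        'customers' => array(                        // one entry per server
            'host'                => 'ldap.example.com',
            'baseDn'              => 'dc=customers,dc=local',
            // Locate the entry by filter and bind with its DN instead of
            // deriving a domain-style account name from the username.
            // Add 'username'/'password' here if anonymous search is refused.
            'bindRequiresDn'      => true,
            'accountFilterFormat' => '(&(objectClass=inetOrgPerson)(uid=%s))',
            // Keep the whole e-mail address; no split at the '@' sign.
            'tryUsernameSplit'    => false,
        ),
    );

    $adapter = new Zend_Auth_Adapter_Ldap($options, $email, $password);
    $result  = $adapter->authenticate();
    if (!$result->isValid()) {
        return null;     // reasons are in $result->getMessages()
    }

    // Re-read the user with the bound connection. Zend_Ldap_Filter escapes
    // the value, so an address containing '*', '(' or ')' cannot change
    // the meaning of the filter.
    $ldap   = $adapter->getLdap();
    $filter = Zend_Ldap_Filter::equals('uid', $email)
        ->addAnd(Zend_Ldap_Filter::equals('objectClass', 'inetOrgPerson'));
    $users  = $ldap->search($filter, 'dc=customers,dc=local');
    if (count($users) !== 1) {
        return null;     // ambiguous directory data; treat as a failure
    }
    $user = $users->getFirst();

    // The company is the entry's parent OU: take it from the DN rather than
    // searching the whole tree for any OU with the same name.
    $orgDn = Zend_Ldap_Dn::fromString($user['dn'])->getParentDn();
    $org   = $ldap->getEntry($orgDn->toString());

    return array('user' => $user, 'organisation' => $org);
}
```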

-----Original Message-----
From: Ondrej Ivanič [mailto:ondrej.ivanic@gmail.com]
Sent: Friday, 20 November 2009 05:56
To: fw-auth@lists.zend.com
Subject: [fw-auth] trouble with Zend_Auth_Adapter_Ldap

Hi

I had to implement a Zend_Amf auth service against LDAP, which seemed like
an easy task but wasn't (maybe I missed something).

Zend_Amf_Server requires you to use Zend_Amf_Auth_Abstract as a base class
because the abstract class provides an additional method for setting
credentials. Another surprise came with Zend_Auth_Adapter_Ldap, which
doesn't like an e-mail address as a uid. I always got the error message
'ondrej' not found (ondrej@example.com). We use the following LDAP
structure:
dc=customers, dc=local (<- baseDn)
    ou=customer1
        uid=ondrej@example.com
        uid=user1@example.com
    ou=customer1
        uid=user1@example.com
        uid=user2@example.com
and customers use (email, password) as credentials for login.

Basically, I had to copy almost everything from the
Zend_Auth_Adapter_Ldap::authenticate() method (it's not possible to extend
it because Zend_Amf_Server requires Zend_Amf_Auth_Abstract as a base
class) and add a few searches because I need the associated user and
company information.

Is there a better solution?
Thanks,

-class Zend_Auth_Adapter_Ldap implements Zend_Auth_Adapter_Interface
+class Amf_Auth_Ldap extends Zend_Amf_Auth_Abstract

@@ -275,15 +252,34 @@
continue;
}

- $canonicalName = $ldap->getCanonicalAccountName($username);
+ // bind with defualt credentials
+ $ldap->bind();
+ $user =
$ldap->search("(&(objectClass=inetorgperson)(uid=$username))");
+ if(1 != sizeof($user)) {
+ throw new Zend_Auth_Adapter_Exception('User: One
user expected; got ' . sizeof($user));
+ }
+ $user = $user->getFirst();
+
+ $ldap->bind($user['dn'], $password);

- $ldap->bind($canonicalName, $password);
+ $parentDn = explode(',', $user['dn'], 3);
+ if(isset($parentDn[1])) {
+ $parentDn = $parentDn[1];
+ } else {
+ throw new Zend_Auth_Adapter_Exception('Wrong LDAP
structure; expected organisation as a parent' .
sizeof($organisation));
+ }
+
+ $organisation =
$ldap->search("(&(objectClass=organizationalunit)($parentDn))");
+ if(1 != sizeof($organisation)) {
+ throw new
Zend_Auth_Adapter_Exception('Organisation: One result expected; got '
. sizeof($organisation));
+ }
+ $organisation = $organisation->getFirst();

$messages[0] = '';
$messages[1] = '';
- $messages[] = "$canonicalName authentication successful";
+ $messages[] = "$username authentication successful";

- return new
Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $canonicalName,
$messages);
+ return new
Zend_Auth_Result(Zend_Auth_Result::SUCCESS, new
FraudControl_UserInfo($user, $organisation), $messages);
} catch (Zend_Ldap_Exception $zle) {
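Review bot: the user lookup interpolates `$username` straight into the filter string, `$ldap->search("(&(objectClass=inetorgperson)(uid=$username))")`, so a value containing `*`, `(` or `)` changes what the filter matches; pass it through `Zend_Ldap_Filter::escapeValue()` or build the filter with `Zend_Ldap_Filter::equals('uid', $username)` before searching. Three smaller points in the same hunk: the 'Wrong LDAP structure' exception message appends `sizeof($organisation)` before `$organisation` is assigned, which gives an undefined-variable notice and a meaningless number; the organisation search runs `($parentDn)` against the whole base, so it finds any OU whose RDN matches rather than the entry's real parent, and `explode(',', $user['dn'], 3)` breaks on DNs with escaped commas, whereas `Zend_Ldap_Dn::fromString($user['dn'])->getParentDn()` used as the base of a `getEntry()` call reads the actual parent; and `$ldap->bind($user['dn'], $password)` is not preceded by a check that `$password` is non-empty, so confirm the Zend_Ldap instance keeps the `allowEmptyPassword` option off, otherwise an empty submission would pass as an unauthenticated bind.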


--
Ondrej Ivanic
(ondrej.ivanic@gmail.com)
