LDAP to Eloquent for forcing login

[yakatz]

I have a third party authentication provider that some of my users use. I have their outside username stored in my LDAP server. Without a database, I was able to just pass that object to Auth::login() and the user would be logged in. Now I am switching to use a backing database and I can't find a way to convert these users.

use LdapRecord\Models\FreeIPA\User as LdapUser;

public function login(Request $request)
{
    // Use apereo/phpcas to get SSO user
    $cas_manager = app(CasManager::class);

    if( ! $cas_manager->checkAuthentication() )
    {
        $cas_manager->authenticate();
    }

    $cas_username =  $cas_manager->user();

    $authPerson = $this->findPersonOrFail($cas_username);
    Auth::login($authPerson, false);

    return redirect()->intended('/');
}

public function findPersonOrFail($username)
{
    $users = LdapUser::where('SSO_UID', $username)->get();

    $user = null;
    switch ($users->count()) {
        case 1:
            $user = $users->first();
            break;
        case 0:
            abort(403, "There are no users with the SSO ID '{$username}'. If you think this is in error, please contact the helpdesk with your employee number, username and SSO ID.");
            break;
        default:
            abort(403, "There is more than one user with the SSO ID '{$username}'. This is not currently supported.");
            break;
    }

    return $user;
}

The error message now is Illuminate\Auth\SessionGuard::login(): Argument #1 ($user) must be of type Illuminate\Contracts\Auth\Authenticatable, LdapRecord\Models\FreeIPA\User given.

I don't see a simple way to convert the LdapUser into an EloquentUser. I thought I could call Import\Synchronizer::createOrFindEloquentModel(), but it seems like that will require tons of setup since I can't load the existing UserSyncronizer from the service container (as far as I can tell).

Suggestions?

[yakatz]

This seems like a fragile hack to me - looking for a better answer...

public function findPersonOrFail($username)
{
    $users = LdapUser::where('SSO_UID', $username)->get();

    $user = null;
    switch ($users->count()) {
    case 1:
        $user = $users->first();
        break;
        case 0:
            abort(403, "There are no users with the SSO ID '{$username}'. If you think this is in error, please contact the helpdesk with your employee number, username and SSO ID.");
            break;
        default:
            abort(403, "There is more than one user with the SSO ID '{$username}'. This is not currently supported.");
            break;
    }

    Auth::getProvider()->setAuthenticatingUser($user);
    $eloquentUser = Auth::getProvider()->getLdapUserSynchronizer()->run($user);
    $eloquentUser->save();

    return $eloquentUser;
}

[stevebauman]

Hi @yakatz,

The FreeIPA\User model doesn't implement the Laravel Authenticatable interface, as the ActiveDirectory\User and OpenLDAP\User does. This is due to me not having a FreeIPA server to test with, so I'm not able to ensure it's capability.

If you're just looking to create a session for the LDAP user, then extend the FreeIPA\User model with your own and implement the Authenticatable interface. You may also add the CanAuthenticate trait to this model, which will supply the methods that the Authenticatable interface requires. Ex:

namespace App\Ldap;

use Illuminate\Contracts\Auth\Authenticatable;
use LdapRecord\Models\FreeIPA\User as BaseUser;
use LdapRecord\Models\Concerns\CanAuthenticate;

class User extends BaseUser implements Authenticatable
{
    use CanAuthenticate;
}

Once you're able to get your FreeIPA user model properly setup for authentication, consider submitting a pull request that implements the Authenticatable interface to the FreeIPA\User model, so we know it works! 👍

If you're looking for importing your FreeIPA users into your local applications database, then let me know and I can assist you with the implementation.

[yakatz]

I have a FreeIPA model from Adldap2 that I am working on moving - I need to set up a test environment to make the smallest possible changes.

I am definitely interested in the database import. I see the sync happens in retrieveByCredentials. I wonder if it would just make sense to have a retrieveByLDAPQuery method which does the same thing and it more generalizable.

[stevebauman]

If you're looking to import users manually, then you can either utilize the Importer or the LdapUserImporter which is utilize by the php artisan ldap:import command:

use LdapRecord\Laravel\Import\Importer;

use App\User as DatabaseUser;
use LdapRecord\Models\FreeIPA\User as LdapUser;

// Importing multiple users.
$imported = (new Importer())
    ->setLdapModel(LdapUser::class)
    ->setEloquentModel(DatabaseUser::class)
    ->setSyncAttributes([
        'name' => 'cn',
        'email' => 'mail',
    ])->execute();

// Importing one user.
$user = LdapUser::where('cn', '=', 'My User')->firstOrFail();

$imported = (new Importer())
    ->setLdapObjects(collect($user))
    ->setEloquentModel(DatabaseUser::class)
    ->setSyncAttributes([
        'name' => 'cn',
        'email' => 'mail',
    ])->execute();

You can also utilize the Synchronizer or UserSynchronizer.

I am definitely interested in the database import. I see the sync happens in retrieveByCredentials. I wonder if it would just make sense to have a retrieveByLDAPQuery method which does the same thing and it more generalizable.

There's a ton of utility in the source that you can utilize outside of the authentication driver. The authentication driver basically glues the functionality of the synchronizer, importer and auth config together.