Security & the User Class

Hey Antonio!

We're not planning one at this time, but I'd be happy to help if you have some specific questions - and if I know the answers ;).

Cheers!

Hey Ryan, can I ask you a question about ldap?

I have a symfony 5 application that works just great on centos 8 (on azure) with Apache 2.4.46.

But now we want ldap to do the authentication.
I have used ldap before with symfony 3 on a windows server. This works great. We even have 'single signon' working

But the problem is, i can not get it to work with centos 8, apache and symfony 5.

• I have modules installed on centos8. like ldap_module and authnz_ldap_module.
• I also have http2 protocol working.
• We have ssl working
• installed ldap: "symfony/ldap": "5.1.*",
• security bundle: "symfony/security-bundle": "^5.1",

Also created a virtual host on centos.

<VirtualHost *:8443>
        Protocols h2 http/1.1
        ServerName xxx
        DocumentRoot /var/www/html/portal/public
        DirectoryIndex /index.php
        
        <  Directory /var/www/html/portal/public  >
                AllowOverride All
                Order Allow,Deny
                Allow from All
                Satisfy any
                AuthType Basic
                AuthName "LDAP authentication"
                AuthBasicProvider ldap
               Require valid-user
        </Directory>

This is my security.yaml.

    
firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        main:
            stateless: true
            http_basic_ldap:
                service: Symfony\Component\Ldap\Ldap
                dn_string: 'uid={username},dc=example,dc=com'

This is services.yaml:

    
Symfony\Component\Ldap\Ldap:
        arguments: ['@Symfony\Component\Ldap\Adapter\ExtLdap\Adapter']
    Symfony\Component\Ldap\Adapter\ExtLdap\Adapter:
        arguments:
            -   host: xxx
                port: 389
                encryption: ssl
                options:
                    protocol_version: 3
                    referrals: false

I do get the ldap popup that asks for my username and password. But is won't open up the application. The popup is coming back.
In symfony logs i get no error messages.
In apache error logs i get

[Tue Aug 25 07:03:46.027059 2020] [lbmethod_heartbeat:notice] [pid 36808:tid 140326978189504] AH02282: No slotmem from mod_heartmonitor<br />[Tue Aug 25 07:03:46.066243 2020] [mpm_event:notice] [pid 36808:tid 140326978189504] AH00489: Apache/2.4.46 (codeit) OpenSSL/1.1.1g PHP/7.3.21 configured -- resuming normal operations<br />[Tue Aug 25 07:03:46.066298 2020] [core:notice] [pid 36808:tid 140326978189504] AH00094: Command line: 'httpd -f /etc/httpd/conf/httpd1.conf'<br />

Can you help me out please? I REALLY would appreciate this!

Thanks in advance and keep up this great work you're doing!!!

Hi truuslee!

I'm far from an LDAP expert (more of a novice really!, but since you seem to know it well, let's see if we can figure this out together ;).

The first question that comes to mind is: does the Symfony application ever get triggered. I'm curious if that HTTP basic popup is coming from Symfony or if it's coming from Apache. You could determine this by opening your public/index.php file and putting a die('executed'); line right after the opening PHP tag.

What I don't know (because I'm such a novice on this topic) is what config you're supposed to have in Apache to get this to work. Do you need that Apache LDAP configuration at all? I really don't know and I could absolutely be mistaken, but it almost looks like we're implementing LDAP HTTP basic authentication at the Apache level (which may not be working correctly) and then again on the Symfony level. The Symfony http_basic_ldap should be able to handle everything on its own (as long as it can communicate to the LDAP server). I don't think (?) that Apache should be involved in any ways. But, these are guesses :).

Let me know if any of this makes sense, and if the Symfony app is actually being executed.

Cheers!

Thank you Ryan for your quick response. You're the best.

The die('executed') is being reached. On Apache I don't have to do any configuration at all? Only make sure the ldap modules are installed?
All the ldap configuration needs to be done in Symfonies service.yaml and security.yaml?

Many many thanks !!!

Hi truuslee!

> On Apache I don't have to do any configuration at all? Only make sure the ldap modules are installed?

Unfortunately, I have no idea! But yes, this is my "feeling". If you have all the ldap configuration and connection information inside Symfony, this means that Symfony is talking directly to the LDAP server. If that's the case, then I can't think of why you would need anything in Apache. A similar thing happens with normal (non-LDAP) HTTP Basic: Apache *does* have a feature to use HTTP basic directly inside of it. But usually, you don't use that at all, and instead configure Symfony to do HTTP basic.

> The die('executed') is being reached

Ok! You've already told me that the Symfony logs don't have an errors. I would double-check that again - look very closely for anything related to security. There may not be anything, but I'm trying to be sure. Also, completely remove the LDAP stuff from Apache. Does the HTTP basic popup still happen? Im trying to determine if the HTTP basic popup is coming from Apache or Symfony.

Finally, you may need to do some debugging in the core of Symfony to figure out what's failing. In theory, after Symfony shows you the HTTP basic popup, when you submit, Symfony should grab the username and password that were entered and call the checkAuthentication() method in this class - https://github.com/symfony/...

I would add a die() statement in there to make sure it's being executed. And you may also be able to figure out why/when it's failing if it IS executed.

Let me know what you find out!

Cheers!

Hello Ryan,

I'm debugging LdapBindAuthenticationProvider.php
What's really weird is that it says i've entered a bad password.

`catch (ConnectionException $e) {

   print('bad password');die;
   throw new BadCredentialsException('The presented password is invalid.');

}
`
This is in the function 'checkAuthentication'.

I tried with other credentials, same error.
Did a print of the username and password. It's all there.

But at least now i know where it's going bad.
If you any idea why this is happening, what i have to check, please write to me.
Many thanks in advance.

Cheers!!!

Hey truuslee!

Excellent debugging! Hmm. So, once you're inside of checkCredentials(), this is all raw, Ldap logic, which I imagine would indicate some sort of misconfiguration... or something. This is where my lack of LDAP knowledge renders me a bit useless ;).

But, there is one thing that stands out: the BadCredentialsException is being thrown inside a catch for a ConnectionException. I would add dd($e) right before the exception is thrown so that you can actually see the error. It may be that there are multiple possible reasons for this error (maybe the LDAP server can't even be reached!) and that, for security reasons, all of those are being caught and given the generic "The presented password is invalid." error.

Let me know what you find :).

Cheers!

Hello Ryan,
I can run the code on development now. Before today i could only debug this code on production. And that is very difficult.
So i think i will find the problem now. Thanks for all your help and keep up the good work!!!

With kind regards,
Annemieke Buijs

Hey Ryan,

Thanks for helping me out.
I'm the only programmer here, so sometimes it just helps to talk to somebody about the problems i'm facing.

This is a dump of the '$e'

`Symfony\Component\Ldap\Exception\ConnectionException {#320 ▼
#message: "<b>Can't contact LDAP server"</b>
#code: 0
#file: "/var/www/html/portal/vendor/symfony/ldap/Adapter/ExtLdap/Connection.php"
#line: 70
trace: {▼

/var/www/html/portal/vendor/symfony/ldap/Adapter/ExtLdap/Connection.php:70 {▶}
/var/www/html/portal/vendor/symfony/ldap/Ldap.php:40 {▼
  Symfony\Component\Ldap\Ldap->bind(string $dn = null, string $password = null) …
  › {
  ›     $this->adapter->getConnection()->bind($dn, $password);
  › }
  arguments: {▼
    $dn: "uid=abu,dc=example,dc=com"
    $password: "xxx"
  }
}
/var/www/html/portal/vendor/symfony/security-core/Authentication/Provider/LdapBindAuthenticationProvider.php:104 {▶}
/var/www/html/portal/vendor/symfony/security-core/Authentication/Provider/UserAuthenticationProvider.php:80 {▶}
/var/www/html/portal/vendor/symfony/security-core/Authentication/AuthenticationProviderManager.php:81 {▶}
/var/www/html/portal/vendor/symfony/security-http/Firewall/BasicAuthenticationListener.php:86 {▶}
/var/www/html/portal/vendor/symfony/security-http/Firewall/AbstractListener.php:27 {▶}
/var/www/html/portal/vendor/symfony/security-http/Firewall.php:111 {▶}
/var/www/html/portal/vendor/symfony/security-http/Firewall.php:84 {▶}
/var/www/html/portal/vendor/symfony/event-dispatcher/EventDispatcher.php:270 {▶}
/var/www/html/portal/vendor/symfony/event-dispatcher/EventDispatcher.php:230 {▶}
/var/www/html/portal/vendor/symfony/event-dispatcher/EventDispatcher.php:59 {▶}
/var/www/html/portal/vendor/symfony/http-kernel/HttpKernel.php:133 {▶}
/var/www/html/portal/vendor/symfony/http-kernel/HttpKernel.php:79 {▶}
/var/www/html/portal/vendor/symfony/http-kernel/Kernel.php:196 {▶}
/var/www/html/portal/public/index.php:28 {▼
  › $request = Request::createFromGlobals();
  › $response = $kernel->handle($request);
  › $response->send();
  arguments: {▶}
}

}
}
`

And this is the dump of the ldap parameter in the same class.

`Symfony\Component\Ldap\Ldap {#174 ▼
-adapter: Symfony\Component\Ldap\Adapter\ExtLdap\Adapter {#175 ▼

-config: array:3 [▼
  "host" => "xxxl"
  "port" => 389
  "options" => array:1 [▼
    "protocol_version" => 3
  ]
]
-<b>connection: null</b>
-entryManager: null

}
}`

I think a major issue is that the connection parameter is empty?
Thank you in advance !

Greetz,
Annemieke

Hey Annemieke!

Thanks for helping me out.
I'm the only programmer here, so sometimes it just helps to talk to somebody about the problems i'm facing.

My pleasure - I know how this can be ;)

This is a dump of the '$e'
Symfony\Component\Ldap\Exception\ConnectionException {#320 ▼
#message: "Can't contact LDAP server"

Ok, this is kind of what I was expecting - that there is some connection issue. So, it appears - by looking in the code a bit for how the different errors are handled - that this is not an "invalid credentials" error. Instead, it's simply some sort of connection issue with the LDAP server.

But first, you mentioned:

I think a major issue is that the connection parameter is empty?

MAYBE. This property remains null until you try to connect to LDAP. So, depending on when you dumped the Ldap object (e.g. you dumped it before anyone tried to use it), it's totally normal for it to be null. You could actually play around with this Ldap object a bit if you want:

$ldap = // the Ldap object that you dumped earlier
$ldap->bind($dn, $password); // this line will likely explode - it's what the security system is doing internally

I don't know if being able to play with the Ldap object more directly will help... I just think there is some sort of connection error. And so, I would back up and see if you are able to connect to the Ldap server in general. You could do this 2 different ways:

a) Create a little play.php script anywhere on your filesystem, and see if you can manually use ldap_connect() and ldap_bind() with your connection config to successfully connect to the LDAP server - https://www.php.net/manual/en/ldap.examples-basic.php - run the file at your terminal via php play.php

b) Install the OpenLDAP utilities - https://www.digitalocean.com/community/tutorials/how-to-manage-and-use-ldap-servers-with-openldap-utilities - and see if you can connect to the LDAP server at the command line.

I'm quite (but not absolutely, as LDAP is not my expertise) certain that there is a connection problem to the LDAP server. Either it's simply not accessible, or we have the wrong connection config.

Cheers!

Hey Ryan, thanks again for all your help.
The Play.php works fine on production. No problem.

But the function ldap_bind in LdapBindAuthenticationProvider.php is somehow different?

in play.php:
ldap_bind($ds, $dn, $password)

in LdapBindAuthenticationProvider.php:
ldap_bind($dn, $password)

As you can guess, the connection works, the ldap bind works in play.php, but ldap_bind does not work in LdapBindAuthenticationProvider.php

You still want to help me?

Greetz from the Netherlands (stroopwafels)

Hi truuslee !

Excellent debugging! And, I love stroopwafels ;). We were in Amsterdam last year for SymfonyCon, so we enjoyed many fresh stroopwafels ;).

Ok, so we know the connection to the LDAP server on production is working - that's an awesome step. Now, you mentioned:

in play.php:
ldap_bind($ds, $dn, $password)

in LdapBindAuthenticationProvider.php:
ldap_bind($dn, $password)

That's not quite accurate. In LdapBindAuthenticationProvider, the code is $this->ldap->bind($dn, $password) - https://github.com/symfony/symfony/blob/c649bfa9d48a07f00bcd1e47aaad5018e88148bf/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php#L104 - that is not calling the ldap_bind function directly. Instead, this ultimately calls this https://github.com/symfony/symfony/blob/c649bfa9d48a07f00bcd1e47aaad5018e88148bf/src/Symfony/Component/Ldap/Adapter/ExtLdap/Connection.php#L54-L60 - and that calls the ldap_bind. I'm mentioning this to show that, in both play.php and LdapBindAuthenticationProvider, eventually, the ldap_bind() function is being called with the same 3 arguments - so it's not that Symfony is missing the first argument :).

Here is what I would do next (if you're able to do this - ideally you would do it on production, or at least on a server where you KNOW that ldap_bind() is working): go into the core Ldap connection class - https://github.com/symfony/symfony/blob/c649bfa9d48a07f00bcd1e47aaad5018e88148bf/src/Symfony/Component/Ldap/Adapter/ExtLdap/Connection.php#L54-L60 - and hack in some temporary debugging code:

A) Right before this line, I would add var_dump($dn, $password);die; and then test. This will tell you if the $dn and $password are what you expect (and what you have in play.php).

B) Next, right before this line - https://github.com/symfony/symfony/blob/c649bfa9d48a07f00bcd1e47aaad5018e88148bf/src/Symfony/Component/Ldap/Adapter/ExtLdap/Connection.php#L136 - add var_dump($this->config['connection_string']);die;. This will tell you if the argument that you're passing to ldap_connect() is what you expect.

As you can see, now that you've verified that you ARE able to talk to the LDAP server and you have it working in play.php, it seems to me that we must just have some invalid configuration somewhere in our Symfony app. That's what I'm trying to debug :).

Cheers!

Hi Ryan, (Mr. Stroopwafel). I was there at the SymfonyCon in Amsterdam. That was a real nice con. And i listened to your speech, the rest of the day I had stroopwafels on my mind!

I've got ldap working. It was indeed just getting the config right. So it's up and running now on production. Ldap is a great tool, but because i didn't create it myself there's a lot i don't know. But mainly thanks to you i relaxed and started to look good at the code again.
Thank you very much Ryan, please keep doing what you 're doing.
And maybe until the next Con!

Annemieke

Hey Annemieke!

> I was there at the SymfonyCon in Amsterdam. That was a real nice con

:). I was wondering if you were! I also really enjoyed that conference - and I particularly enjoyed Amsterdam (unfortunately, I didn't have time to visit other parts of the country).

> I've got ldap working. It was indeed just getting the config right

Woohoo! Yea, this is a particularly hard area because Symfony, sort of, "hides" the real error from us (remember, it originally was "The presented password is invalid") so that *real* errors aren't leaked to the user. Nice job sticking with it pulling back the pieces until the bad config presented itself :).

> And maybe until the next Con!

I sure hope so - whenever that will be!

Cheers!

Hey AbelardoLG,

Yeah, now when symfony/lts package is abandoned - you can get rid of it. First, make sure you have symfony/flex in your dependencies and then you can remove it with "composer remove symfony/lts". But it's not required, so you skip this warning, especially if you're working on a demo project you downloaded from SymfonyCasts.

Cheers!

Hi there, victor : Thanks for your words! ;)

Hey AbelardoLG,

Yes, according to this deprecation warning: https://github.com/doctrine... - you need to use "\Doctrine\Persistence\ManagerRegistry" instead of "Doctrine\Common\Persistence\ManagerRegistry" since doctrine/persistence 1.3.

I hope this helps!

Cheers!

Hey Alexandre,

Thank you for this tip! Actually, there's even easier solution, check Composer docs for more info: https://getcomposer.org/doc...

Cheers!

I solved my issue.

Thanks for replying a Sunday evening! :)

Best regards.

Hi.
I am building a login form with security bundle (yes, I am trying to replicate your example but for my app). I understand you mean I should export the creation script of the table user in dev and import into the mysql in prod environment, right?

I have to create a table in prod in order to pair my entity user into mysql (it's the engine database I am using).

Hey Cheshire Y.

That line was automatically added after creating the User class. You can check it here: https://symfonycasts.com/sc...
What it basically does is to reload the User from session at the start of a request, and for other internal functionalities of Symfony (like the SwitchUser mechanishm)

Cheers!

Hey there!

Hmm. Did you download the course code from this page? Or are you using something different? I just checked the downloadable code on this page, and it *did* install without any issues. However, I noticed that some of the versions of my libraries (from the code download) are different than your version - for example "doctrine/persistence" (which is related to your error) is 1.1.0 in your pastebin but is 1.3.7 in both the start and finish code from the download.

Let me know - I *do* know this error (Doctrine split some of their libraries into smaller pieces, and so sometimes you can get annoying dependency mismatches).

Cheers!

Thanks for the reply. Turns out Windows had the maximum path length limit turned on, and composer just silently failed to write those files instead of warning me.

However, I'm now getting a new error:

Executing script cache:clear [KO]
 [KO]
Script cache:clear returned with error code 1
!!
!!  In FileLocator.php line 71:
!!
!!    The file "services.xml" does not exist (in: C:\Users\username\Google Drive\Technische Keuzemodule (SymfonyCasts
!!     keuzevak)\Uitwerkingen\5. Symfony Security - Beautiful Authentication, Powerful Authorization\vendor\doctrine\doct
!!    rine-migrations-bundle\DependencyInjection/../Resources/config/).```



I've done `git diff --no-index "the config directory from the download" "the config directory after finishing the previous course"` and the only difference were in a few files that had nothing to do with doctrine.


Neither the current course that I'm trying to install nor the previous one had a file named `services.xml`, so I've got no idea what's going wrong here. Google isn't giving me very useful results.

Hey Why!

Look at the path! From the error you can see that services.xml file does not exist in vendor/ directory. I'd recommend you to remove your vendor/ directory completely and install the dependancies again. You literally should do:

$ rm -rf vendor/
$ composer install

Does it help? Btw, which version of Composer do you use? You can check it with "composer --version" command. If you're using Composer 2.0 - it might be related to the problem. Try to install the dependencies using the 1.x Composer, you can download the latest 1.x version of Composer from the official website right to the project dir and execute it from there like:

$ php ./composer.phar install

Does it help?

Cheers!

Didn't, already tried.

But I finally found the cause, was again related to path name length. Windows did actually have that services.xml file, but PHP failed to read it or recognize that it existed. Shortening the path name fixed it.

Interesting... so PHP couldn't read the path because it was too long?

Hey Emad,

Unfortunately, I can't see your images because the access is restrict to them. Could you make them public and let us know? Or please, upload the images to any public image server e.g. Imgur.com . Or, at least, copy/paste the error in your comment, please. Otherwise we can't help you without knowing the error :)

Cheers!

thanks for your reply and sorry for being late

first image
https://imgur.com/a/TbVIhRC

second image
https://imgur.com/bwqAuYE

Hey Emad,

I see both images identical :) Anyway, I just double-checked: downloaded the course code and run "composer install" in the start/ directory using PHP 7.3.16 installed - it worked great without any errors. Could you re-download the project and just run "composer install" in start/ directory? Do you have the same error? Can you share the screenshot of it?

It just should work. The error I see on both your screenshots probably related to failed "composer update" operation. If do not do any updates and just run "composer install" - it should work.

I hope this helps!

Cheesr!

Hey Raed,

If you don't have "make:user" command but have other commands from MakerBundle like "make:auth", "make:entity", etc. - you probably have an old version MakerBundle that just does not have that command. Try to upgrade maker, you can do it with:

$ composer update symfony/maker-bundle

It should help. If not - let me know what version of MakerBundle you have installed, this command should help with this:

$ composer info symfony/maker-bundle

The 2nd error means that looks like you don't have symfony security package that is required to be able to generate Guard authenticator with "make:auth" command. First, try to do exactly what the command says - install security package with:

$ composer require security

And see what output does it show you. Probably there was some failed installation of it.

Cheers!

Hey @Victor Bocharsky,

Thank you so much for your prompt reply, i did re-update the maker-bundle and
run composer require security but it was not helpful
i got this output:
Cannot autowire service "App\Repository\ArticleRepository": argument "$registry" of method "__construct()" references interface "Symfony\Bridg
e\Doctrine\RegistryInterface" but no such service exists. Try changing the type-hint to "Doctrine\Persistence\ManagerRegistry" instead.

<b>Infos after running composer info symfony/maker-bundle</b>

autoload
psr-4
Symfony\Bundle\MakerBundle\ => src/

requires
doctrine/inflector ^1.2
nikic/php-parser ^4.0
php ^7.1.3
symfony/config ^3.4|^4.0|^5.0
symfony/console ^3.4|^4.0|^5.0
symfony/dependency-injection ^3.4|^4.0|^5.0
symfony/filesystem ^3.4|^4.0|^5.0
symfony/finder ^3.4|^4.0|^5.0
symfony/framework-bundle ^3.4|^4.0|^5.0
symfony/http-kernel ^3.4|^4.0|^5.0

requires (dev)
doctrine/doctrine-bundle ^1.8|^2.0
doctrine/orm ^2.3
friendsofphp/php-cs-fixer ^2.8
friendsoftwig/twigcs ^3.1.2
symfony/http-client ^4.3|^5.0
symfony/phpunit-bridge ^4.3|^5.0
symfony/process ^3.4|^4.0|^5.0
symfony/security-core ^3.4|^4.0|^5.0
symfony/yaml ^3.4|^4.0|^5.0

<b>ArticleRepository class</b>

`namespace App\Repository;

use App\Entity\Article;
use Doctrine\ORM\QueryBuilder;
use Doctrine\Common\Collections\Criteria;
use Symfony\Bridge\Doctrine\RegistryInterface;
use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;

/**

• @method Article|null find($id, $lockMode = null, $lockVersion = null)
• @method Article|null findOneBy(array $criteria, array $orderBy = null)
• @method Article[] findAll()
• @method Article[] findBy(array $criteria, array $orderBy = null, $limit = null, $offset = null)
  */
  class ArticleRepository extends ServiceEntityRepository
  {
  public function __construct(RegistryInterface $registry)
  {

   parent::__construct($registry, Article::class);
  

  }`

I appreciate your help ! Thanks

Hey Raed,

Well, actually, it helped as far as I see, right? At least, you have a different error now :) So I believe you do have that "make:user" command, run "bin/console make:user --help" to make sure it is available. Or just "bin/console make:" one and look it in the list of available commands from Maker bundle.

About another error you see - looks like you upgraded too much, I suppose you did "composer update"? If so, it looks like it upgraded not only the Maker bundle but all your packages, including Doctrine package. Basically, you need to do what the error message suggest you, change typehint from "RegistryInterface" to "ManagerRegistry" in your "ArticleRepository" (and probably in other entity repositories too).

I hope this helps!

Cheers!

Hey victor ,

Thanks a lot for your reply & help !

Yes it helped so much that we could kill the first error successfully :-)

- looks like you upgraded too much, YES ,i thought upgrading would help me solve the problem, afterwards, i did change typehint from "RegistryInterface" to "ManagerRegistry" only in "ArticleRepository" ignoring that i should have also changed it in all other repositories,
finally, i re-started the project with only installing the composer, and no error showed after.
I'm glad that i made this type of error :-) Because you just uncovered a lot behind the scene ! Thanks again !

Hey Raed,

Haha, glad you got it working :) Yeah, it depends on project but sometimes you need to do some minor tweaks after packages upgrade, and fixing errors step by step should help moving forward.

Cheers!

Hey Nathan

Looks like you got outdated code, can you re-download it and try again? if you will get same notice again, than share please your php and doctrine/orm versions

Cheers!

Hey juantreses

Let me see if I got it right. You copied all the files from the start directory to a new folder in your system? Then, you ran composer install without any problems until you ran php bin/console server:run?

If that's the case, I think something went wrong during the process. Try clearing the cache manually and re-install your vendors
I hope it does the job but if not, please let me know

Cheers!

So, it appears I was confusing a branch and a worktree in git workflow. So I started over in a new directory and everything is working fine now.

Now my question is: How can I get these two different directories on the same repository but a different working tree?

you could create a branch per each directory