new: Add support for LDAP authentication

.env

@@ -21,3 +21,43 @@ MAILER_FROM=support@example.com
 # You should not change this value unless you know what you're doing.
 # More documentation at https://symfony.com/doc/current/messenger.html#transport-configuration
 MESSENGER_TRANSPORT_DSN=doctrine://default?auto_setup=0
+
+######################
+# LDAP configuration #
+######################
+# Set to true to use LDAP.
+LDAP_ENABLED=false
+
+# The hostname of the LDAP server.
+LDAP_HOST="ldap"
+
+# The port of the LDAP server.
+LDAP_PORT=1389
+
+# The version of LDAP used by the server.
+LDAP_VERSION=3
+
+# The encryption used to connect to the LDAP server (can be 'none', 'ssl', 'tls').
+LDAP_ENCRYPTION="none"
+
+# The base DN of the LDAP directory.
+LDAP_BASE_DN="dc=example,dc=com"
+
+# The credentials of the admin user of the LDAP directory.
+LDAP_ADMIN_DN="cn=admin,dc=example,dc=com"
+LDAP_ADMIN_PASSWORD="secret"
+
+# The DN to log a user in the LDAP directory. The {user_identifier} placeholder
+# will be replaced by the value entered by the users.
+LDAP_USERS_DN="cn={user_identifier},ou=users,dc=example,dc=com"
+
+# The search query to find users in the LDAP directory when they aren't know by
+# Bileto. The {user_identifier} placeholder will be replaced by the value
+# entered by the users. If you use a different attribute than in LDAP_USERS_DN,
+# make sure that the values are identical in the LDAP directory.
+LDAP_SEARCH_QUERY="(uid={user_identifier})"
+
+# The name of the LDAP attributes to search for the email and the fullname of
+# the users.
+LDAP_FIELD_EMAIL=mail
+LDAP_FIELD_FULLNAME=displayName

.env.test

@@ -1,3 +1,5 @@
+LDAP_ENABLED=true
+
 KERNEL_CLASS='App\Kernel'
 APP_SECRET='$ecretf0rt3st'
 MAILER_DSN=null://null

.github/workflows/tests.yml

@@ -13,6 +13,7 @@ on:
 env:
     NO_DOCKER: true
     COVERAGE: --coverage-text
+    LDAP_HOST: localhost
 
 jobs:
     postgresql:
@@ -47,6 +48,19 @@ jobs:
               with:
                   php-version: ${{ matrix.php-versions }}
 
+            - name: Start OpenLDAP server
+              run: |
+                  # The server cannot be run as a normal service because it
+                  # wouldn't have access to the docker/ldap-ldifs/ folder.
+                  docker run -d \
+                      -p "1389:1389" \
+                      -v ${{ github.workspace }}/docker/ldap-ldifs:/ldifs \
+                      -e LDAP_ROOT="dc=example,dc=com" \
+                      -e LDAP_ADMIN_USERNAME=admin \
+                      -e LDAP_ADMIN_PASSWORD=secret \
+                      -e BITNAMI_DEBUG=true \
+                      bitnami/openldap:2
+
             - name: Run the test suite
               run: make test
               env:
@@ -83,6 +97,19 @@ jobs:
               with:
                   php-version: ${{ matrix.php-versions }}
 
+            - name: Start OpenLDAP server
+              run: |
+                  # The server cannot be run as a normal service because it
+                  # wouldn't have access to the docker/ldap-ldifs/ folder.
+                  docker run -d \
+                      -p "1389:1389" \
+                      -v ${{ github.workspace }}/docker/ldap-ldifs:/ldifs \
+                      -e LDAP_ROOT="dc=example,dc=com" \
+                      -e LDAP_ADMIN_USERNAME=admin \
+                      -e LDAP_ADMIN_PASSWORD=secret \
+                      -e BITNAMI_DEBUG=true \
+                      bitnami/openldap:2
+
             - name: Run the test suite
               run: make test
               env:

Makefile

@@ -26,6 +26,10 @@ else
 	DOCKER_COMPOSE_PROFILE = --profile pgsql
 endif
 
+ifdef LDAP
+	DOCKER_COMPOSE_PROFILE += --profile ldap
+endif
+
 ifndef COVERAGE
 	COVERAGE = --coverage-html ./coverage
 endif

composer.json

@@ -8,6 +8,7 @@
         "ext-ctype": "*",
         "ext-iconv": "*",
         "ext-intl": "*",
+        "ext-ldap": "*",
         "ext-pdo": "*",
         "ext-sodium": "*",
         "ext-xsl": "*",
@@ -23,6 +24,7 @@
         "symfony/flex": "^2",
         "symfony/framework-bundle": "6.3.*",
         "symfony/html-sanitizer": "6.3.*",
+        "symfony/ldap": "6.3.*",
         "symfony/mailer": "6.3.*",
         "symfony/messenger": "6.3.*",
         "symfony/proxy-manager-bridge": "6.3.*",

config/packages/security.yaml

@@ -12,6 +12,7 @@ security:
             entity:
                 class: App\Entity\User
                 property: email
+
     firewalls:
         dev:
             pattern: ^/(_(profiler|wdt)|css|images|js)/
@@ -21,10 +22,8 @@ security:
             lazy: true
             provider: app_user_provider
 
-            form_login:
-                login_path: login
-                check_path: login
-                enable_csrf: true
+            custom_authenticators:
+                - App\Security\FormLoginAuthenticator
 
             logout:
                 path: logout

config/services.yaml

@@ -42,6 +42,18 @@ services:
         arguments:
             - "%kernel.project_dir%/public/icons.svg"
 
+    Symfony\Component\Ldap\Ldap:
+        arguments: ['@Symfony\Component\Ldap\Adapter\ExtLdap\Adapter']
+        tags:
+            - ldap
+
+    Symfony\Component\Ldap\Adapter\ExtLdap\Adapter:
+        arguments:
+            - host: '%env(LDAP_HOST)%'
+              version: '%env(int:LDAP_VERSION)%'
+              port: '%env(int:LDAP_PORT)%'
+              encryption: '%env(LDAP_ENCRYPTION)%'
+
 when@dev:
     services:
         _defaults:

docker/Dockerfile

@@ -9,13 +9,14 @@ ENV COMPOSER_HOME /tmp
 RUN apt-get update && apt-get install -y \
     git \
     libicu-dev \
-    libzip-dev \
-    unzip \
+    libldap-dev  \
     libpq-dev \
     libxslt-dev \
+    libzip-dev \
+    unzip \
   && pecl install xdebug \
   && docker-php-ext-configure intl \
-  && docker-php-ext-install -j$(nproc) intl zip pdo pdo_pgsql pdo_mysql xsl \
+  && docker-php-ext-install -j$(nproc) intl ldap pdo pdo_mysql pdo_pgsql xsl zip \
   && docker-php-ext-enable xdebug \
   && echo "xdebug.mode=coverage" >> /usr/local/etc/php/conf.d/docker-php-ext-xdebug.ini;
 

docker/docker-compose.yml

@@ -63,3 +63,18 @@ services:
         ports:
             - "3025:3025"
             - "3143:3143"
+
+    ldap:
+        image: bitnami/openldap:2
+        ports:
+            - "1389:1389"
+            - "1636:1636"
+        environment:
+            - LDAP_ROOT=dc=example,dc=com
+            - LDAP_ADMIN_USERNAME=admin
+            - LDAP_ADMIN_PASSWORD=secret
+            - BITNAMI_DEBUG=true
+        volumes:
+            - ./ldap-ldifs:/ldifs:z
+        profiles:
+            - ldap