This repository has been archived by the owner on Dec 11, 2023. It is now read-only.

Personalize role mapping #18

Open
matracine opened this issue Sep 29, 2016 · 6 comments

Comments

@matracine

With my OpenLDAP schema, group mapping is not done with the "memberof" attribute in the user object. The mapping is done like this:

  • objectClass posixAccount : uid=username, gidNumber=main group
  • objectClass posixGroup : cn=groupname, gidNumber=group number, memberUid[]=uids of members.

In fact, role mapping can rely on other conditions than groups, so could you please extract the roles extraction into a protected method of the LdapUserProvider, so everybody could derive from the class to implement their own role mapping.
I could provide the class for role-to-group mapping with the posix ldap schema.
@matracine
Author

Having also a protected method to retrieve the default options would be great. This would permit setting the default search filter in the class.

@DerManoMann
Owner

If there are multiple standard ways (I assume memberof and posixGroup are standard schemes), wouldn't it be better to have a RoleResolverInterface and custom implementations that can be used?
I suppose in more complex scenarios additional LDAP queries might be necessary too, right?

@matracine
Author

I think you're right. I'm a pretty newbie in Silex/Symfony development so I didn't know this interface. I will take a look at it.
I'm an old school developer so derivation is more natural for me ;)

@matracine
Author

Again I think you're right, but just for fun, I've pushed a branch new_methods in my repo.
It's quite simple and works perfectly.
https://github.com/matracine/ldap-auth-service-provider/tree/new_methods/src/Security/Core/User

@DerManoMann
Owner

Looks reasonable.
The interface doesn't exist - it's something I made up, but by doing that all that is required would be to pass in a custom implementation in the config rather than extending code.

Say,

interface RoleResolverInterface {
    public function getRoles(array $data);
}

and then there would be another config option:

    'roleResolver' => 'Radebatz\\Silex\\LdapAuth\\Security\\Core\\User\\LdapMemberOfRoleResolver',

and the user provider would do:

$roleResolverClass = $this->options['roleResolver'];
$roleResolver = new $roleResolverClass();
$roles = $roleResolver->getRoles($userData);

The advantage, IMO, is that it would even allow using multiple resolvers (chaining them) and other custom processing.

Let me think a little more about it, tho...

@matracine
Author

Hello,
After thinking and testing around, I think you're right about the RoleResolver.
But I think also that it is necessary to have specialized Ldap(Posix|whatElse)?User, Ldap(Posix|whatElse)?Group, Ldap(Posix|whatElse)?UserProvider, and Ldap(Posix|whatElse)?RoleResolver that mask the inner structure of the ldap and could be overridden easily.
For that, in the constructors, a getDefaultOptions() call is necessary to override options in specialized classes.
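Putting the two proposals together, here is an added example (not this project's code): the RoleResolverInterface sketched earlier plus a posixGroup implementation of it, along the lines of the LdapPosixRoleResolver discussed above. The class name, the `$data` layout (user entry under `user`, group entries from a second query under `groups`, attribute names lower-cased as PHP's ldap functions return them) and the sample entries are constructed assumptions. Only groups in an explicit allow-list ever become roles, so an unexpected group in the directory cannot grant anything.

```php
<?php
// Added example, not the project's code; class name and $data layout are assumptions.

interface RoleResolverInterface
{
    /** @return string[] Symfony role names derived from LDAP data. */
    public function getRoles(array $data): array;
}

/**
 * Resolves roles from posixGroup entries (cn, gidNumber, memberUid). A user gets a group's
 * role when it is their primary group (gidNumber match) or memberUid lists their uid.
 * Only allow-listed groups map to roles; unknown groups grant nothing.
 */
class LdapPosixGroupRoleResolver implements RoleResolverInterface
{
    /** @param array<string,string> $groupRoleMap lower-cased group cn => role name */
    public function __construct(private array $groupRoleMap) {}

    public function getRoles(array $data): array
    {
        $uid = $data['user']['uid'] ?? null;
        $gid = $data['user']['gidnumber'] ?? null;
        $roles = [];
        foreach ($data['groups'] ?? [] as $group) {
            $cn = strtolower($group['cn'] ?? '');
            if (!isset($this->groupRoleMap[$cn])) {
                continue; // not in the allow-list: never becomes a role
            }
            $primary = $gid !== null && (string) ($group['gidnumber'] ?? '') === (string) $gid;
            $member = $uid !== null && in_array($uid, (array) ($group['memberuid'] ?? []), true);
            if ($primary || $member) {
                $roles[] = $this->groupRoleMap[$cn];
            }
        }
        return array_values(array_unique($roles));
    }
}

// Constructed sample data: alice's primary group is 'users', she is listed in 'admins'
// and 'guests', but only 'users' and 'admins' are mapped to roles.
$data = [
    'user'   => ['uid' => 'alice', 'gidnumber' => '1000'],
    'groups' => [
        ['cn' => 'users',  'gidnumber' => '1000', 'memberuid' => []],
        ['cn' => 'admins', 'gidnumber' => '1001', 'memberuid' => ['alice', 'bob']],
        ['cn' => 'guests', 'gidnumber' => '1002', 'memberuid' => ['alice']],
    ],
];
$resolver = new LdapPosixGroupRoleResolver(['users' => 'ROLE_USER', 'admins' => 'ROLE_ADMIN']);
print_r($resolver->getRoles($data));
```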
