CakePHP (LDAP) 中的替代身份验证源 [英] Alternative authentication sources in CakePHP (LDAP)

问题描述

我正在开发一个 CakePHP 项目，目前正在构建它的用户身份验证部分.问题是我的身份验证信息(即:密码)没有存储在我的数据库中——身份验证源是 LDAP，但我的问题同样适用于任何非数据库源.

I'm working on a CakePHP project and am currently building the user authentication part of it. The problem is that my authentication information (ie: the passwords) are not stored in my database -- the authentication source is LDAP but my question applies equally to any non-database source.

Cake 似乎只处理本地数据库中存在的密码.蛋糕食谱建议你可以告诉它一个不同的控制器/模型/对象通过使用 $this->Auth->authorize 变量提供授权过程，但是查看代码(特别是 Auth::startup() 函数)它看起来像 Cake 总是会尝试首先查询数据库，检查匹配的用户名/密码，然后再查看您使用 Auth->authorize 指定的替代对象.即修改authorize只是增加了二级过滤器，并没有替代数据库查找.

It appears as though Cake only handles passwords when they exist in the local database. The Cake Cookbook suggests that you can tell it a different controller/model/object to provide an authorization procedure by using the $this->Auth->authorize variable, however looking at the code (specifically the Auth::startup() function) it looks like Cake will always try to query the database first, checking for a matching username/password, before then looking at the alternative object you specified with Auth->authorize. That is, changing authorize only adds a second-level filter, it doesn't replace the database lookup.

// The process
1. User provides details
2. Cake checks the database
3. If OK, then check the custom object method
4. If OK, return true

// What I'd like:
1. User provides details.
2. Check the custom object method
3. If OK, return true
4. Profit.

关于如何做到这一点的任何想法，希望不会破解核心文件?

Any ideas on how to do this, hopefully without hacking the core files?

推荐答案

假设您只是绑定 LDAP 并从 MySQL 存储/检索用户数据，这种方法将作为一个桥梁"，它会自动创建成功的帐户登录:

Assuming you are simply binding against LDAP and are storing/retrieving User data from MySQL, this approach will work as a "bridge" which will automatically create accounts for successful logins:

// app/controllers/components/ldap_auth.php
<?php
App::import('Component', 'Auth');
class LdapAuthComponent extends AuthComponent {
/**
 * Don't hash passwords
 */
    function hashPasswords($data){
        return $data;
    }
/**
 * We will initially identify the user
 */
    function identify($user=null, $conditions=null) {
        // bind credentials against ldap
        $ldapUser = $this->_ldapAuth($user); // do your stuff
        if (!$ldapUser) {
            return null; // if bind fails, then return null (as stated in api)
        }
        // get the cake model you would normally be authenticating against
        $model =& $this->getModel(); // default is User
        // check for existing User in mysql
        $user = $model->find('first', array('conditions' => array(
            'username' => $ldapUser['cn']
        ));
        // if no existing User, create a new User
        if (!$user) {
            $user = $model->save(array('User' => array(
                'username' => $ldapUser['cn'],
                // .. map needed ldap fields to mysql fields ..
            )));
            if (!$user) {
                $this->cakeError('ldapCreateUser');
            }
            // pass the id of the newly created User to Auth's identify
            return parent::identify($model->id, $conditions);
        }
        // pass the id of the existing User to Auth's identify
        return parent::identify($user[$this->userModel][$model->primaryKey], $conditions);
    }
/**
 * Lets check LDAP
 *
 * @return mixed Array of user data from ldap, or false if bind fails
 */
    function _ldapAuth($user) {
        $username = $user[$this->userModel][$this->fields['username']];
        $password = $user[$this->userModel][$this->fields['password']];
        // use the php ldap functions here
        return $ldapUser;
    }
}
?>

要使用，请将您的应用程序中对 Auth 的所有引用替换为 LdapAuth 或遵循 这里的说明.

To use, replace all references to Auth with LdapAuth in your application or follow the instructions here.

请注意，尽管受保护的 _ldapAuth() 方法可以抽象为 LdapUser 模型，并且该模型应该 从 LdapSource 读取，LDAP 服务器连接设置应该 在 database.php 配置中，LdapAuthComponent 应该适应使用可配置的字段映射，这些不是完成它"的要求.:)

Note that although the protected _ldapAuth() method could be abstracted out to an LdapUser model, and that model should read from an LdapSource, and the LDAP server connection settings should be in the database.php config, and the LdapAuthComponent should be adapted to use configurable field mappings, these aren't requirements to "just get it done". :)

这篇关于CakePHP (LDAP) 中的替代身份验证源的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！