【Question title】:How to troubleshoot authentication with ActiveDirectory server
【Posted】:2021-08-23 10:33:26
【Question description】:

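I am trying to authenticate against ActiveDirectory using ldaprecord-laravel. I followed the documentation and made the necessary changes to the files. However, I ended up with only php artisan ldap:test working, while php artisan ldap:import ldap reports that there are no users to import.

When I use the online LDAP test server, I can go further and run Auth::attempt(['uid' => 'einstein', 'password' => 'password']) in Tinker, and the import works, but the web login still does not work. With AD, I cannot get an authentication attempt to work using samaccountname, username or uid, although plain authentication using ldap_connect and ldap_bind works.

App/User.php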

<?php

namespace App;

use Illuminate\Notifications\Notifiable;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Support\Facades\Hash; 
use LdapRecord\Laravel\Auth\LdapAuthenticatable;
use LdapRecord\Laravel\Auth\AuthenticatesWithLdap;

class User extends Authenticatable implements LdapAuthenticatable
{
    use Notifiable, AuthenticatesWithLdap;

    protected $table = 'users';
    protected $primaryKey = 'id';
    public $timestamps = false;
    public $incrementing = false;

    /*
    public function getAuthPassword()
    {
        return Hash::make( $this->user_pass );
    }
    */

    /**
     * User settings.
     *
     * @return HasMany
     */
    public function settings()
    {
        return $this->hasMany(Models\Settings::class, 'id', 'id');
    }

}

App/Http/Controllers/Auth/LoginController.php

<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\Request;
use LdapRecord\Laravel\Auth\ListensForLdapBindFailure;

class LoginController extends Controller
{
    /*
    |--------------------------------------------------------------------------
    | Login Controller
    |--------------------------------------------------------------------------
    |
    | This controller handles authenticating users for the application and
    | redirecting them to your home screen. The controller uses a trait
    | to conveniently provide its functionality to your applications.
    |
    */

    use AuthenticatesUsers, ListensForLdapBindFailure;

    /**
     * Where to redirect users after login.
     *
     * @var string
     */
    protected $redirectTo = '/';

    /**
     * Create a new controller instance.
     *
     * @return void
     */
    public function __construct()
    {
        $this->middleware('guest')->except('logout');
    }

    /**
     * Override the variable that stores the user's login
     *
     * @return string
     */
    public function username()
    {
        return 'user_login';
    }

    /**
     * Server-side data validation
     *
     * @param  Request $request
     *
     * @return void
     */
    protected function validateLogin(Request $request)
    {
        $request->validate([
            $this->username() => 'required|string',
            'password' => 'required|string',
        ]);
    }  

    protected function credentials(Request $request)
    {
        return [
            'uid' => $request->username,
            'password' => $request->password,
        ];
    }
}

How do I find out what is causing the problem?

【Question discussion】:

    Tags: php laravel active-directory ldap adldap


    【Solution 1】:

    Troubleshooting in Laravel is usually done using logging. According to the given documentation, you can log a string with

    use Illuminate\Support\Facades\Log;
    
    // somewhere in the code
    Log::debug('info string');
    

    Laravel puts its logs in the storage/logs folder. The logs contain entries like this:

    [2021-08-24 10:41:13] local.INFO: LDAP (ldap://ldap.forumsys.com:389) - Operation: Bound - Username: cn=read-only-admin,dc=example,dc=com  
    [2021-08-24 10:35:54] local.INFO: LDAP (ldap://ldap.forumsys.com:389) - Operation: Search - Base DN: dc=example,dc=com - Filter: (&(objectclass=\74\6f\70)(objectclass=\70\65\72\73\6f\6e)(objectclass=\6f\72\67\61\6e\69\7a\61\74\69\6f\6e\61\6c\70\65\72\73\6f\6e)(objectclass=\69\6e\65\74\6f\72\67\70\65\72\73\6f\6e)(uid=)) - Selected: (entryuuid,*) - Time Elapsed: 471.78  
    

    We see that the uid is not given, because we use user_login instead of username, so the final solution was to change LoginController.php:

    protected function credentials(Request $request)
    {
        return [
            'uid' => $request->user_login,
            'password' => $request->password,
        ];
    }
    

    After that, the login succeeded.

    【Discussion】:
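The log check described in the answer above can be run over a whole log file. The following is an added example, not part of the original answer or of LdapRecord: it decodes the hex-escaped values in logged search filters and flags any attribute that was sent with an empty value, as in the (uid=) entry. The sample lines are constructed in the format of the excerpt above (the third one is hypothetical), and the function names are assumptions.

```python
import re

# Constructed sample lines in the format of the log excerpt in the answer.
SAMPLE_LOG = r"""
[2021-08-24 10:41:13] local.INFO: LDAP (ldap://ldap.forumsys.com:389) - Operation: Bound - Username: cn=read-only-admin,dc=example,dc=com
[2021-08-24 10:35:54] local.INFO: LDAP (ldap://ldap.forumsys.com:389) - Operation: Search - Base DN: dc=example,dc=com - Filter: (&(objectclass=\70\65\72\73\6f\6e)(uid=)) - Selected: (entryuuid,*) - Time Elapsed: 471.78
[2021-08-24 10:52:02] local.INFO: LDAP (ldap://ldap.forumsys.com:389) - Operation: Search - Base DN: dc=example,dc=com - Filter: (&(objectclass=\70\65\72\73\6f\6e)(uid=\65\69\6e\73\74\65\69\6e)) - Selected: (entryuuid,*) - Time Elapsed: 12.4
"""

SEARCH_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\].*Operation: Search - Base DN: (?P<base>.*?)"
    r" - Filter: (?P<filter>.*?) - Selected:")
# One simple filter item: (attr=value), (attr>=value), ...
ASSERTION_RE = re.compile(r"\(([A-Za-z][\w;.-]*)(=|~=|>=|<=)([^()]*)\)")
HEX_RE = re.compile(rb"\\([0-9a-fA-F]{2})")


def unescape(value):
    """Decode RFC 4515 \\xx escapes in a filter value into readable text."""
    raw = HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), value.encode("utf-8"))
    return raw.decode("utf-8", errors="replace")


def audit_searches(log_text):
    """Return one finding per Search line, listing attributes with empty values."""
    findings = []
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if not m:
            continue  # Bound and other operations carry no filter
        assertions = [(attr, unescape(val))
                      for attr, _op, val in ASSERTION_RE.findall(m.group("filter"))]
        empty = [attr for attr, val in assertions if val == ""]
        findings.append({"time": m.group("ts"), "base_dn": m.group("base"),
                         "assertions": assertions, "empty": empty})
    return findings


if __name__ == "__main__":
    for f in audit_searches(SAMPLE_LOG):
        status = "EMPTY: " + ",".join(f["empty"]) if f["empty"] else "ok"
        print(f["time"], f["assertions"], status)
```

An attribute listed under "empty" means the credentials array passed a null or missing request field for that key, which is the mismatch between user_login and username that the answer fixes.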
