[Ldap] Improving the LDAP component #17560
public function __construct(array $config = array()) | ||
{ | ||
if (!extension_loaded('ldap')) { | ||
throw new LdapException('The ldap module is needed.'); |
Could we change this error message to something like: `The ldap PHP extension is not enabled`?
Is support for paging planned to be implemented in the query? For many corporate LDAP implementations a max page size is enforced as a best practice, and large queries will fail without paging. However, I guess adding that might be a bit cumbersome as paging support for LDAP was added in PHP 5.4 and the min requirement for this component is 5.3.
There's no issue with supporting paging, especially as version 3.0 of Symfony only supports PHP 5.5+. Thus, we could implement this. However, I won't support this right now, but maybe in a later PR. The goal of this PR is to be able to make the component more flexible, and make the correct abstractions, so different implementations can be used (using the PHP extension, for example). This way, we could support a userland ldap client, or even third-party libraries to provide such capability.
'maxItems' => 0, | ||
'sizeLimit' => 0, | ||
'timeout' => 0, | ||
'deref' => LDAP_DEREF_NEVER, |
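Review bot: the defaults `'sizeLimit' => 0` and `'timeout' => 0` read as "no limit" if they are passed straight through to the search call, so a broad filter against a large directory or a stalled server has no client-side bound. Document what 0 means for each option next to these defaults and consider a finite default for `'timeout'`. The difference between `'maxItems'` and `'sizeLimit'` is also not evident from the names and deserves a comment.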
Constants should be moved in QueryInterface.
By the way, as this PR breaks compatibility, the code from the Security component will be updated in another PR.
Ping @fabpot @nicolas-grekas This PR is now stable, and functional tests have been bootstrapped.
The only build failing is the Appveyor build, as the CI does not have an LDAP server. Does anyone have a solution?
For now, I'm disabling the
/** | ||
* @author Charles Sarrazin <[email protected]> | ||
*/ | ||
final class LdapFactory |
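Review bot: the docblock above `final class LdapFactory` carries only an `@author` tag. Add a short description of what the factory creates and when to use it rather than instantiating the object directly, since the purpose of the class is not evident from the visible lines.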
What do we need this class for? I would remove it altogether as it does not add anything useful AFAICS.
The class is simply a shorthand way to create the Ldap class. Indeed, otherwise, you need to manually inject the adapter (and other configuration). This is basically to improve DX.
But we don't have any other such classes anywhere in Symfony. So, I would remove it for now.
I will merge the static method in the Ldap class. The idea was to have something like `PropertyAccess::createPropertyAccessor()`.
👍
|
||
$this->connection = null; | ||
} | ||
} |
Isn't it possible to keep this class for BC and proxy to the new one?
Good idea. What I will do:
- create a `LdapClient` class, implementing `LdapClientInterface` and wrapping the `Ldap` class.
- create a backward-compatible constructor initializing a `Ldap` instance.
- move the `find()` method from the `Ldap` class to the `LdapClient` class.
* Moved connection logic to dedicated class
* Added support for Ldap result entries iterator and renamed LdapClient to Ldap
* Added support for multiple adapters
* Attempt anonymous bind if the connection is not bound beforehand
* Finalized API
* Updated the Security component to use v3.1 of the Ldap component
* Updated unit tests
* Added support for functional tests
* Updated README file
All done! It seems some tests fail because of VarDumper.
👍
Thank you @csarrazi.
This PR was merged into the 3.1-dev branch.

Discussion
----------

[Ldap] Improving the LDAP component

| Q | A |
| ------------- | --- |
| Bug fix? | no |
| New feature? | yes |
| BC breaks? | yes |
| Deprecations? | no |
| Tests pass? | no |
| Fixed tickets | #14602 |
| License | MIT |
| Doc PR | not yet |

This PR will address a few issues mentioned in #14602.

* [x] Integrate the Config component in order to simplify the client's configuration
* [x] Separate Connection handling from the Client
* [x] Support for multiple drivers
* [x] Add functional tests
* [x] Update Security component

Commits
-------

34d3c85 Added compatibility layer for previous version of the Security component
81cb79b Improved the Ldap Component
@@ -48,6 +50,11 @@ before_install: | |||
- if [[ $deps != skip ]]; then composer self-update; fi; | |||
- if [[ $deps != skip ]]; then ./phpunit install; fi; | |||
- export PHPUNIT=$(readlink -f ./phpunit) | |||
- mkdir /tmp/slapd | |||
- slapd -f src/Symfony/Component/Ldap/Tests/Fixtures/conf/slapd.conf -h ldap://localhost:3389 & | |||
- sleep 3 |
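Review bot: `sleep 3` after the backgrounded `slapd ... &` line is a fixed delay rather than a readiness check, so a slow worker can still reach the tests before slapd answers on ldap://localhost:3389, and a slapd that never comes up is only noticed when the tests fail. Poll the server with a bounded number of retries and fail the step if it never answers. `mkdir /tmp/slapd` should also be `mkdir -p /tmp/slapd` so the step does not fail when the directory already exists.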
Do we really need this? And why three seconds? This looks like it may cause wrong build failure reports in the future.
slapd is run in the background. Also, this ensures that the daemon is started before the tests are run. We could remove this, but tests may be flaky.
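A bounded readiness wait of the kind this exchange is about, as an added example that is not part of the PR or of Symfony's CI scripts. The function names `wait_for_daemon` and `demo_wait_for_daemon` are hypothetical, and the demo uses `sleep` and a marker file as constructed stand-ins for slapd and its listener.

```sh
# wait_for_daemon PID TRIES PROBE [ARGS...]
#   0 = PROBE succeeded; 1 = gave up after TRIES one-second attempts;
#   2 = process PID exited before it became ready.
wait_for_daemon() {
    wfd_pid=$1
    wfd_tries=$2
    shift 2
    while [ "$wfd_tries" -gt 0 ]; do
        # Fail fast if the daemon died, for example on a configuration error.
        kill -0 "$wfd_pid" 2>/dev/null || return 2
        if "$@" >/dev/null 2>&1; then
            return 0
        fi
        wfd_tries=$((wfd_tries - 1))
        sleep 1
    done
    return 1
}

# Constructed demo: `sleep` stands in for slapd and a marker file stands in
# for "the server answers". Echoes the three return codes in order.
demo_wait_for_daemon() {
    demo_dir=$(mktemp -d)
    sleep 30 >/dev/null 2>&1 &
    demo_pid=$!
    ( sleep 1; : > "$demo_dir/ready" ) >/dev/null 2>&1 &
    demo_ready=0    # case 1: becomes ready after about one second
    wait_for_daemon "$demo_pid" 5 test -e "$demo_dir/ready" || demo_ready=$?
    demo_timeout=0  # case 2: stays up but never answers
    wait_for_daemon "$demo_pid" 2 test -e "$demo_dir/never" || demo_timeout=$?
    kill "$demo_pid" 2>/dev/null || true
    wait "$demo_pid" 2>/dev/null || true
    demo_dead=0     # case 3: already exited
    wait_for_daemon "$demo_pid" 5 test -e "$demo_dir/never" || demo_dead=$?
    rm -rf "$demo_dir"
    echo "$demo_ready $demo_timeout $demo_dead"
}

# CI usage sketch (assumes the OpenLDAP ldapsearch client is installed and
# the fixture slapd.conf allows an anonymous read of the root DSE; -d 0
# keeps slapd from detaching, so $! remains its PID):
#   slapd -d 0 -f <slapd.conf> -h ldap://localhost:3389 & pid=$!
#   wait_for_daemon "$pid" 15 \
#       ldapsearch -x -H ldap://localhost:3389 -s base -b '' || exit 1
```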
This PR was merged into the 3.1 branch.

Discussion
----------

[Security] Allow LDAP loadUser override

| Q | A |
| ------------- | --- |
| Branch? | 3.1 |
| Bug fix? | no |
| New feature? | no |
| BC breaks? | no |
| Deprecations? | no |
| Tests pass? | yes |
| Fixed tickets | - |
| License | MIT |
| Doc PR | - |

Back in 3.0, one could extend `Symfony\Component\Security\Core\User\LdapUserProvider` and override how User objects are created. Among several improvements, #17560 changed the `loadUser` signature but also its visibility to `private`, which disallows any overriding. Even if the signature BC break is legitimate, we should still be able to override this method IMHO, which is not possible with a private visibility. This PR introduces a `protected` visibility to allow overriding again.

Commits
-------

ae99aa8 [Security] Allow LDAP loadUser override