irisit/lmod-authz-ldap

Auth & Authorization system for AdLdap2

Authz Ldap Module

Documentation du module d'authentification et d'authorisation, _(*1)

Fonctionnalités

Guest

• Sign in

Admin

• List of users -- Assign role to user -- Trigger ldap sync, _(*2)

• List of permissions -- Parse from source file -- Edit descriptions, _(*3)

• List of roles -- Create role -- Edit role --- Assign permissions to role, _(*4)

Install

Begin by installing this package through Composer. Edit your project's composer.json file to require laravelcollective/html., _(*5)

composer require "laravelcollective/html":"^5.4.0" composer require "adldap2/adldap2-laravel": "^3.0", _(*6)

Next, add your new provider to the providers array of config/app.php:, _(*7)

  'providers' => [
    // ...
    Collective\Html\HtmlServiceProvider::class,
    Irisit\AuthzLdap\AuthzServiceProvider::class,
    Adldap\Laravel\AdldapServiceProvider::class,
    Adldap\Laravel\AdldapAuthServiceProvider::class,
    // ...
  ],

Finally, add two class aliases to the aliases array of config/app.php:, _(*8)

  'aliases' => [
    // ...
      'Form' => Collective\Html\FormFacade::class,
      'Html' => Collective\Html\HtmlFacade::class,
      'Adldap' => Adldap\Laravel\Facades\Adldap::class,
    // ...
  ],

Replace all the in the App\User::class, _(*9)

<?php

namespace App;

use Adldap\Laravel\Traits\HasLdapUser;
use Illuminate\Notifications\Notifiable;
use Irisit\AuthzLdap\Models\BaseUser as Authenticatable;

class User extends Authenticatable
{
    use Notifiable, HasLdapUser;

    /**
     * The attributes that are mass assignable.
     *
     * @var array
     */
    protected $fillable = [
        'firstname',
        'lastname',
        'username',
        'email',
        'password',
        'role_id'
    ];

    /**
     * The attributes that should be hidden for arrays.
     *
     * @var array
     */
    protected $hidden = [
        'password', 'remember_token',
    ];
}

Replace in migrations the name attribute by, _(*10)

$table->string('firstname');
$table->string('lastname');
$table->string('username')->unique();

Replace the line in App\Http\Kernel.php, _(*11)

'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,, _(*12)

by, _(*13)

'guest' => \Irisit\AuthzLdap\Http\Middleware\RedirectIfAuthenticated::class,, _(*14)

And add at the end ( after guest ), _(*15)

'role' => \Irisit\AuthzLdap\Http\Middleware\RedirectIfNotRole::class,, _(*16)

so you can use the middleware 'role' to protect a route or a group like this middleware => 'role:admin,manager', _(*17)

Run, _(*18)

php artisan db:seed --class=Irisit\AuthzLdap\Database\Seeds\DatabaseSeeder, _(*19)

Add to config/filesystem.php, _(*20)

        'base' => [
            'driver' => 'local',
            'root' => base_path() . DIRECTORY_SEPARATOR,
        ],

Add this to app/Exceptions/Handler.php, _(*21)

/**
 * @override
 * @param \Illuminate\Http\Request $request
 * @param AuthenticationException $exception
 * @return \Illuminate\Http\JsonResponse|\Illuminate\Http\RedirectResponse|\Illuminate\Http\Response
 */
protected function unauthenticated($request, AuthenticationException $exception)
{
    return $request->expectsJson()
        ? response()->json(['message' => 'Unauthenticated.'], 401)
        : redirect()->guest(route('authz.get_login'));
}

And run php artisan vendor:publish --provider="Irisit\AuthzLdap\AuthzServiceProvider" to get the configuration file and the seeder file, _(*22)

For the seeder add $this->call(RoleTableSeeder::class); to the /database/seeders/DatabaseSeeder.php, _(*23)

to import users : php artisan adldap:import, _(*24)

to get groups : php artisan lmod_authz:import_groups_ldap, _(*25)

to get permissions : php artisan lmod_authz:parse_permissions, _(*26)

to promote user as admin : php artisan lmod_authz:promote_user_admin, _(*27)

In order to use the filters you have to create a scope, _(*28)

<?php

namespace App\Scopes;

use Adldap\Query\Builder;
use Adldap\Laravel\Scopes\ScopeInterface;

class FilterScope implements ScopeInterface
{
    /**
     * {@inheritdoc}
     */
    public function apply(Builder $builder)
    {
        $builder->rawFilter(config('irisit_authz.ldap_filters'));
    }
}

And add the scope to adldap_auth.php config file, _(*29)

    'scopes' => [

        // Only allows users with a user principal name to authenticate.

        App\Scopes\SamAccountNameScope::class,

        App\Scopes\FilterScope::class, <---

    ],