Since my web app is only used internally, I want to switch from form-based login (by supplying our AD username and AD password) to SSO via Windows Authentication in IIS.
This works fine when I switch Symfony to the remote_user instead of the LDAPtools Guard, but only when I use the user_db provider. This means that a user must exist in the database before login is allowed.
I want to mix SSO and LDAP login to log in to the web app without the need for the user to exist in the database first. The reason why I want to use LDAP too is so I can use AD Group Membership to allow different parts of the web app.
Currently IIS fills the PHP REMOTE_USER with NETBIOSDOMAIN\username. LDAPtools queries the LDAP with sAMAccountName=NETBIOSDOMAIN\5cusername, which doesn't exist because sAMAccountName is only the username and not the full string with domain included (also it translates the backslash to 5c).
Is it possible for LDAPtools to, for example, strip the NETBIOSDOMAIN\ and query with only the last part provided in REMOTE_USER? Or am I completely taking the wrong approach?
I am a little bit closer... by stripping the username to remove the domain, I can log in. However, no new user is created in the database and I get a new error on accessing each new page (but the next refresh doesn't give the error, after that it does, after that it doesn't, etc.).
Adding the line
$username = substr(strrchr($username, '\\'), 1); //strip domain info
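The normalization discussed in this thread, as an added example that is not part of the original issue and not LdapTools or Symfony code: it reduces REMOTE_USER to a bare sAMAccountName, also handles a value with no backslash, refuses a domain other than the expected one, and shows where the `\5c` comes from (RFC 4515 filter escaping of the backslash). All function names and sample values are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: function names are hypothetical, not an LdapTools or Symfony API.

/**
 * Reduce an IIS-supplied REMOTE_USER to a bare sAMAccountName.
 * Accepts "NETBIOSDOMAIN\username" or a bare "username". A different domain
 * is rejected, so an account from another domain cannot be mapped onto a
 * same-named account in this one.
 */
function samAccountNameFromRemoteUser(string $remoteUser, string $expectedDomain): string
{
    $pos = strrpos($remoteUser, '\\');
    if ($pos !== false) {
        $domain = substr($remoteUser, 0, $pos);
        if (strcasecmp($domain, $expectedDomain) !== 0) {
            throw new InvalidArgumentException('Unexpected domain in REMOTE_USER');
        }
        $remoteUser = substr($remoteUser, $pos + 1);
    }
    if ($remoteUser === '') {
        throw new InvalidArgumentException('Empty username in REMOTE_USER');
    }
    return $remoteUser;
}

/** RFC 4515 escaping for a value placed inside an LDAP search filter. */
function escapeFilterValue(string $value): string
{
    // strtr() with an array does not re-scan its own replacements.
    return strtr($value, [
        '\\' => '\\5c', '*' => '\\2a', '(' => '\\28', ')' => '\\29', "\0" => '\\00',
    ]);
}

/** Build the lookup filter from the raw REMOTE_USER value. */
function samAccountNameFilter(string $remoteUser, string $expectedDomain): string
{
    $sam = samAccountNameFromRemoteUser($remoteUser, $expectedDomain);
    return '(sAMAccountName=' . escapeFilterValue($sam) . ')';
}

// Constructed sample values.
echo samAccountNameFilter('NETBIOSDOMAIN\\username', 'NETBIOSDOMAIN'), PHP_EOL;
// Without normalization the escaped backslash ends up in the filter:
echo '(sAMAccountName=' . escapeFilterValue('NETBIOSDOMAIN\\username') . ')', PHP_EOL;
```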