Customizing Filament’s Login to use LDAP
This is a quick rough draft post for how to override the default Filament login and use your own to login with LDAP.
Tested With:
- Laravel 9
- Filament 2
- ldaprecord-laravel 2.6
Notes:
- I’m using Filament 2 but it should work the same in 3. But check the code and refer to the docs if you run into trouble. There’s not a lot of super custom code here so this should work with updated versions of all the packages used.
- I’m using ldaprecord-laravel package 2.x in this example as well.
- In my use case I only needed to authenticate against our LDAP login. Using ldaprecord may be overkill in my use case but I expected there to be more requirements at some point. If you need to sync anything from the LDAP user model ldaprecord will let you do that.
- Could we do this with just some event listener or other way instead of overriding the Filament Login.php? That would be better so we don’t have to keep our version of Login.php current with any changes to the standard one provided by Filament. I never got a chance to look into this but it seems like there would be a way. Feel free to shout in the comments if you know.
I’m using the directorytree/ldaprecord-laravel package in this code, so you’ll need to:
composer require directorytree/ldaprecord-laravel
Make sure to go star the repo. Steve is a really sharp developer and all around nice guy.
Follow the instructions to setup your LDAP configuration in Laravel. It’s pretty standard Laravel stuff here. Make sure to configure your ldap connection per the instructions for this package. We’ll be using these variables to connect and verify that the user provided valid credentials.
Then you just need to override the default login by creating our own here:
app/Filament/Pages/Auth/Login.php
Below is what this code looks like. It’s a combination of the default login from Filament with the ldap stuff doing the job of validating the creds, then we just log the user in the standard Laravel way.
Below is the code, commented for clarity.
That should do it. Let me know if I missed anything or if you have suggestions for improvement.
<?php namespace App\Filament\Pages\Auth; use App\Models\User; use Exception; use Filament\Forms\Components\Checkbox; use Filament\Forms\Components\TextInput; use Filament\Forms\Components\ViewField; use Filament\Forms\Contracts\HasForms; use Filament\Http\Livewire\Auth\Login as BasePage; use Filament\Http\Responses\Auth\Contracts\LoginResponse; use Illuminate\Support\Facades\Auth; use Illuminate\Support\Facades\Hash; use Illuminate\Support\Str; use LdapRecord\Connection; use LdapRecord\Container; class Login extends BasePage implements HasForms { public $username = ''; public $password = ''; public $remember = false; public function authenticate() : ?LoginResponse { // Implement rate limiting to protect against brute force attacks try { $this->rateLimit(5); } catch (TooManyRequestsException $exception) { $this->addError('username', __('filament::login.messages.throttled', [ 'seconds' => $exception->secondsUntilAvailable, 'minutes' => ceil($exception->secondsUntilAvailable / 60), ])); return null; } $data = $this->form->getState(); // Prefix for LDAP user names (corp\\username) $ldap_user = 'corp' . '\\' . $data['username']; $ldap_pass = $data['password']; // Use environment variables for LDAP configuration $connection = new Connection([ 'hosts' => [config('LDAP_HOST', 'your_default_host')], 'port' => config('LDAP_PORT', 389), 'base_dn' => config('LDAP_BASE_DN', 'DC=corp,DC=your_domain,DC=com'), 'username' => $ldap_user, 'password' => $ldap_pass, ]); Container::addConnection($connection); // Attempt LDAP authentication try { $connection->auth()->attempt($ldap_user, $ldap_pass); } catch (Exception $e) { // Provide a more specific error message for authentication failure $this->addError('username', __('Authentication failed, please try again.')); $this->addError('password', __('Authentication failed, please try again.')); return null; } if (get_class($connection) === Connection::class) { $query = $connection->query(); // Retrieve LDAP record, add any additional logic you want to check for a valid/active user here $ldap_record = $query->where('your_ldap_account_field_name', '=', $data['username'])->first(); // Create or update the local user $user = User::updateOrCreate([ 'email' => $ldap_record['your_ldap_email_field_name'][0], ], [ 'name' => $ldap_record['cn'][0], 'password' => Hash::make(Str::random(10)), // Hash a random string for password ]); Auth::login($user, $this->remember); // Additional steps for user model or login process can be added here // Return the expected LoginResponse class return app(LoginResponse::class); } return null; } protected function getFormSchema() : array { return [ ViewField::make('login-notice')->view('filament.pages.auth.login.header'), TextInput::make('username') ->label(__('Username')) ->required() ->autocomplete(), TextInput::make('password') ->label(__('filament::login.fields.password.label')) ->password() ->required(), Checkbox::make('remember') ->label(__('filament::login.fields.remember.label')), ]; } }
In the above code you could implement the user sync from ldap to your local database. That was not a requirement for my use case. But it’s documented in the ldaprecord package if you need that.
Leave a Reply