```php
// config/packages/security.php
use Symfony\Component\Ldap\Ldap;
use Symfony\Config\SecurityConfig;

return static function (SecurityConfig $security): void {
    $security->provider('ldap_users')
        ->ldap()
            ->service(Ldap::class)
            ->baseDn('dc=example,dc=com')
            ->searchDn('cn=read-only-admin,dc=example,dc=com')
            ->searchPassword('password')
            ->defaultRoles(['ROLE_USER'])
            ->uidKey('uid')
            ->extraFields(['email'])
    ;
};
```
Caution: The Security component escapes provided input data when the LDAP user provider is used. However, the LDAP component itself does not provide any escaping yet. Thus, it's your responsibility to prevent LDAP injection attacks when using the component directly.

Caution: The user configured above in the user provider is only used to retrieve data. It's a static user defined by its username and password (for improved security, define the password as an environment variable).

If your LDAP server allows retrieval of information anonymously, you can set the search_dn and search_password options to null.
The ldap user provider supports many different configuration options:

service
type: string
default: ldap
This is the name of your configured LDAP client. You can freely choose the name, but it must be unique in your application and it cannot start with a number or contain white spaces.

base_dn
type: string
default: null
This is the base DN for the directory.

search_dn
type: string
default: null
This is your read-only user's DN, which will be used to authenticate against the LDAP server to fetch the user's information.

search_password
type: string
default: null
This is your read-only user's password, which will be used to authenticate against the LDAP server to fetch the user's information.

default_roles
type: array
default: []
This is the default role you wish to give to a user fetched from the LDAP server. If you do not configure this key, your users won't have any roles, and will not be considered as fully authenticated.

uid_key
type: string
default: null
This is the entry's key to use as its UID. It depends on your LDAP server implementation. Commonly used values are:
- sAMAccountName (default)
- userPrincipalName
If you pass null as the value of this option, the default UID key (sAMAccountName) is used.

extra_fields
type: array
default: null
Defines the custom fields to pull from the LDAP server. If any field does not exist, an \InvalidArgumentException will be thrown.

filter
type: string
default: null
This key lets you configure which LDAP query will be used. The {uid_key} string will be replaced by the value of the uid_key configuration value (by default, sAMAccountName), and the {user_identifier} string will be replaced by the user identifier you are trying to load.
For example, with a uid_key of uid, and if you are trying to load the user fabpot, the final string will be: (uid=fabpot).
If you pass null as the value of this option, the default filter is used: ({uid_key}={user_identifier}).
To prevent LDAP injection, the username will be escaped.
The syntax for the filter key is defined by RFC4515.
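The filter expansion described for the filter option, together with the escaping the caution above says you must do yourself when the Ldap component is used directly, as an added example (not code from the Symfony documentation or the Ldap component). The names escapeFilterValue() and buildFilter() are chosen here; the escaping reproduces in pure PHP what PHP's ldap_escape() does with LDAP_ESCAPE_FILTER, so the file runs without ext-ldap.

```php
<?php
// Added example, not part of the Symfony documentation or the Ldap component.
// Builds the LDAP search filter the way the `filter` option describes and
// escapes the user identifier per RFC 4515 so that filter metacharacters in
// user input cannot change the structure of the query.

declare(strict_types=1);

/**
 * Escapes a value for use inside an LDAP search filter (RFC 4515, section 3).
 * Equivalent to ldap_escape($value, '', LDAP_ESCAPE_FILTER), written in plain
 * PHP so this file does not need ext-ldap. strtr() replaces all keys in one
 * pass, so already-emitted escape sequences are never re-escaped.
 */
function escapeFilterValue(string $value): string
{
    return strtr($value, [
        '\\' => '\5c',
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    ]);
}

/**
 * Expands a `filter` template: {uid_key} becomes the configured uid_key and
 * {user_identifier} becomes the *escaped* identifier, as the option describes.
 * The uid_key comes from trusted configuration and is substituted verbatim.
 */
function buildFilter(string $template, string $uidKey, string $userIdentifier): string
{
    return str_replace(
        ['{uid_key}', '{user_identifier}'],
        [$uidKey, escapeFilterValue($userIdentifier)],
        $template
    );
}

// The documented default filter.
$defaultFilter = '({uid_key}={user_identifier})';

// The case from the documentation: uid_key "uid" and user "fabpot".
echo buildFilter($defaultFilter, 'uid', 'fabpot'), PHP_EOL;

// Constructed identifier containing a filter metacharacter. After escaping it
// is sent as a literal byte, so the filter can only match an attribute value
// that actually contains "*" instead of turning into a wildcard match.
echo buildFilter($defaultFilter, 'uid', 'fab*pot'), PHP_EOL;

// A custom filter with a membership restriction uses the same substitution.
$customFilter = '(&({uid_key}={user_identifier})(memberOf=cn=users,ou=Services,dc=example,dc=com))';
echo buildFilter($customFilter, 'sAMAccountName', 'einstein'), PHP_EOL;
```

In a real application that talks to the Ldap component directly, use the component's own escaping, $ldap->escape($value, '', LdapInterface::ESCAPE_FILTER), which is what the Security component's LDAP user provider applies before substituting {user_identifier}; the pure-PHP function above only exists so the example can run without an LDAP extension or server. Values substituted into a DN (as with dn_string) need DN escaping (LdapInterface::ESCAPE_DN), not filter escaping, because the two contexts have different metacharacters.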
Authenticating against an LDAP server can be done using either the form login or the HTTP Basic authentication providers. They are configured exactly as their non-LDAP counterparts, with the addition of two configuration keys and one optional key:

service
type: string
default: ldap
This is the name of your configured LDAP client. You can freely choose the name, but it must be unique in your application and it cannot start with a number or contain white spaces.

dn_string
type: string
default: {user_identifier}
This key defines the form of the string used to compose the DN of the user, from the username. The {user_identifier} string is replaced by the actual username of the person trying to authenticate.
For example, if your users have DN strings in the form uid=einstein,dc=example,dc=com, then the dn_string will be uid={user_identifier},dc=example,dc=com.

query_string
type: string
default: null
This (optional) key makes the user provider search for a user and then use the found DN for the bind process. This is useful when using multiple LDAP user providers with different base_dn. The value of this option must be a valid search string (e.g. uid="{user_identifier}"). The placeholder value will be replaced by the actual user identifier.
When this option is used, query_string will search in the DN specified by dn_string, and the DN returned by the query_string search will be used to authenticate the user with their password. Following the previous example, if your users live under the following two DNs, dc=companyA,dc=example,dc=com and dc=companyB,dc=example,dc=com, then dn_string should be dc=example,dc=com.
Bear in mind that usernames must be unique across both DNs, as the authentication provider won't be able to select the correct user for the bind process if more than one is found.

Examples are provided below, for both form_login_ldap and http_basic_ldap.
```xml
<?xml version="1.0" encoding="UTF-8" ?>
<srv:container xmlns="http://symfony.com/schema/dic/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:srv="http://symfony.com/schema/dic/services"
    xsi:schemaLocation="http://symfony.com/schema/dic/services
        https://symfony.com/schema/dic/services/services-1.0.xsd
        http://symfony.com/schema/dic/security
        https://symfony.com/schema/dic/security/security-1.0.xsd">

    <config>
        <firewall name="main">
            <form-login-ldap service="Symfony\Component\Ldap\Ldap"
                dn-string="uid={user_identifier},dc=example,dc=com"/>
        </firewall>
    </config>
</srv:container>
```
```php
// config/packages/security.php
use Symfony\Component\Ldap\Ldap;
use Symfony\Config\SecurityConfig;

return static function (SecurityConfig $security): void {
    $security->firewall('main')
        ->formLoginLdap()
            ->service(Ldap::class)
            ->dnString('uid={user_identifier},dc=example,dc=com')
    ;
};
```
```xml
<?xml version="1.0" encoding="UTF-8" ?>
<srv:container xmlns="http://symfony.com/schema/dic/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:srv="http://symfony.com/schema/dic/services"
    xsi:schemaLocation="http://symfony.com/schema/dic/services
        https://symfony.com/schema/dic/services/services-1.0.xsd
        http://symfony.com/schema/dic/security
        https://symfony.com/schema/dic/security/security-1.0.xsd">

    <config>
        <firewall name="main" stateless="true">
            <http-basic-ldap service="Symfony\Component\Ldap\Ldap"
                dn-string="uid={user_identifier},dc=example,dc=com"/>
        </firewall>
    </config>
</srv:container>
```
```php
// config/packages/security.php
use Symfony\Component\Ldap\Ldap;
use Symfony\Config\SecurityConfig;

return static function (SecurityConfig $security): void {
    $security->firewall('main')
        ->stateless(true)
        // http_basic_ldap, matching the XML example above (not form_login_ldap)
        ->httpBasicLdap()
            ->service(Ldap::class)
            ->dnString('uid={user_identifier},dc=example,dc=com')
    ;
};
```
```yaml
# config/packages/security.yaml
security:
    # ...
    firewalls:
        main:
            # ...
            form_login_ldap:
                service: Symfony\Component\Ldap\Ldap
                dn_string: 'dc=example,dc=com'
                query_string: '(&(uid={user_identifier})(memberOf=cn=users,ou=Services,dc=example,dc=com))'
                search_dn: '...'
                search_password: 'the-raw-password'
```
```xml
<?xml version="1.0" encoding="UTF-8" ?>
<srv:container xmlns="http://symfony.com/schema/dic/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:srv="http://symfony.com/schema/dic/services"
    xsi:schemaLocation="http://symfony.com/schema/dic/services
        https://symfony.com/schema/dic/services/services-1.0.xsd
        http://symfony.com/schema/dic/security
        https://symfony.com/schema/dic/security/security-1.0.xsd">

    <config>
        <firewall name="main">
            <form-login-ldap service="Symfony\Component\Ldap\Ldap"
                dn-string="dc=example,dc=com"
                query-string="(&amp;(uid={user_identifier})(memberOf=cn=users,ou=Services,dc=example,dc=com))"
                search-dn="..."
                search-password="the-raw-password"/>
        </firewall>
    </config>
</srv:container>
```
```php
// config/packages/security.php
use Symfony\Component\Ldap\Ldap;
use Symfony\Config\SecurityConfig;

return static function (SecurityConfig $security): void {
    $security->firewall('main')
        ->stateless(true)
        ->formLoginLdap()
            ->service(Ldap::class)
            ->dnString('dc=example,dc=com')
            ->queryString('(&(uid={user_identifier})(memberOf=cn=users,ou=Services,dc=example,dc=com))')
            ->searchDn('...')
            ->searchPassword('the-raw-password')
    ;
};
```
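The search-then-bind flow that the query_string examples above configure, written against the Ldap component's public API as an added example (not code from the Symfony documentation or the Security component's own listener). The function name authenticateBySearch(), the connection parameters and the credentials are constructed placeholders; the script needs symfony/ldap installed, PHP 8.2 (for the SensitiveParameter attribute) and a reachable LDAP server, so unlike a config file it cannot run offline.

```php
<?php
// Added example, not part of the Symfony documentation or the Ldap component.
// Performs the two-step flow that form_login_ldap/http_basic_ldap run when
// query_string is set: search under dn_string with a read-only account, then
// bind as the single matching DN with the user's own password.

declare(strict_types=1);

require __DIR__.'/vendor/autoload.php'; // assumes symfony/ldap is installed

use Symfony\Component\Ldap\Entry;
use Symfony\Component\Ldap\Exception\ConnectionException;
use Symfony\Component\Ldap\Ldap;
use Symfony\Component\Ldap\LdapInterface;

/**
 * Returns the authenticated user's entry, or null on any failure. Returning
 * null for every failure (unknown user, ambiguous user, wrong password)
 * keeps the caller from leaking which step failed.
 */
function authenticateBySearch(
    LdapInterface $ldap,
    string $dnString,      // base to search, e.g. dc=example,dc=com
    string $queryString,   // filter containing the {user_identifier} placeholder
    string $searchDn,      // read-only service account DN used for the search
    #[\SensitiveParameter] string $searchPassword,
    string $userIdentifier,
    #[\SensitiveParameter] string $password,
): ?Entry {
    // An empty password must never reach bind(): servers commonly treat it as
    // an anonymous bind and report success.
    if ('' === $password) {
        return null;
    }

    try {
        // Step 1: bind with the read-only account and look the user up. The
        // identifier is escaped for the filter context before substitution.
        $ldap->bind($searchDn, $searchPassword);
        $filter = str_replace(
            '{user_identifier}',
            $ldap->escape($userIdentifier, '', LdapInterface::ESCAPE_FILTER),
            $queryString
        );
        $result = $ldap->query($dnString, $filter)->execute();

        // Exactly one match is required: zero means unknown user, more than
        // one means the identifier is not unique across the searched subtree,
        // which the documentation warns about.
        if (1 !== \count($result)) {
            return null;
        }
        $entry = $result[0];

        // Step 2: bind as the DN the search returned, with the user's password.
        // A rejected bind raises ConnectionException.
        $ldap->bind($entry->getDn(), $password);

        return $entry;
    } catch (ConnectionException) {
        return null;
    }
}

// Constructed placeholders; the service-account password is read from the
// environment, as the caution in the documentation recommends.
$ldap = Ldap::create('ext_ldap', [
    'host' => 'ldap.example.com',
    'port' => 636,
    'encryption' => 'ssl',
]);

$entry = authenticateBySearch(
    $ldap,
    'dc=example,dc=com',
    '(&(uid={user_identifier})(memberOf=cn=users,ou=Services,dc=example,dc=com))',
    'cn=read-only-admin,dc=example,dc=com',
    getenv('LDAP_SEARCH_PASSWORD') ?: '',
    'einstein',
    getenv('TEST_USER_PASSWORD') ?: '',
);

echo null === $entry ? "authentication failed\n" : 'authenticated as '.$entry->getDn()."\n";
```

The count check is the operational consequence of the "usernames must be unique across both DNs" note: when the same uid exists under both company subtrees, the search returns two entries and the function refuses rather than binding as whichever entry happened to come first.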