Download the PHP package padosoft/laravel-iam-directory without Composer
On this page you can find all versions of the php package padosoft/laravel-iam-directory. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download padosoft/laravel-iam-directory
More information about padosoft/laravel-iam-directory
Files in padosoft/laravel-iam-directory
Package laravel-iam-directory
Short Description Modulo opzionale Directory di Laravel IAM: LDAP/Active Directory (LdapRecord) in v1; SCIM in v2.
License MIT
Informations about the package laravel-iam-directory
Laravel IAM โ Directory
Bring your LDAP / Active Directory into Laravel IAM โ safely.
Directory login, Just-In-Time provisioning and group โ role mapping, hardened against the
classic identity-sync pitfalls.
๐ Read the documentation โ
Why this package
Most teams already have their users in LDAP or Active Directory. Wiring that into an app usually means one of two bad outcomes: a brittle hand-rolled bind that silently fails open, or a "sync everything" job that happily takes over local accounts, keeps stale privileges forever, and lets a single wrong row in a group-mapping table escalate a user to admin.
laravel-iam-directory is the optional Directory module of Laravel IAM.
It authenticates against your directory, provisions users Just-In-Time on first login, and keeps their
IAM roles in sync with their directory groups โ while closing every one of those pitfalls by design:
- Anti-takeover โ an email already owned by a non-directory account is never auto-linked. You get a
conflict, not a hijack. - No privilege persistence โ drop a user from an LDAP group and the matching role is revoked on the next sync. Manually-granted roles are never touched.
- Protected roles โ list the roles (e.g.
iam:super_admin) that can never be granted through group mapping, no matter what the directory says. - Fail-closed โ bad credentials or a connector error resolve to denied, never to a half-provisioned user.
The real LDAP transport (LdapRecord) is optional and isolated: the core works against any
DirectoryConnector, so you can test, map and provision without ext-ldap installed.
Features
DirectoryAuthenticatorโ the login entry point: authenticate โ map groups โ provision/sync, all fail-closed.GroupMapperโ maps a user's directory groups to IAM roles (full_key), accepting both the full DN and the short CN, case-insensitively. Unmapped groups are ignored (default-deny โ no implicit roles).DirectoryProvisionerโ JIT on first login (creates user + membership + grants) and an authoritative, idempotent sync afterwards that adds missing roles and revokes stale directory-sourced ones.DirectoryJitPolicyโ secure-by-default:require_verified_email,allowed_domains,approval_required,default_roles,group_mapping, andprotected_roles.DirectoryUser/DirectoryConnectorโ a normalized identity and a transport seam, so the core is decoupled from LDAP and trivially testable.DirectoryOutcomeโ a typed result:provisionedยทlinkedยทconflictยทpendingยทdenied.- Optional
Ldap\LdapConnectorโ the real LDAP/AD transport via LdapRecord, isolated so the package installs and analyses cleanly withoutext-ldap.
Use cases
- SSO-less LDAP/AD login. Let enterprise users sign in with their directory credentials, without standing up a full SAML/OIDC IdP.
- Auto-provision on first login. New hire appears in AD โ on first login they get an IAM user, membership and the right roles, with no manual onboarding.
- Keep roles in sync with AD groups โ safely. Group membership changes flow into IAM roles on every login, with stale roles revoked and protected roles never auto-granted.
Installation
Requirements: PHP 8.3+, Laravel 13, and a running Laravel IAM server
(padosoft/laravel-iam-server).
The real LDAP/Active Directory transport is optional and needs the PHP ext-ldap extension:
Without it, the core (group mapping + JIT) still works against any DirectoryConnector you provide โ handy
for tests and non-LDAP sources.
Publish the config:
Quick start
1. Configure the directory & mapping
config/iam-directory.php:
2. Authenticate a user against the directory
3. The roles stay in sync โ automatically
On every login the provisioner re-syncs the user's directory-sourced roles:
- user added to
developersin AD โ getsapp:developer,app:deployer - user removed from
warehouse-adminsโwarehouse:adminis revoked (manual grants untouched) iam:super_adminmapped by a rogue group row โ ignored (it's a protected role)
4. Use a custom (non-LDAP) source
Implement DirectoryConnector to provision from any source โ no ext-ldap needed:
โ ๏ธ Security model. This module is deliberately strict: it refuses account takeover by email collision, revokes stale directory roles on sync, and never grants
protected_rolesfrom the directory. Don't relax these in a custom connector โ seedocs/provisioning-and-security.md.
Ecosystem
| Package | Role |
|---|---|
| laravel-iam-contracts | Shared interfaces & DTOs โ the dependency root |
| laravel-iam-server | The IAM server: identity, PDP, OAuth/OIDC, audit, governance, Admin API & panel |
| laravel-iam-client | Client for apps consuming Laravel IAM: middleware, Gate adapter |
| laravel-iam-ai | Optional AI module: advisory-only governance |
| laravel-iam-directory (this repo) | Optional directory module: LDAP / Active Directory (LdapRecord); SCIM in v2 |
| laravel-iam-bridge-spatie-permission | Migration bridge from spatie/laravel-permission |
Documentation
๐ Full documentation: doc.laravel-iam-directory.padosoft.com โ a 22-page docmd site with semantic search, covering:
- Get started โ Quickstart, Installation, Core concepts
- Guides โ Directory login, Group โ role mapping, JIT provisioning & sync, Custom connector
- Security & theory โ Anti-takeover, Authoritative sync, Protected roles, Fail-closed transport
- Architecture โ overview, login pipeline, data model, ADR
- Reference โ PHP API, config keys, outcomes & reasons
The Markdown sources live in docs-site/docs/; the site is built with
docmd and deployed to Cloudflare Pages.
Security
Laravel IAM is fail-closed by design. This module adds directory-specific hardening: anti-takeover
(email collision โ conflict), stale-privilege revocation on sync, and protected_roles that the directory
can never grant. The directory assigns roles; the PDP, not this module, decides allow/deny. If you
discover a security issue, email [email protected] rather than opening a public issue.
License
MIT ยฉ Padosoft. See LICENSE.
All versions of laravel-iam-directory with dependencies
padosoft/laravel-iam-contracts Version ^1.0
padosoft/laravel-iam-server Version ^1.0
spatie/laravel-package-tools Version ^1.16