matomo-org / matomo

https://matomo.org/
GNU General Public License v3.0

Plugin for LDAP Authentication #734

Closed anonymous-matomo-user closed 10 years ago

anonymous-matomo-user commented 15 years ago

This plugin syncs Piwik's user and access table against LDAP and performs Authentication via LDAP.

For installation instructions, see the README file in the tarball.

Install the plugin in one click from the Marketplace: LoginLdap on the marketplace

Keywords: ldap, auth, login, third-party-plugin

anonymous-matomo-user commented 13 years ago

Attachment: working ldap plugin for piwik LoginLdap-1.0.0.zip

mattab commented 13 years ago

Attachment: Piwik LDAP plugin screenshot screen_piwik_ldap.png

anonymous-matomo-user commented 12 years ago

Attachment: gigatec LoginLdap 1.2.0 LoginLdap-1.2.0.zip

anonymous-matomo-user commented 12 years ago

Attachment: gigatec LoginLdap 1.2.1 (minor bug fix - logging) LoginLdap-1.2.1.zip

anonymous-matomo-user commented 12 years ago

Attachment: LoginLdap-1.3.0.zip

anonymous-matomo-user commented 11 years ago

Attachment: Correction added so Page Overlay feature works LoginLdap.php

anonymous-matomo-user commented 15 years ago

Hello,

I don't understand what I have to (and what I can) write in the ldap.json file.

Can you give me more information about this file ?

anonymous-matomo-user commented 15 years ago

In the example below, these groups and memberships are assumed:

mygroup
  user
  admin  
site1viewers
  site1admin
  site1user

{
        "groups": {
                "cn=mygroup,ou=foo,ou=bar,o=Organization,c=at": {
                        "Site1": "view",
                        "Site2": "view",
                        "Site3": "view"
                },
                "cn=site1viewers,ou=foo,ou=bar,o=Organization,c=at": {
                        "Site1": "view"
                }
        },
        "users": {
                "cn=admin,ou=foo,ou=bar,o=Organization,c=at": {
                        "Site1": "admin",
                        "Site2": "admin",
                        "Site3": "admin"
                },
                "cn=site1admin,ou=foo,ou=bar,o=Organization,c=at": {
                        "Site1": "admin"
                }
        }
}

Users and groups must be specified with their distinguished name (dn). The entry for a user or group must contain key-value pairs: site name -> permission; permission may be "view" or "admin".

In this example, the users end up with these permissions:

user
  view -> Site1, Site2, Site3
admin
  admin -> Site1, Site2, Site3
site1user
  view -> Site1
site1admin
  admin -> Site1

anonymous-matomo-user commented 15 years ago

Thanks. For your answer, and for this plugin too.

Your plugin doesn't work for me for the moment. I think it's because the filter (function Auth.doLdapSearch) is based on the "cn" attribute. But in our organisation the unique identifier in LDAP is an attribute named "uid". I have to change the filter and test.

PS: Is this ticket the right place to give you feedback, report bugs, ask questions, ...?

PPS: I tried to install Wordpress MU too. And I think you may want to look at this plugin, it may be interesting: http://sourceforge.net/projects/wpmu-ldap/

PPPS: Sorry for my english if it's not good ... I'm french. :-)

anonymous-matomo-user commented 15 years ago

Be warned, this now depends on #828

anonymous-matomo-user commented 15 years ago

I don't understand exactly why you warn me. But it's not a problem. I will always need to have LDAP authentication with Piwik. So I will use a Piwik version with a functional LDAP plugin.

For the filter in Auth.doLdapSearch() it's OK if I replace "cn" with "uid". I will try to add a property in the config file and send you a patch.

PS: FYI: I just have to check the json file. The syntax is good but the permissions are not added (I think my "dn" are not correct).

anonymous-matomo-user commented 15 years ago

The attribute designating the userid and the Objectclass designating groups can be configured now, check the config.ini example. You have to apply the patch from #828 against piwik 0.4.1 for the LDAP plugin to work, that's what the warning is about. You should use these permissions on ldap.json:

chown root:<apache group> ldap.json
chmod 0640 ldap.json

robocoder commented 15 years ago

You might want to open a ticket proposing login-ldap-plugin.patch (or a variant thereof) be applied to Piwik core.

I would suggest you move the sample configuration files to the LdapLogin folder, and re-package it so it can be extracted into the plugins folder.

anonymous-matomo-user commented 15 years ago

Hello,

After some weeks of not using Piwik, I tried it again and tried to use the LdapLogin plugin.

To search the LDAP groups, I had to replace the attribute "member" with "uniqueMember". I added a parameter in the config file ("group_member_attribute") and I updated the function doLdapGroupLookup().

function authenticate()

// If the parent can't authenticate the user, let LDAP try.

Even if the parent authenticates the user, we have to connect to LDAP to update the user's information (e.g. email), and we need to update user rights against the "ldap.json" file. So I think we always need to connect to LDAP and call populateDB(). Perhaps an idea is to be able to differentiate LDAP users and local users, e.g. by adding a prefix in the login column in the database: login = {ldap}$this->login, or by storing a special string in the password column (we don't need this column for LDAP users): password = {{ldap}}

In this case, we don't need to play with $session->done, $this->login, $result, ... It's complicated to understand this code (and so it's complicated to participate in this plugin). It's simpler to have a variable or a function to know if the user is authenticated and whether it's a local or LDAP user.

protected function assignAccess()

Before the loop foreach($this->groups as $group) I have to do this:

$ldap_map_groups = get_object_vars($ldap_map["groups"]);

and I replace $ldap_map["groups"] with $ldap_map_groups. If I don't do that, array_key_exists(..) always returns false.

In this loop, I do first:

$group = str_replace(", ", ",", $group);

I don't know if it's my LDAP server, but sometimes a group dn is: cn=MY-GROUP-NAME,ou=people,ou=MY-OU,o=orga.com and sometimes it's: cn=MY-GROUP-NAME,ou=people, ou=MY-OU, o=orga.com and then array_key_exists(..) returns false.

I hope all of these points can help you to improve your plugin. (it's already a great plugin)

Regards, Neoh
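As an added example (not the plugin's code), here is the lookup described in the ldap.json comment earlier in this thread, with the two fixes Neoh reports folded in: the JSON is decoded to associative arrays (json_decode(..., true)), so no get_object_vars() is needed, and DNs are normalised before they are used as keys, so a DN the directory returns with spaces after the commas still matches the key written in ldap.json. The mapping is the one from the thread, embedded as a constructed string; normalizeDn(), loadLdapMap() and effectivePermissions() are assumed names. It also generalises the permission merge: where a user is granted "admin" directly and "view" through a group, "admin" wins.

```php
<?php
// Added example, not code from the LoginLdap plugin. Resolves a user's
// effective Piwik site permissions from an ldap.json mapping.
declare(strict_types=1);

// Constructed sample mapping, same shape as the ldap.json example in the thread.
const SAMPLE_LDAP_JSON = <<<'JSON'
{
  "groups": {
    "cn=mygroup,ou=foo,ou=bar,o=Organization,c=at": {"Site1": "view", "Site2": "view", "Site3": "view"},
    "cn=site1viewers,ou=foo,ou=bar,o=Organization,c=at": {"Site1": "view"}
  },
  "users": {
    "cn=admin,ou=foo,ou=bar,o=Organization,c=at": {"Site1": "admin", "Site2": "admin", "Site3": "admin"},
    "cn=site1admin,ou=foo,ou=bar,o=Organization,c=at": {"Site1": "admin"}
  }
}
JSON;

/** Canonical form of a DN for use as an array key: no spaces around RDN separators, lower-case. */
function normalizeDn(string $dn): string
{
    // "ou=people, ou=MY-OU" -> "ou=people,ou=my-ou"; the directory may return either spelling
    $dn = preg_replace('/\s*,\s*/', ',', trim($dn));
    return strtolower((string) $dn);
}

/** Parse ldap.json into arrays keyed by normalised DN. Rejects anything that is not "view"/"admin". */
function loadLdapMap(string $json): array
{
    // assoc=true gives plain arrays, so array_key_exists() works without get_object_vars()
    $raw = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    $map = ['groups' => [], 'users' => []];
    foreach (['groups', 'users'] as $section) {
        foreach ($raw[$section] ?? [] as $dn => $sites) {
            foreach ($sites as $site => $perm) {
                if (!in_array($perm, ['view', 'admin'], true)) {
                    throw new InvalidArgumentException("Unknown permission '$perm' for $dn / $site");
                }
                $map[$section][normalizeDn($dn)][$site] = $perm;
            }
        }
    }
    return $map;
}

/**
 * Effective permissions: union of the user's own entry and all of the user's group entries.
 * "admin" wins over "view" when both are granted for the same site.
 */
function effectivePermissions(array $map, string $userDn, array $groupDns): array
{
    $result = [];
    $sources = [$map['users'][normalizeDn($userDn)] ?? []];
    foreach ($groupDns as $groupDn) {
        $sources[] = $map['groups'][normalizeDn($groupDn)] ?? [];
    }
    foreach ($sources as $sites) {
        foreach ($sites as $site => $perm) {
            if (($result[$site] ?? null) !== 'admin') {
                $result[$site] = $perm;
            }
        }
    }
    ksort($result);
    return $result;
}

$map = loadLdapMap(SAMPLE_LDAP_JSON);

// site1user is only a member of site1viewers; the group DN here carries the
// extra spaces some servers return, which normalizeDn() removes.
print_r(effectivePermissions($map,
    'cn=site1user,ou=foo,ou=bar,o=Organization,c=at',
    ['cn=site1viewers, ou=foo, ou=bar, o=Organization, c=at']));

// site1admin is also in site1viewers: the explicit admin grant overrides the group's view grant.
print_r(effectivePermissions($map,
    'cn=site1admin,ou=foo,ou=bar,o=Organization,c=at',
    ['cn=site1viewers,ou=foo,ou=bar,o=Organization,c=at']));
```

Normalising on both sides (when the map is loaded and when the directory's DNs are looked up) is what makes the comparison robust; normalising only the lookup side still fails if the administrator typed the DN with spaces in ldap.json.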

robocoder commented 14 years ago

BTW there's a feature request in #1723 for LDAP tracking.

anonymous-matomo-user commented 13 years ago

Played quite a lot with this plugin.

Just for clarification:

anonymous-matomo-user commented 13 years ago

For Piwik in the Enterprise this functionality really needs to be added to the core to allow integration with Active Directory as-well.

robocoder commented 13 years ago

Robert: I can make the change to Login/Login.php in core. However, it looks like Ldap/Controller.php overrides a number of methods in Login/Controller.php, so am I correct in assuming the patch to plugins/Login/Controller.php is no longer needed?

anonymous-matomo-user commented 13 years ago

Is there any chance to get a version of the plugin working with the current 1.4 of piwik (out of the box)?

Thanks for any hints (or .tar.gz-archives ,-)!

anonymous-matomo-user commented 13 years ago

I am not able to download plugin. Can anyone help to download the plugin

anonymous-matomo-user commented 13 years ago

Hi everybody,

as we also didn't manage to get this plugin working, we developed a new Piwik LDAP plugin based on this one. We are using piwik 1.5.1 with this plugin and it's working fine.

Here's the content of the README file also included in the .zip file:

gigatec LDAP Connector

Installation Workflow: 
1) Download the plugin code and extract the files into the /plugins Folder
2) Login to Piwik backend as superuser
3) Navigate to Settings->Plugins
4) Disable the "Login" Plugin
5) Enable the "LoginLdap" Plugin
6) Customize your LDAP Settings via Settings->LDAP Users
DONE :)

HowTo Create a new User from LDAP in Piwik:
1) Login to Piwik backend as superuser
2) Navigate to Settings->LDAP Users
3) If the LDAP Settings are correct you are now able to look up users from your directory

Note: 
Every time a user is trying to login to your Piwik, the password is first of all checked against your LDAP; if that fails the plugin will check against the database.

Note2: 
Users may be modified and deleted via Settings->Users

Have fun. 
your gigatec-Team

Any questions, wishes or suggestions are welcome!

mattab commented 13 years ago

gigatec, thank you for the nice plugin submission. When are users copied to the piwik user table? Any other special changes to the way users are handled / created / modified ?

anonymous-matomo-user commented 13 years ago

After clicking on the "Load User from LDAP" button the plugin searches for the username in the directory. If this search is successful the user is added to the piwik user table.

Regards

anonymous-matomo-user commented 12 years ago

This plugin is not working for me in the latest (1.6) version. I have unzipped into the plugins folder but when I deactivate the existing login plugin I get an error: Authentication object cannot be found in the Registry. Maybe the Login plugin is not activated? You can activate the plugin by adding: Plugins[] = Login under the [Plugins] section in your config/config.inc.php

So even when I directly amend the config file to use the LoginLdap plugin it still does not work. Any ideas? thanks, jonny

anonymous-matomo-user commented 12 years ago

Error while trying to read a specific config file entry 'LoginLdap' in your configuration file config/global.ini.php

Is the error you get when you do activate LoginLdap.

anonymous-matomo-user commented 12 years ago

As charstring says I am also getting:

Error while trying to read a specific config file entry 'LoginLdap' in your configuration file config/global.ini.php This problem would usually appear after a Piwik upgrade. If so, please check that the file config/global.ini.php was overwritten with the equivalent file from the latest Piwik version.

When I manually change Plugins[] = "Login" to Plugins[] = "LoginLdap" in the config.ini.php file.

anonymous-matomo-user commented 12 years ago

I am having the same problem as Jonny. If I try to deactivate the normal "Login" plugin then I can't change any settings in Piwik even though I'm the superuser

anonymous-matomo-user commented 12 years ago

Hi guys,

unfortunately the initial setup is not working with piwik 1.6. It works only with 1.5; after that you can upgrade to 1.6 without problems.

If you don't want to install 1.5 and then upgrade to 1.6, you can configure piwik manually by putting this in your config.inc.php

[LoginLdap]
serverUrl = "ldap://localhost/"
baseDn = "dc=corp,dc=gigatec,dc=org"
userIdField = "uid"
mailField = "mail"
aliasField = "cn"
adminUser = "Administrator"
adminPass = "**"

We will fix the problem with our new release in January.

Cheers, Stefan

anonymous-matomo-user commented 12 years ago

[LoginLdap]
serverUrl = "ldap://localhost/"
baseDn = "dc=corp,dc=gigatec,dc=org" 
userIdField = "uid" 
mailField = "mail" 
aliasField = "cn" 
adminUser = "Administrator" 
adminPass = "******"

anonymous-matomo-user commented 12 years ago

Hi,

Version 1.0.0 is not working for me. There was no ldap_bind while searching for the user and also while logging in, so I just got errors. After fixing this and logging in, the authenticateLDAP() function was called more than 10 times per request with no/false password and my AD automatically locked my user account. So I added an if statement to check that we have a username and password before we make any LDAP searches. After that everything seems to be working. In the future I'd like to add filter parameters that will be included in the search, so I could query only, for example, unlocked users and users that are members of a specific group.

You can find my fixed Controller.php and Auth.php here: http://aivo.ee/piwik_ldap_plugin_fix_201202.zip

The fix itself (maybe not the best solution but working for me):

Controller.php - find line 147 "$search = ldap_search" Add before:

$ldapadmin = Zend_Registry::get('config')->LoginLdap->adminUser;
$ldappass = Zend_Registry::get('config')->LoginLdap->adminPass;
ldap_bind($ldapconn, $ldapadmin, $ldappass);

Auth.php - find line 151 "$success = false;" Add after:

if ($this->login!="anonymous" && strlen($this->password)>0) {

Find from the end of the file line containing:

error_reporting($error_reporting);

Before that, close the added "if" statement with curly bracket "}"

Auth.php - near line 161 find "$search = ldap_search" Add before:

$ldapadmin = Zend_Registry::get('config')->LoginLdap->adminUser;
$ldappass = Zend_Registry::get('config')->LoginLdap->adminPass;
ldap_bind($ldapconn, $ldapadmin, $ldappass);

Regards, Aivo
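What Aivo describes (a service-account bind before the search, and no LDAP round trip at all when the credentials are empty) is shown here as an added example; it is not code from the plugin or from Aivo's zip. The config keys mirror the [LoginLdap] section posted in this thread; ldapAuthenticate(), escapeFilterValue(), userFilter() and the $bind/$searchDn callables are assumed names used for illustration. The empty-password guard matters beyond account lockouts: an LDAP bind request carrying a DN and an empty password is an unauthenticated bind (RFC 4513), which many directory servers answer with success, so a login routine that skips the check would accept any known username with a blank password. The ext-ldap path runs only when no callables are passed; the demonstration at the bottom uses a constructed in-memory directory so it runs offline.

```php
<?php
// Added example, not the LoginLdap plugin's code: password verification
// against LDAP with a service-account bind for the search and a guard
// against empty credentials.
declare(strict_types=1);

/** RFC 4515 escaping for a value placed inside a search filter (what ldap_escape(..., LDAP_ESCAPE_FILTER) does). */
function escapeFilterValue(string $v): string
{
    return strtr($v, ['\\' => '\5c', '(' => '\28', ')' => '\29', '*' => '\2a', "\0" => '\00']);
}

/** Build "(uid=<login>)" with the login escaped so it cannot alter the filter. */
function userFilter(string $userIdField, string $login): string
{
    return sprintf('(%s=%s)', $userIdField, escapeFilterValue($login));
}

/**
 * Returns the user's DN on success, null on failure.
 * $bind(dn, password) must return true only for a successful authenticated bind;
 * $searchDn(filter) returns the single matching DN or null.
 * When both are omitted, ext-ldap is used against $config (serverUrl, baseDn, userIdField, adminUser, adminPass).
 */
function ldapAuthenticate(array $config, string $login, string $password,
                          ?callable $bind = null, ?callable $searchDn = null): ?string
{
    // Guard first: no anonymous login and no empty password, otherwise the
    // directory sees repeated unauthenticated binds (lockouts, or worse, success).
    if ($login === '' || $login === 'anonymous' || trim($password) === '') {
        return null;
    }
    if ($bind === null || $searchDn === null) {
        $conn = ldap_connect($config['serverUrl']);
        if ($conn === false) {
            return null;
        }
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        $bind = static fn(string $dn, string $pw): bool => @ldap_bind($conn, $dn, $pw);
        $searchDn = static function (string $filter) use ($conn, $config): ?string {
            $res = ldap_search($conn, $config['baseDn'], $filter, ['dn']);
            $entries = $res ? ldap_get_entries($conn, $res) : ['count' => 0];
            return $entries['count'] === 1 ? $entries[0]['dn'] : null;
        };
    }
    // 1. Bind as the service account (the ldap_bind Aivo found missing) so the search is authorised.
    if (!$bind($config['adminUser'], $config['adminPass'])) {
        return null;
    }
    // 2. Resolve login -> DN; exactly one match is required.
    $dn = $searchDn(userFilter($config['userIdField'], $login));
    if ($dn === null) {
        return null;
    }
    // 3. Verify the password by binding as the user.
    return $bind($dn, $password) ? $dn : null;
}

// Offline demonstration with a constructed in-memory directory.
$directory = ['uid=jdoe,ou=people,dc=example,dc=org' => 's3cret'];
$serviceDn = 'cn=piwik,ou=svc,dc=example,dc=org';
$fakeBind = static function (string $dn, string $pw) use ($directory, $serviceDn): bool {
    if ($pw === '') {
        return true;   // mimics a server that accepts unauthenticated binds
    }
    if ($dn === $serviceDn) {
        return $pw === 'svc-pass';
    }
    return isset($directory[$dn]) && hash_equals($directory[$dn], $pw);
};
$fakeSearch = static function (string $filter) use ($directory): ?string {
    foreach (array_keys($directory) as $dn) {
        $uid = explode(',', substr($dn, 4))[0];   // "uid=jdoe,..." -> "jdoe"
        if ($filter === '(uid=' . $uid . ')') {
            return $dn;
        }
    }
    return null;
};
$config = ['serverUrl' => 'ldap://localhost/', 'baseDn' => 'dc=example,dc=org',
           'userIdField' => 'uid', 'adminUser' => $serviceDn, 'adminPass' => 'svc-pass'];

var_dump(ldapAuthenticate($config, 'jdoe', 's3cret', $fakeBind, $fakeSearch));  // correct password
var_dump(ldapAuthenticate($config, 'jdoe', 'wrong', $fakeBind, $fakeSearch));   // wrong password
var_dump(ldapAuthenticate($config, 'jdoe', '', $fakeBind, $fakeSearch));        // empty password: stopped by the guard, never reaches the server
```

The third call is the case Aivo's fix addresses: the fake server would happily "succeed" on an empty password, but the guard returns null before any bind is attempted. In the real ext-ldap path the same guard also stops the repeated no-password calls that triggered the AD lockout.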

anonymous-matomo-user commented 12 years ago

Hi Aivo,

thanks for your contribution!

Meanwhile we have also developed a new version of the Piwik LDAP Plugin with ActiveDirectory support. We just had not enough time to test and release it until now. Version 1.0.0 was actually not compatible with ActiveDirectory until your fix.

The new version (1.2.0) should be fully compatible with ActiveDirectory. We also restructured the code a little bit and added some more options to the settings menu.

I attached the new version to this ticket. Please let us know whether the new solution is working for you if you will integrate it in your Piwik.

Cheers, Stefan

anonymous-matomo-user commented 12 years ago

@Everybody:

With this new release (LoginLdap 1.20) the install problem for Piwik 1.6 and Piwik 1.7 is also fixed.

mattab commented 12 years ago

@gigatec thank you for the update, it is very appreciated! A lot of Piwik users actually use this plugin and will benefit from your update.

Do you know if there is any "feature request" pending? If so, would you mind listing here in a comment, the list of "Known limitations" and "feature requests" ? I would like to have an overview of the status of this plugin. Thanks!!

anonymous-matomo-user commented 12 years ago

@gigatec: Thank you for the new release! It's a big step forward. And thanks for the information, didn't know about the previous AD limitation. I got this one also working.

I have just a couple of notes:

1) GigatecLdap.php @ function log() - the variable $enableLogging should be called as $this->enableLogging or there will be errors that the variable is not defined.
2) If someone has admin rights for just one site out of many, he/she can also edit and save LDAP connection parameters. It should be allowed only for the superuser. Maybe the LDAP tab should not be visible for regular admins?
3) It would be nice as a feature request to add a custom LDAP search filter option. So for example only active users can login: (userAccountControl:1.2.840.113556.1.4.803:=2) or only as a person: (objectCategory=person). Etc.
4) Also it would be nice if this plugin optionally enabled Kerberos login (it just has to look for the REMOTE_USER env parameter).

Regards, Aivo
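As an added example (not the plugin's code) of the custom-filter option Aivo asks for above: the administrator-configured filter is AND-ed with the login lookup, the submitted login is escaped per RFC 4515 so that metacharacters in a username cannot change the query (the same escaping ldap_escape() performs with LDAP_ESCAPE_FILTER), and the configured filter is checked to be a single balanced expression before it is used. The constructed filter in the demonstration negates the AD bit-match quoted above, because bit 2 of userAccountControl marks a disabled account, so the negation is what selects enabled ones; escapeFilterValue(), isWellFormedFilter() and buildUserSearchFilter() are assumed names.

```php
<?php
// Added example, not the LoginLdap plugin's code: compose the user search
// filter from the configured user-id field, the submitted login and an
// optional administrator-defined extra filter.
declare(strict_types=1);

/** RFC 4515 escaping for a value placed inside a search filter. */
function escapeFilterValue(string $v): string
{
    return strtr($v, ['\\' => '\5c', '(' => '\28', ')' => '\29', '*' => '\2a', "\0" => '\00']);
}

/** True when $filter is exactly one parenthesised expression with balanced parentheses. */
function isWellFormedFilter(string $filter): bool
{
    $filter = trim($filter);
    if ($filter === '' || $filter[0] !== '(' || substr($filter, -1) !== ')') {
        return false;
    }
    $depth = 0;
    $len = strlen($filter);
    for ($i = 0; $i < $len; $i++) {
        if ($filter[$i] === '(') {
            $depth++;
        } elseif ($filter[$i] === ')') {
            $depth--;
        }
        // Depth back at zero before the last character means two top-level
        // expressions, e.g. "(a=1)(b=2)", which is not a valid filter.
        if ($depth < 0 || ($depth === 0 && $i !== $len - 1)) {
            return false;
        }
    }
    return $depth === 0;
}

/**
 * "(uid=<login>)" or, with an extra filter, "(&(uid=<login>)<extra>)".
 * The login is escaped; the extra filter comes from configuration and is
 * validated rather than escaped, since it is meant to contain filter syntax.
 */
function buildUserSearchFilter(string $userIdField, string $login, string $extraFilter = ''): string
{
    $user = sprintf('(%s=%s)', $userIdField, escapeFilterValue($login));
    $extraFilter = trim($extraFilter);
    if ($extraFilter === '') {
        return $user;
    }
    if (!isWellFormedFilter($extraFilter)) {
        throw new InvalidArgumentException("Configured LDAP filter is not well-formed: $extraFilter");
    }
    return '(&' . $user . $extraFilter . ')';
}

// Constructed configuration: persons whose ACCOUNTDISABLE bit (2) is not set.
$activePersons = '(&(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))';
echo buildUserSearchFilter('sAMAccountName', 'jdoe', $activePersons), PHP_EOL;

// A login containing filter metacharacters is escaped and cannot widen the search.
echo buildUserSearchFilter('uid', 'jdoe)(uid=*'), PHP_EOL;

// A malformed configured filter is rejected instead of being sent to the directory.
try {
    buildUserSearchFilter('uid', 'jdoe', '(objectCategory=person');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Keeping the configured filter under the superuser's control (Aivo's point 2) is what makes validating rather than escaping it acceptable; if site admins could edit it, it would need the same treatment as the login value.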

anonymous-matomo-user commented 12 years ago

Hi Avio,

thanks for finding this logging-bug. First I actually didn't want to put this logging feature into this release. But then however I decided to do so. Unfortunately I didn't test it again. Thanks for finding and reporting it! :)

I fixed it and uploaded the new release -> LoginLdap 1.2.1

@matt Actually we don't have any feature requests pending at the moment.

The plugin is working for our needs at the moment. But we are happy to implement some small features if you need them. We are also happy for any assistance :).

@Aivo Are you maybe interested in working together with us to implement some features?

Cheers, Stefan

anonymous-matomo-user commented 12 years ago

Hi again and thanks for the quick fix.

I am interested indeed, as I need some new features in my organisation.

You can contact me for details: aivo (dot) koger (at) gmail (dot) com

Bregs.

anonymous-matomo-user commented 12 years ago

Hi everybody!

We created a google code project so everybody can file feature requests or even help implementing :).

http://code.google.com/p/piwik-ldap/

Cheers, Stefan

anonymous-matomo-user commented 12 years ago

Please try our new version LoginLdap-1.3.0 - available at http://code.google.com/p/piwik-ldap/downloads/list I attached the same file here. It would be nice to know if you have any problems or if it's all fine. Thanks!

LoginLdap 1.3.0:

anonymous-matomo-user commented 12 years ago

Hi @All,

I updated my piwik installation with the working ldap module from 1.7.1 to 1.8, and after this the ldap login isn't working! Please let me know if you need some backtraces or further information. At the moment the ldap module is disabled and deleted from my installation.

Any answer is very appreciated

Thank you very much!

mattab commented 12 years ago

towerlexa, your error is due to a bug in piwik 1.8, not this plugin, see the fix here: http://dev.piwik.org/trac/changeset/6446

please apply and let me know if you still have problems

anonymous-matomo-user commented 12 years ago

Hi Matt,

thank you for your help and the hint above. This works for me! Great!

mattab commented 11 years ago

@all users, does the LDAP plugin work for API authentication? we had a report from a Piwik Mobile App user who said the Piwik Mobile app wasn't authenticating when using the LDAP plugin. Thanks for more insights.

anonymous-matomo-user commented 11 years ago

After upgrading to Piwik 1.9 the following error message is displayed on the ldap page:

There is an error. Please report the message (Piwik 1.9) and full backtrace in the Piwik forums (please do a Search first as it might have been reported already!).

 Notice: Undefined index: usingOldGeoIPPlugin in /var/www/tmp/templates_c/%%38^383^383EA889%%header.tpl.php on line 108 

Backtrace -->

 #0 Piwik_ErrorHandler(...) called at [/var/www/tmp/templates_c/%%38^383^383EA889%%header.tpl.php:108]
 #1 include(...) called at [/var/www/libs/Smarty/Smarty.class.php:1869]
 #2 Smarty->_smarty_include(...) called at [/var/www/tmp/templates_c/%%9D^9D7^9D7A6FB8%%LoginLdap.tpl.php:8]
 #3 include(...) called at [/var/www/libs/Smarty/Smarty.class.php:1263]
 #4 Smarty->fetch(...) called at [/var/www/core/View.php:133]
 #5 Piwik_View->render(...) called at [/var/www/plugins/LoginLdap/Controller.php:95]
 #6 Piwik_LoginLdap_Controller->admin(...) called at [:]
 #7 call_user_func_array(...) called at [/var/www/core/FrontController.php:138]
 #8 Piwik_FrontController->dispatch(...) called at [/var/www/index.php:61]

mattab commented 11 years ago

(In [7300]) Refs #734 Fixing Notice: Undefined index: usingOldGeoIPPlugin in

anonymous-matomo-user commented 11 years ago

Replying to matt:

(In [7300]) Refs #734 Fixing Notice: Undefined index: usingOldGeoIPPlugin in

Thanks. This seems to fix this issue. The error message has disappeared.

anonymous-matomo-user commented 11 years ago

Replying to matt:

@all users, does the LDAP plugin work for API authentication? we had a report from a Piwik Mobile App user who said the Piwik Mobile app wasn't authenticating when using the LDAP plugin. Thanks for more insights.


Hi Matt, it is true, the LDAP login does not work inside the Piwik Mobile App. While login as Administrator works like a charm, ldap-user login produces an error message. It has always been this way and we have been testing piwik since the very beginning.

Some more info on that. I just updated Piwik to 1.9.1 (glad to see that the error on the ldap page has gone) and was using what seems to be the current LDAP Plugin version 1.3.0 (http://code.google.com/p/piwik-ldap/downloads/list).

Piwik Mobile App (version 1.9.2) is running on a Samsung Galaxy S3. See screenshot for the error message... [http://postimage.org/image/lmgut0gw5/]

tsteur commented 11 years ago

Hi guys,

would be really cool to be able to login via API / AuthToken. Is it possible that you add this feature to the LDAP plugin? Otherwise Piwik Mobile users can't log in. This is going to be more important as Mobile will be the future :)

anonymous-matomo-user commented 11 years ago

Replying to jnk:

Replying to matt:

(In [7300]) Refs #734 Fixing Notice: Undefined index: usingOldGeoIPPlugin in

Thanks. This seems to fix this issue. The error message has disappeared.

Hi I just upgraded to Piwik 1.9.1 because the LoginLDAP plugin didn't work as described below. It seems to have fixed that issue, but when I login now I get another error.


There is an error. Please report the message (Piwik 1.9.1) and full backtrace in the Piwik forums (please do a Search first as it might have been reported already!).

Notice: Undefined index: enable_trusted_host_check in /www/www-live/other-sites/piwik/core/Url.php on line 465

Backtrace -->

#0 Piwik_ErrorHandler(...) called at [/www/www-live/other-sites/piwik/core/Url.php:465]
#1 Piwik_Url::isLocalUrl(...) called at [/www/www-live/other-sites/piwik/core/Nonce.php:74]
#2 Piwik_Nonce::verifyNonce(...) called at [/www/www-live/other-sites/piwik/plugins/Login/Controller.php:64]
#3 Piwik_Login_Controller->login(...) called at [/www/www-live/other-sites/piwik/plugins/Login/Controller.php:46]
#4 Piwik_Login_Controller->index(...) called at [:]
#5 call_user_func_array(...) called at [/www/www-live/other-sites/piwik/core/FrontController.php:138]
#6 Piwik_FrontController->dispatch(...) called at [/www/www-live/other-sites/piwik/index.php:53]

There is an error. Please report the message (Piwik 1.9.1) and full backtrace in the Piwik forums (please do a Search first as it might have been reported already!).

Notice: Undefined index: password in /www/www-live/other-sites/piwik/plugins/LoginLdap/LoginLdap.php on line 116

Backtrace -->

#0 Piwik_ErrorHandler(...) called at [/www/www-live/other-sites/piwik/plugins/LoginLdap/LoginLdap.php:116]
#1 Piwik_LoginLdap->initSession(...) called at [:]
#2 call_user_func_array(...) called at [/www/www-live/other-sites/piwik/libs/Event/Dispatcher.php:284]
#3 Event_Dispatcher->postNotification(...) called at [/www/www-live/other-sites/piwik/core/PluginsManager.php:722]
#4 Piwik_PostEvent(...) called at [/www/www-live/other-sites/piwik/plugins/Login/Controller.php:159]
#5 Piwik_Login_Controller->authenticateAndRedirect(...) called at [/www/www-live/other-sites/piwik/plugins/Login/Controller.php:71]
#6 Piwik_Login_Controller->login(...) called at [/www/www-live/other-sites/piwik/plugins/Login/Controller.php:46]
#7 Piwik_Login_Controller->index(...) called at [:]
#8 call_user_func_array(...) called at [/www/www-live/other-sites/piwik/core/FrontController.php:138]
#9 Piwik_FrontController->dispatch(...) called at [/www/www-live/other-sites/piwik/index.php:53]

anonymous-matomo-user commented 11 years ago

I disabled the LoginLdap plugin, and restarted the server, activated the LoginLdap plugin, then deactivated the Login plugin, and it worked fine now.....

anonymous-matomo-user commented 11 years ago

There's an encoding error when logging in:

There is an error. Please report the message (Piwik 1.9.2) and full backtrace in the Piwik forums (please do a Search first as it might have been reported already!).

Warning: json_encode() [function.json-encode]: Invalid UTF-8 sequence in argument in [PATH]/htdocs/plugins/LoginLdap/GigatecLdap.php on line 44

when printing the $result object, I think it might stumble over either: PCtxCfgPresentC

or: olN%D

(multiple occurrences of the latter)

LDAP is configured for a MS Active Directory (small business server 2003)

For now I have disabled the log-message and it seems to work.