Open Kaochkidu opened 4 years ago
Same here. It would be great to have a config option to switch anonymous bind off and use bind with credentials instead.
I guess I have the same problem:
/var/www/piwik/plugins/LoginLdap/Ldap/Client.php(96): Warning - ldap_bind(): Unable to bind to server: Inappropriate authentication - Matomo 4.13.3 - Please report this message in the Matomo forums: https://forum.matomo.org (please do a search first as it might have been reported already)
INFO [2023-02-07 16:40:07] 1290162 LdapUsers::makeLdapClient: Using LDAP server ldaps://XXX:636
/var/www/piwik/console core:update
spits out this for every user I guess, takes long time to finish ...
Hi @doits. I just tested the plugin and see what you're talking about. I'm not sure why that warning is displaying. However, it is just a warning. When I ran the LDAP plugin with my debugger running, I could see the warning, but I also saw that the LDAP client was successfully created and that the users were correctly synced. So, the plugin appears to be working correctly, but that warning displays. Any other thoughts @AltamashShaikh?
It works for me, too (clients can authenticate etc.) but displays this warning at the top after every login, too.
LDAP server logs this first:
BIND dn="" method=128
RESULT tag=97 err=48 qtime=0.000013 etime=0.000055 text=anonymous bind disallowed
... and then the second bind is done correctly right afterwards with the provided credentials:
BIND dn="uid=XXX" method=128
BIND dn="uid=XXX" mech=SIMPLE bind_ssf=0 ssf=256
RESULT tag=97 err=0 qtime=0.000015 etime=0.000150 text=
The culprit is the first anonymous bind if I see it correctly.
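Added example, not part of the thread or the plugin's code: a Python triage pass over LDAP server logs that pairs each BIND with its RESULT, so the rejected anonymous probe (dn="" with err=48) is counted separately from real credential failures. The sample lines are constructed; the `conn=`/`op=` prefixes and the example DNs are assumptions modeled on OpenLDAP's stats log format, since the lines quoted above show only the part after them.

```python
import re
from collections import Counter

# Constructed sample in OpenLDAP stats-log style. The conn=/op= prefixes are
# an assumption; the lines quoted in the thread show only the part after them.
SAMPLE_LOG = """\
conn=1001 op=0 BIND dn="" method=128
conn=1001 op=0 RESULT tag=97 err=48 qtime=0.000013 etime=0.000055 text=anonymous bind disallowed
conn=1001 op=1 BIND dn="uid=svc-matomo,ou=people,dc=example,dc=org" method=128
conn=1001 op=1 RESULT tag=97 err=0 qtime=0.000015 etime=0.000150 text=
conn=1002 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=org" method=128
conn=1002 op=0 RESULT tag=97 err=49 qtime=0.000011 etime=0.000090 text=
conn=1003 op=0 BIND dn="" method=128
conn=1003 op=0 RESULT tag=97 err=48 qtime=0.000012 etime=0.000051 text=anonymous bind disallowed
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=\d+')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')


def classify_binds(log_text):
    """Pair each BIND with its RESULT by (conn, op) and label the outcome."""
    pending = {}          # (conn, op) -> bind DN awaiting a result
    outcomes = []         # (conn, dn, label)
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            pending[(m[1], m[2])] = m[3]
        elif m := RESULT_RE.search(line):
            dn = pending.pop((m[1], m[2]), None)
            if dn is None:
                continue  # RESULT for an operation whose BIND we never saw
            err = int(m[3])
            if err == 0:
                label = "ok"
            elif dn == "" and err == 48:
                label = "anonymous_probe_rejected"   # noise from the probe bind
            else:
                label = "auth_failure"               # worth alerting on
            outcomes.append((m[1], dn, label))
    return outcomes


def summarize(log_text):
    return Counter(label for _, _, label in classify_binds(log_text))


if __name__ == "__main__":
    for label, count in summarize(SAMPLE_LOG).items():
        print(f"{label}: {count}")
```

Keeping the probe rejections in their own bucket lets bind-failure alerting stay keyed on err=49 and other non-probe errors while the flood described in this issue is still measurable.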
@doits The plugin tries to bind anonymously first, which fails. Maybe we shouldn't show it as a warning if it's an obvious case. I'll see if we can do anything better here. I currently don't have time to look into it immediately but will keep a note of it.
Same log flooding here. Seems redundant anonymous binding was introduced in
https://github.com/matomo-org/plugin-LoginLdap/issues/34
https://github.com/matomo-org/plugin-LoginLdap/commit/47ac583dea7f022f6f3e3868c2ec28de7b7d121e
because
ldap_connect will not always try to connect to the server, so execute a bind to test the connection
but according to the PHP manual, ldap_connect
does not open an LDAP connection, and anonymous binding looks like a (probably) unnecessary hack because every LDAP request should be prepared to handle exceptions (i.e. the connection may die just before binding with correct user data, after this anon hack).
Please verify and remove this hack if unnecessary (including https://github.com/matomo-org/plugin-LoginLdap/commit/b0217060c587ca81bb7ddc1f8389145003bfe74e) and make sure all LDAP operations are prepared to handle LDAP exceptions.
@pboguslawski Will check if we can remove this logging :+1:
Hello,
When synchronizing users with the LDAP server using the command loginldap:synchronize-users, the LoginLdap plugin binds to the server with an anonymous connection. The plugin does not bind because we refuse anonymous connections to the LDAP server, and this causes warnings. These warnings cause an error when the plugin manages to synchronize users to LDAP.
Could you modify the behaviour of the LoginLdap plugin so that it binds to the LDAP server with a non-anonymous connection, please?
Regards