Open lolllpop opened 9 years ago
Using the mobile app w/ LoginLdap requires that the Always Use LDAP for Authentication setting be unchecked. This is because the mobile app calculates the token auth of a user, it doesn't query Piwik for the token auth in the DB. So the token auth it uses will be different from what is in the DB unless the actual password of a user is stored in Piwik's DB.
There are two ways around this:
I think neither of these solutions is ideal for you since you've removed existing user entries, so I'll keep trying to think of another way to solve this.
Hi @diosmosis
Would it be possible to document this in a FAQ in the readme of loginLdap ? it seems more and more users have this question and they could help themselves with such FAQ :+1:
I've just seen #80 which looks similar so +1
@diosmosis: thanks for your explanation!
For me, however, the main purpose of the LDAP plugin is the authentication at an external, central authentication point. The very last thing I want are the users' passwords being replicated to the application's db - in whatever form.
I added a feature request for the Mobile App to support password authentication over TLS or the entry of a manually specified token. https://github.com/piwik/piwik-mobile-2/issues/5326
Just upgraded to Piwik 2.9.1 and LoginLDAP 3.1.0 (from 2.2.7). For this, I completely re-configured the LDAP config, deleted all accounts (but my master admin) from the piwik_user table and synchronized all accounts via console. For LoginLdap, I have to following setup:
Always Use LDAP for Authentication: yes Synchronize Users After Successful Login: yes Use Web Server Auth: no Generate Random token_auth For New Users: yes
Records in piwik_user have passwords starting with {LDAP}xxx and a new tokens. Within the web app, everything is working fine (thanks!). User and admin accounts can login and have their old authorizations to the websites.
However, login with the iOS MobileApp 2.2 is not possible anymore. It tells me that I should check username and password and have access to at least one website, but credentials and authorizations are correct. Any ideas?
Thanks Martin