Closed larrys closed 9 years ago
From the PHP docs, as long as your PHP and LDAP are configured correctly, it should work (though there could be a bug in the plugin). Can you ensure a generic LDAP query works when you run it through an LDAP client, i.e. (objectClass=person)?
Also, if you're using the raw hostname (i.e. myldaphost.com) instead of an ldaps:// URL, can you use ldaps://myldaphost.com/ instead and see if it works?
When I use ldaps://host.domain.com I got some other error, and now when I go to reproduce it, it says how many users match the filter. I blame gremlins.
The error was "Could not bind as LDAP admin", which I get now when I try to load a user from LDAP. I bind anonymously to LDAP. Is that an issue? Plus, if I were to bind, our admins would not let me bind as an admin.
It could be an issue, but a lot of this depends on your LDAP server config. The requirement is that whatever user is used (or if anonymous bind is used), the account must have read access to the users in LDAP.
You can get more information from the plugin by running the following command:
php /path/to/piwik/console loginldap:synchronise-users --login=someuserslogin -vvv
Also, it's probably a good idea to make sure you can bind & query LDAP from the machine Piwik is on from a different LDAP client (eg, ldapsearch). If you can verify it works, then we can be sure the plugin is doing something wrong, or a plugin setting is incorrect, rather than an error in the LDAP server.
"Generate Random token_auth For New Users" needs to be set when you bind anonymously. But I added it. I got my username synched over in the test, but now I can't log in.
I see the LdapFunctionsMissing message at the top, but they have been installed, and apache restarted. Is there something else amiss?
Is there a way to run this not as root, or the apache user?
[InvalidArgumentException]
The directory "/var/www/html/piwik/tmp/cache/tracker/" does not exist and could not be created.
I see the LdapFunctionsMissing message at the top, but they have been installed, and apache restarted. Is there something else amiss?
Looks like there are two issues, PHP can't find the ldap_connect method, and for some reason text isn't being translated (LdapFunctionsMissing should have been replaced w/ "The PHP LDAP extension does not appear to be enabled. It is required for this plugin, please install it."). The first problem might just be the old error you've received not being cleared as a notification. For now, I'd ignore it unless it becomes persistent and nothing else works. The second problem is an issue w/ your Piwik install. It's not serious, but you may want to look into it later.
Is there a way to run this not as root, or the apache user?
The tmp/cache/tracker issue is a known issue w/ Piwik. I think at the moment you have to run it as the web user at least once to create the folder (note: you can do this w/ su). I wouldn't recommend running it as root.
I put LdapFunctionsMissing so it was shorter, and that is what I found in code, sorry for the confusion.
Here's an oddity, I click on the test on the LDAP search filter, and sometimes it will list the users matched by the filter, and sometimes it puts "Could not bind as LDAP admin."
I can click it over and over, and it will randomly switch between the two.
W/o debug information and w/o your attempting to connect & query LDAP it will be impossible to diagnose this error. If you can't run the command, you can try enabling debug logging (see here: http://piwik.org/faq/troubleshooting/faq_115/) and trying to use LDAP functionality. If you'd like to share the logs, email them to hello@piwik.org (in case there is sensitive information in them).
I figured since testing the filter sometimes showed the number of users, it shows that it sometimes works. I was also able, through the UI, to synch my username over.
Now every time I click on the test button for the filter, I get the error... here is the debug log content
DEBUG Piwik\Db[2015-04-15 17:01:12] [0bb9e] Db::fetchAll() executing SQL: SELECT DATABASE()
DEBUG Piwik\Db[2015-04-15 17:01:12] [0bb9e] Db::fetchAll() executing SQL: SELECT option_value, option_name FROM piwik_option
WHERE autoload = 1
DEBUG Piwik\Db[2015-04-15 17:01:12] [0bb9e] Db::fetchOne() executing SQL: SELECT option_value FROM piwik_option
WHERE option_name = ?
DEBUG Piwik\Plugin\Manager[2015-04-15 17:01:12] [0bb9e] Loaded plugins: CorePluginsAdmin, CoreAdminHome, CoreHome, CoreVisualizations, Proxy, API, ExamplePlugin, Widgetize, Transitions, LanguagesManager, Actions, Dashboard, MultiSites, Referrers, UserSettings, UserLanguage, DevicesDetection, Ecommerce, SEO, Events, UserCountry, VisitsSummary, VisitFrequency, VisitTime, VisitorInterest, ExampleAPI, ExampleRssWidget, Provider, Feedback, Monolog, UsersManager, SitesManager, Installation, CoreUpdater, CoreConsole, ScheduledReports, UserCountryMap, Live, CustomVariables, PrivacyManager, ImageGraph, Annotations, MobileMessaging, Overlay, SegmentEditor, Insights, ZenMode, LeftMenu, Morpheus, Contents, BulkTracking, Resolution, DevicePlugins, InterSites, LoginLdap
DEBUG LoginLdap[2015-04-15 17:01:12] [0bb9e] ServerInfo::makeConfigured: configuring with hostname = ldaps://ldap.company.com, baseDn = ou=People,o=company.com,o=company,c=us, port = 636, adminUser = ..., adminPass =
Is ldaps://ldap.company.com an actual server? Can you confirm through another LDAP client you can connect, bind and query this server w/ the credentials supplied in Piwik settings?
I'm starting to suspect SSL cert issues... working with my IT department through possible problems.
Thanks for your help so far. I'll keep you updated.
On Wed, Apr 15, 2015 at 4:46 PM, Benaka notifications@github.com wrote:
Is ldaps://ldap.company.com an actual server? Can you confirm through another LDAP client you can connect, bind and query this server w/ the credentials supplied in Piwik settings?
— Reply to this email directly or view it on GitHub https://github.com/piwik/plugin-LoginLdap/issues/94#issuecomment-93589972.
Looks like it was an SSL problem: the ldap.conf file has TLS_CACERTDIR /etc/openldap/cacerts, and the /etc/openldap/cacerts directory is only readable by root...
I click on the test for LDAP search filter, and it sits there with the icon. Once I change the port to the default (so it is not going over SSL), it will give me the number of users that matched the filter.
I need to be able to talk to LDAP over SSL.
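The root cause reported above (TLS_CACERTDIR pointing at a directory only root can read, so the web server user cannot verify the server certificate and the ldaps:// connection hangs) is easy to check before touching Piwik at all. The following shell script is an added example; it is not code from the LoginLdap plugin, from Piwik, or from anyone in this thread. It reads TLS_CACERTDIR from an ldap.conf, and reports whether a non-root process could read that directory. Assumptions: the web user is neither the owner nor a group member of the directory, so the "other" permission bits decide; the default path /etc/openldap/ldap.conf is only a constructed default and may differ per distribution.

```shell
#!/bin/sh
# Added example, not code from the LoginLdap plugin or Piwik.
# Reads TLS_CACERTDIR from an ldap.conf and reports whether a non-root
# process (such as the web server user running PHP's ldap_connect) could
# read the CA certificate directory. Assumption: the web user is neither
# owner nor group member of the directory, so the "other" bits decide.

# Print the value of TLS_CACERTDIR from the given ldap.conf (empty if unset).
ldap_cacertdir() {
    awk '$1 == "TLS_CACERTDIR" { print $2; exit }' "$1"
}

# Succeed (0) when "other" has read and execute on a directory.
# Parses the mode string from ls -ld, so the answer does not depend on
# which user runs this script and works with both GNU and BSD ls.
dir_world_readable() {
    mode=$(ls -ld "$1" | awk '{ print $1 }')
    case "$mode" in
        d??????r?x*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Diagnose one ldap.conf. Prints a one-line verdict and returns 0 when
# ldaps:// verification from a non-root user should be able to load the CAs.
check_ldap_conf() {
    conf=$1
    dir=$(ldap_cacertdir "$conf")
    if [ -z "$dir" ]; then
        echo "no TLS_CACERTDIR in $conf; nothing to check here"
        return 0
    fi
    if [ ! -d "$dir" ]; then
        echo "TLS_CACERTDIR $dir does not exist"
        return 1
    fi
    if dir_world_readable "$dir"; then
        echo "ok: $dir is readable by non-root users"
        return 0
    fi
    echo "problem: $dir is not readable by non-root users; ldaps:// from the web user cannot verify the server certificate"
    return 1
}

# Stand-alone use: pass the path of the ldap.conf to check, e.g.
#   sh check_cacertdir.sh /etc/openldap/ldap.conf
# (constructed example path; adjust for your distribution).
if [ $# -gt 0 ]; then
    check_ldap_conf "$1"
fi
```

The script is a portable approximation; the definitive check is the one already suggested in this thread, running ldapsearch as the web user against the ldaps:// URL. Dropping back to the default port proves the filter works, but it also moves the bind and the user data to plaintext, so the fix is to make the CA directory readable by the web user (or point TLS_CACERT at a readable bundle) rather than leaving the port changed.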