Plugin for LDAP Authentication

[anonymous-matomo-user]

This plugin syncs Piwik's user and access table against LDAP and performs Authentication via LDAP.

For installation instructions, see the README file in the tarball.

Install the plugin in one click from the Marketplace: LoginLdap on the marketplace

Keywords: ldap, auth, login, third-party-plugin

[anonymous-matomo-user]

Hello,

I don't understand what I have to (and what I can) write in the ldap.json file.

Can you give me more information about this file ?

[anonymous-matomo-user]

In the example below, these groups and memberships are assumed:

mygroup
  user
  admin  
site1viewers
  site1admin
  site1user

{
        "groups": {
                "cn=mygroup,ou=foo,ou=bar,o=Organization,c=at": {
                        "Site1": "view",
                        "Site2": "view",
                        "Site3": "view"
                },
                "cn=site1viewers,ou=foo,ou=bar,o=Organization,c=at": {
                        "Site1": "view"
                }
        },
        "users": {
                "cn=admin,ou=foo,ou=bar,o=Organization,c=at": {
                        "Site1": "admin",
                        "Site2": "admin",
                        "Site3": "admin"
                },
                "cn=site1admin,ou=foo,ou=bar,o=Organization,c=at": {
                        "Site1": "admin"
                }
        }
}

Users and groups must be specified with their distinguished name (dn). The entry for a user or group must contain Key-Value pairs: site name->permission, permission may assume "view" or "admin"

In this example, the users end up with these permissions:

user
  view -> Site1, Site2, Site3
admin
  admin -> Site1, Site2, Site3
site1user
  view -> Site1
site1admin
  admin -> Site1

[anonymous-matomo-user]

Thanks. For your answer, and for this plugin too.

Your plugin don't work for me for the moment. I think it's because the filter (function Auth.doLdapSearch) is based on "cn" attribute. But in our organisation the unique identifier in LDAP is an attribute named "uid". I have to change the filter and test.

PS: Is this ticket the good place to give you feedback, report bug, ask question, ... ?

PPS: I tried to install Wordpress MU too. And I think you can see about this plugin, it may be interesting :
http://sourceforge.net/projects/wpmu-ldap/

PPPS: Sorry for my english if it's not good ... I'm french. :-)

[anonymous-matomo-user]

Be warned, this now depends on #828

[anonymous-matomo-user]

It don't understand exactly why you warn me. But it's not a problem. I will always need to have a LDAP authentication with Piwik. So I will use a Piwik version with a functional LDAP plugin.

For the filter in Auth.doLdapSearch() it's OK if I change "cn" by "uid". I will try to add a property in the config file and send you a patch.

PS: FIY: I just have to check the json file. The syntax is good but the permissions are not added (I think my "dn" are not correct).

[anonymous-matomo-user]

The attribute designating the userid and the Objectclass designating groups can be configured now, check the config.ini example.
You have to apply the patch from #828 against piwik 0.4.1 for the LDAP plugin to work, that's what the warning is about.
You should use these permissions on ldap.json:

chown root:<apache group>
chmod 0640 ldap.json

[robocoder]

You might want to open a ticket proposing login-ldap-plugin.patch (or a variant thereof) be applied to Piwik core.

I would suggest you move the sample configuration files to the LdapLogin folder, and re-package it so it can be extracted into the plugins folder.

[anonymous-matomo-user]

Hello,

After some weeks when I didn't use Piwik, I try it again and I try to use the LdapLogin plugin.

To search the LDAP groups, I had to change attribute "member" by "uniqueMember"
I added a parameter in the config file ("group_member_attribute") and I updated the function doLdapGroupLookup()

function authenticate()

// If the parent can't authenticate the user, let LDAP try.

Even if the parent authenticate the user, we have to connect to LDAP for updating user's informations (ex: email)
And we need to update user rights against the "ldap.json" file.
So I think we always need to connect to LDAP and to call populateDB()
Perhaps an idea is to be able to differenciate LDAP users and local users
ex: add a prefix in the login column in the database : login = {ldap}$this->login
ex: store a special string in the password column (we don't need this column for LDAP users) : password = {{ldap}}

In this case, we don't need to play with $session->done, $this->login, $result, ... It's complicated to understand this code (and so it's complicated to participate in this plugin). It's simplier to have a variable or a function to know if the user is authenticated and if it's local or LDAP user.

protected function assignAccess()

Before the loop : foreach($this->groups as $group)
I have to do this : $ldap_map_groups = get_object_vars($ldap_map["groups"]);
And I change $ldap_map["groups"] with $ldap_map_groups
If I don't do that, array_key_exists(..) always return false.
In this loop, I do first : $group = str_replace(", ", ",", $group);
I don't know if it's my LDAP server but sometimes a group dn is :
cn=MY-GROUP-NAME,ou=people,ou=MY-OU,o=orga.com
and sometimes it's :
cn=MY-GROUP-NAME,ou=people, ou=MY-OU, o=orga.com
And then array_key_exists(..) return false

I hope all of these points can help you to improve your plugin. (it's already a great plugin)

Regards,
Neoh

[robocoder]

BTW there's a feature request in #1723 for LDAP tracking.

[anonymous-matomo-user]

Played quite alot with this plugin.

Just for clarification:

• confirmed that the plugin does NOT work with the newest version.
• authentication is still done by piwik. The plugins just copies users it cant find in piwik from ldap.

[anonymous-matomo-user]

For Piwik in the Enterprise this functionality really needs to be added to the core to allow integration with Active Directory as-well.

[robocoder]

Robert: I can make the change to Login/Login.php in core. However, it looks like Ldap/Controller.php overrides a number of methods in Login/Controller.php, so am I correct in assuming the patch to plugins/Login/Controller.php is no longer needed?

[anonymous-matomo-user]

Is there any chance to get a version of the plugin working with the current 1.4 of piwik (out of the box)?

Thanks for any hints (or .tar.gz-archives ,-)!

[anonymous-matomo-user]

I am not able to download plugin. Can anyone help to download the plugin

[anonymous-matomo-user]

Hi everybody,

as we also didn't manage to get this plugin working we developed a new Piwik LDAP plugin based on this one.
We are using piwik 1.5.1 with this plugin and it's working fine.

Here's the Content of the README-file also included in the .zip file:

gigatec LDAP Connector

Installation Workflow: 
1) Download the plugin code and extract the files into the /plugins Folder
2) Login to Piwik backend as superuser
3) Navigate to Settings->Plugins
4) Disable the "Login" Plugin
5) Enable the "LoginLdap" Plugin
6) Customize your LDAP Settings via Settings->LDAP Users
DONE :)

HowTo Create a new User from LDAP in Piwik:
1) Login to Piwik backend as superuser
2) Navigate to Settings->LDAP Users
3) If the LDAP Settings are correct you are now able to look up users from your directory

Note: 
Everytime a user is trying to login to your Piwik, the password is first of all checked 
against your LDAP, if fails the plugin will check against the database. 

Note2: 
Users may be modified and deleted via Settings->Users

Have fun. 
your gigatec-Team

Any questions, wishes or suggestions are welcome!

[anonymous-matomo-user]

Attachment: working ldap plugin for piwik
LoginLdap-1.0.0.zip

[mattab]

gigatec, thank you for the nice plugin submission. When are users copied to the piwik user table? Any other special changes to the way users are handled / created / modified ?

[anonymous-matomo-user]

after clicking on the "Load User from LDAP" button the plugin is searching for the username in the directory.
If this search was successful the user is added to piwik user table.

Regards

[mattab]

Attachment: Piwik LDAP plugin screenshot
screen_piwik_ldap.png

[anonymous-matomo-user]

This plugin is not working for me in the latest (1.6) version. I have unzipped into the plugins folder but when I deactivate the exiting login plugin I get an error:
Authentication object cannot be found in the Registry. Maybe the Login plugin is not activated?
You can activate the plugin by adding:
Plugins[] = Login
under the [Plugins] section in your config/config.inc.php

So even when I directly amend the config file to use the LoginLdap plugin it still does not work.
Any ideas?
thanks,
jonny

[anonymous-matomo-user]

Error while trying to read a specific config file entry 'LoginLdap' in your configuration file config/global.ini.php

Is the error you get when you do activate LoginLdap.

[anonymous-matomo-user]

As charstring says I am also getting:

Error while trying to read a specific config file entry 'LoginLdap' in your configuration file config/global.ini.php This problem would usually appear after a Piwik upgrade. If so, please check that the file config/global.ini.php was overwritten with the equivalent file from the latest Piwik version.

When I manually change Plugins[= "Login" to Plugins = "LoginLdap" in the config.ini.php file.

[anonymous-matomo-user]

I am having the same problem as Jonny. If I try to deactivate the normal "Login" plugin then I can't change any settings in Piwik even though I'm the superuser

[anonymous-matomo-user]

Hi guys,

unfortunatly the initial setup is not working with piwik 1.6.
It works only with 1.5. after that you can upgrade to 1.6 without problems.

If you don't wont to install 1.5 and than upgrade to 1.6 you can configure piwik manually by putting this in your config.inc.php

[LoginLdap]
serverUrl = "ldap://localhost/"
baseDn = "dc=corp,dc=gigatec,dc=org"
userIdField = "uid"
mailField = "mail"
aliasField = "cn"
adminUser = "Administrator"
adminPass = "******"

We will fix the problem with our new release in january.

Cheers,
Stefan

[anonymous-matomo-user]

[LoginLdap] 
serverUrl = "ldap://localhost/"
baseDn = "dc=corp,dc=gigatec,dc=org" 
userIdField = "uid" 
mailField = "mail" 
aliasField = "cn" 
adminUser = "Administrator" 
adminPass = "******"

[anonymous-matomo-user]

Hi,

Version 1.0.0 is not working for me. There was no ldap_bind while searching for user and also while logging in, so I just got errors. After fixing this and logging in, authenticateLDAP() function was called more than 10 times per request with no/false password and my AD locked automatically my user account. So I added an if statent to check if we have username and password before we make any LDAP searches. After that everything seems to be working.
In the future I'd like to add filter parameters, that will be included in search, so I could query only example unlocked users and users that are members of specific group.

You can find my fixed Controller.php and Auth.php here: http://aivo.ee/piwik_ldap_plugin_fix_201202.zip

The fix itself (maybe not the best solution but working for me):

Controller.php - find line 147 "$search = ldap_search"
Add before:

$ldapadmin = Zend_Registry::get('config')->LoginLdap->adminUser;
$ldappass = Zend_Registry::get('config')->LoginLdap->adminPass;
ldap_bind($ldapconn, $ldapadmin, $ldappass);

Auth.php - find line 151 "$success = false;"
Add after:

if ($this->login!="anonymous" && strlen($this->password)>0) {

Find from the end of the file line containing:

error_reporting($error_reporting);

Before that, close the added "if" statement with curly bracket "}"

Auth.php - near line 161 find "$search = ldap_search"
Add before:

$ldapadmin = Zend_Registry::get('config')->LoginLdap->adminUser;
$ldappass = Zend_Registry::get('config')->LoginLdap->adminPass;
ldap_bind($ldapconn, $ldapadmin, $ldappass);

Regards, Aivo

[anonymous-matomo-user]

Attachment: gigatec LoginLdap 1.2.0
LoginLdap-1.2.0.zip

[anonymous-matomo-user]

Hi Aivo,

thanks for your contribution!

Meanwhile we also developed a new version of the Piwik LDAP Plugin with ActiveDirectory support. We just had not enough time to test and release it untill now. Version 1.0.0 was actually not compatible with ActiveDirectory untill your fix.

The new version (1.2.0) should be fully compatible with ActiveDirectory. We also restructed the code a little bit and added some more options to the settings menu.

I attached the new version to this ticket. Please let us know whether the new solution is working for you if you will integrate it in your Piwik.

Cheers,
Stefan

[anonymous-matomo-user]

@everybody:

With this new release (LoginLdap 1.20) the install problem for Piwik 1.6 and Piwik 1.7 is also fixed.

[mattab]

@gigatec thank you for the update, it is very appreciated! A lot of Piwik users actually use this plugin and will benefit from your update.

Do you know if there is any "feature request" pending? If so, would you mind listing here in a comment, the list of "Known limitations" and "feature requests" ? I would like to have an overview of the status of this plugin. Thanks!!

[anonymous-matomo-user]

After upgrading to Piwik 1.9 the following error message is displayed on the ldap page:

There is an error. Please report the message (Piwik 1.9) and full backtrace in the Piwik forums (please do a Search first as it might have been reported already!).

 Notice: Undefined index: usingOldGeoIPPlugin in /var/www/tmp/templates_c/%%38^383^383EA889%%header.tpl.php on line 108 

Backtrace -->

 #0 Piwik_ErrorHandler(...) called at [/var/www/tmp/templates_c/%%38^383^383EA889%%header.tpl.php:108]
 #1 include(...) called at [/var/www/libs/Smarty/Smarty.class.php:1869]
 #2 Smarty->_smarty_include(...) called at [/var/www/tmp/templates_c/%%9D^9D7^9D7A6FB8%%LoginLdap.tpl.php:8]
 #3 include(...) called at [/var/www/libs/Smarty/Smarty.class.php:1263]
 #4 Smarty->fetch(...) called at [/var/www/core/View.php:133]
 #5 Piwik_View->render(...) called at [/var/www/plugins/LoginLdap/Controller.php:95]
 #6 Piwik_LoginLdap_Controller->admin(...) called at [:]
 #7 call_user_func_array(...) called at [/var/www/core/FrontController.php:138]
 #8 Piwik_FrontController->dispatch(...) called at [/var/www/index.php:61]

[mattab]

(In [7300]) Refs #734 Fixing
Notice: Undefined index: usingOldGeoIPPlugin in

[anonymous-matomo-user]

Replying to matt:

(In [7300]) Refs #734 Fixing
Notice: Undefined index: usingOldGeoIPPlugin in

Thanks. This seems to fix this issue. The error message has disappeared.

[anonymous-matomo-user]

Replying to matt:

@ALL users, does the LDAP plugin work for API authentication? we had a report from a Piwik Mobile App user who said the Piwik Mobile app wasn't authenticating when using the LDAP plugin. Thanks for more insights.

---

Hi Matt,
it is true, the LDAP Login does not work inside the Piwik Mobile App. While login as Administrator works like a charm, ldap-user login produces an error message. It has ever been this way and we are testing piwik since the very beginning.

Some more info on that. I just updated Piwik to 1.9.1 (glad to see that this error on the ldap page has gone) and were using what seems to be the actual LDAP Plugin version 1.3.0 (http://code.google.com/p/piwik-ldap/downloads/list).

Piwik Mobile App (version 1.9.2) is running on an Samsung Galaxy S3. See Screenshot for error message... [http://postimage.org/image/lmgut0gw5/]

[tsteur]

Hi guys,

would be really cool to be able to login via API / AuthToken. Is it possible that you add this feature to the LDAP plugin? Otherwise Piwik Mobile users can't log in. This is going to be more important as Mobile will be the future :)

[anonymous-matomo-user]

Replying to jnk:

Replying to matt:

(In [7300]) Refs #734 Fixing
Notice: Undefined index: usingOldGeoIPPlugin in

Thanks. This seems to fix this issue. The error message has disappeared.

Hi
I just upgraded to Piwik 1.9.1 because the LoginLDAP plugin didn't work as described below. It seems to have fixed that issue, but when I login now I get another error.

---

There is an error. Please report the message (Piwik 1.9.1) and full backtrace in the Piwik forums (please do a Search first as it might have been reported already!).

Notice: Undefined index: enable_trusted_host_check in /www/www-live/other-sites/piwik/core/Url.php on line 465

Backtrace -->

#0 Piwik_ErrorHandler(...) called at [/www/www-live/other-sites/piwik/core/Url.php:465]
#1 Piwik_Url::isLocalUrl(...) called at [/www/www-live/other-sites/piwik/core/Nonce.php:74]
#2 Piwik_Nonce::verifyNonce(...) called at [/www/www-live/other-sites/piwik/plugins/Login/Controller.php:64]
#3 Piwik_Login_Controller->login(...) called at [/www/www-live/other-sites/piwik/plugins/Login/Controller.php:46]
#4 Piwik_Login_Controller->index(...) called at [:]
#5 call_user_func_array(...) called at [/www/www-live/other-sites/piwik/core/FrontController.php:138]
#6 Piwik_FrontController->dispatch(...) called at [/www/www-live/other-sites/piwik/index.php:53]

There is an error. Please report the message (Piwik 1.9.1) and full backtrace in the Piwik forums (please do a Search first as it might have been reported already!).

Notice: Undefined index: password in /www/www-live/other-sites/piwik/plugins/LoginLdap/LoginLdap.php on line 116

Backtrace -->

#0 Piwik_ErrorHandler(...) called at [/www/www-live/other-sites/piwik/plugins/LoginLdap/LoginLdap.php:116]
#1 Piwik_LoginLdap->initSession(...) called at [:]
#2 call_user_func_array(...) called at [/www/www-live/other-sites/piwik/libs/Event/Dispatcher.php:284]
#3 Event_Dispatcher->postNotification(...) called at [/www/www-live/other-sites/piwik/core/PluginsManager.php:722]
#4 Piwik_PostEvent(...) called at [/www/www-live/other-sites/piwik/plugins/Login/Controller.php:159]
#5 Piwik_Login_Controller->authenticateAndRedirect(...) called at [/www/www-live/other-sites/piwik/plugins/Login/Controller.php:71]
#6 Piwik_Login_Controller->login(...) called at [/www/www-live/other-sites/piwik/plugins/Login/Controller.php:46]
#7 Piwik_Login_Controller->index(...) called at [:]
#8 call_user_func_array(...) called at [/www/www-live/other-sites/piwik/core/FrontController.php:138]
#9 Piwik_FrontController->dispatch(...) called at [/www/www-live/other-sites/piwik/index.php:53]

---

[anonymous-matomo-user]

I disabled the LoginLdap plugin, and restarted the server, activated the LoginLdap plugin, then deactivated the Login plugin, and it worked fine now.....

[anonymous-matomo-user]

There's an encoding error when logging in:

There is an error. Please report the message (Piwik 1.9.2) and full backtrace in the Piwik forums (please do a Search first as it might have been reported already!).

Warning: json_encode() href='function.json-encode'>function.json-encode</a>: Invalid UTF-8 sequence in argument in [PATH]/htdocs/plugins/LoginLdap/GigatecLdap.php on line 44

when printing the $result object, I think it might stumble over either:
P����CtxCfgPresent���C

or:
����olN%D

(multiple occurrences of the latter)

LDAP is configured for a MS Active Directory (small business server 2003)

For now I have disabled the log-message and it seems to work.

[anonymous-matomo-user]

Hi;
I seem to be having a problem related to the LoginLdap plugin when used with the new Overlay feature. When viewing an Overlay I get the error message "Error: Authentication failed". When LoginLdap is disabled and the default Login plugin is used, it works fine. I have also tried granting read access to all reports to user "Anonymous", but I still get the same problem. All the other features in Piwik seem to work great. I have checked and there are no PHP errors or Apache errors that I can see.
Anybody have any ideas that can point me in the right direction, or is there a fix available?

Thanks
Sean

[anonymous-matomo-user]

Anyone have any ideas? This is pretty critical for us.

Replying to sean:

Hi;
I seem to be having a problem related to the LoginLdap plugin when used with the new Overlay feature. When viewing an Overlay I get the error message "Error: Authentication failed". When LoginLdap is disabled and the default Login plugin is used, it works fine. I have also tried granting read access to all reports to user "Anonymous", but I still get the same problem. All the other features in Piwik seem to work great. I have checked and there are no PHP errors or Apache errors that I can see.
Anybody have any ideas that can point me in the right direction, or is there a fix available?

Thanks
Sean

[mattab]

Please get in touch with: http://piwik.org/consulting/#contact-consultant if you need professional support.

[anonymous-matomo-user]

Hi Matt; and thanks. I don't think it will be necessary now. I was able to fix the error with the LdapLogin plugin.
I notice the overlay plugin was using Cookie Authentication - So I just added a few lines to the LdapLogin.php page - mirroring what is in the latest login.php file of the default Login plugin.

    Zend_Registry::set('auth', $auth);

$allowCookieAuthentication = $notification->getNotificationInfo();

    $action = Piwik::getAction();
    if (Piwik::getModule() === 'API'
        && (empty($action) || $action == 'index')
        && $allowCookieAuthentication !== true)
    {
        return;

I will upload the working file here so others may use it.
thanks
sean

[anonymous-matomo-user]

Attachment: Correction added so Page Overlay feature works
LoginLdap.php

[mattab]

Thanks for the follow up that's useful!

[anonymous-matomo-user]

+1 following

[anonymous-matomo-user]

LoginLdap-1.3.3 released @ http://code.google.com/p/piwik-ldap/

Fixed:

• Undefined index: phpVersion,
• Login fails because of non-UTF8 values passed to json_encode(),
• Setting a custom mail field has no effect.

[anonymous-matomo-user]

Hey! Is there any chance we will get this awesome plugin for piwik 2.0?
I really don't wanna bother you the day after the release, but I need to know this for an installation that I currently have to set up!
THx!

[anonymous-matomo-user]

This page is not monitored actively, so please use https://github.com/tehnotronic/PiwikLdap/issues in the future, if you have any issues.
We also had Google Code page, but Github is now our main site with latest info.
Also try the new and awesome LoginLdap for Piwik 2.x at the Marketplace!

[mattab]

Congratulations on making this plugin available on the marketplace so quickly.

LoginLdap on the marketplace

Wishing you to enjoy Piwik with LDAP, Happy new year 2014 to all!

[mattab]

The plugin LDAP has been moved to github and published on the marketplace. We have fixed some issues in Piwik core to make Ldap work fine. We will keep working with LoginLdap plugin developers to make it work well in the future. Keep up the good work, and enjoy Piwik 2.0 with Ldap!