LDAP 4.3.0 not working after Matomo upgrade

We are upgrading Matomo from 3.14.1 to 4.1.1 and upgrading LoginLDAP plugin from 4.0.7 to 4.3.0. When I do a user sync at the command line, every entry has the following warning.

UserSynchronizer.php(148): Notice - Undefined index: alias - Matomo 4.1.1

LDAP on Matomo 3.14.1 has these fields, which are missing from 4.1.1:
“User Alias Field”
“Last Name Field”

Our 4.0.7 deployment has two fields that are no longer present in the 4.3.0 LDAP configuration, which would explain why we are getting the above error. What is the best way to resolve this issue?

LDAP users are also not able to log in to Matomo at this time, although access prior to the upgrade was successful.

Hi,

All mentions of alias in the plugin should have been removed with:

which should be a part of 4.2.0 of the plugin.

Maybe check again if the plugin is really up-to-date.

Users still cannot log in via LDAP. I’ve tested the following scenarios and none allow a superuser or standard user who is configured in Active Directory to have access to this server.

I restored the database to pre-4.1.1 upgrade which was 3.14.1. The LoginLDAP was 4.0.8. I tested 3.14.1 with LoginLDAP 4.0.9 and logins still worked. As soon as I upgrade Matomo and the database to 4.0.#, users cannot log in with LDAP anymore.

The first test scenarios were as follows:
Matomo 4.0.0 upgrade with LoginLDAP 4.2.0. Received an error when trying to login “You are now accessing Matomo from https://*.domain.com/index.php but Matomo is configured to run at https://matomo-name.domain.com/index.php”. When I was connecting from Chrome and/or Safari, it was using the correct URL, so this error made no sense.

I continued to upgrade from 4.0.0 to 4.0.1 and incrementally to 4.0.5 when finally this error went away. I continued to upgrade from 4.0.5 to 4.1.0 and 4.1.1. I also updated the LoginLDAP plugin from 4.2.0 to 4.3.0. I lastly tried downgrading our PHP from 7.4 to 7.2. None of these tests worked.

I was able to get to the login screen, but only a locally created user could log in. No LDAP connections worked.

Also, when I checked the LDAP settings, the LoginLDAP plugin was active and showing the version 4.2.0. It also gave a warning, “NOTE: Since you updated from a pre-3.0.0 version, you should probably …” We did not upgrade from a pre-3.0.0 version. We were on 4.0.8 before going to Matomo 4.0.0 or higher.

Every time I logged into the Matomo container and ran "/usr/share/nginx/html/console loginldap:synchronize-users" it would sync the users. I even deleted a test user from the Matomo console and then re-ran the LDAP sync and it was recreated with the appropriate permissions. The “undefined index: alias” warning is still there even though I upgraded to 4.2.0 during this testing.

All tests in the Matomo console succeed when trying to test or sync LDAP. Users just cannot login. Says “Error: Wrong Username and password combination.” I did use Chrome incognito mode and Safari. Cleared the cache in both as well.

Not sure what else to test with this. Please let me know if you have any suggestions.

I enabled debug logging and captured some snippets below. The only thing tested was a normal user login and it failed. No password change attempts were made (or option given).

DEBUG LoginLdap[2021-02-16 21:34:37 UTC] [8836b] UserSynchronizer::makeConfigured(): Using UserAccessMapper when synchronizing users.
DEBUG LoginLdap[2021-02-16 21:34:37 UTC] [8836b] UserSynchronizer::makeConfigured: configuring with defaultSitesWithViewAccess =
DEBUG LoginLdap[2021-02-16 21:34:37 UTC] [8836b] Auth\Base::tryFallbackAuth: trying normal auth with token auth
DEBUG LoginLdap[2021-02-16 21:34:37 UTC] [8836b] Auth\Base::tryFallbackAuth: normal auth returned result code 1 for user ‘anonymous’
DEBUG LoginLdap[2021-02-16 21:34:37 UTC] [8836b] Auth\Base::tryFallbackAuth: trying normal auth with user password
DEBUG LoginLdap[2021-02-16 21:34:37 UTC] [8836b] Auth\Base::tryFallbackAuth: normal auth returned result code 0 for user ‘ad.username’
DEBUG LoginLdap[2021-02-16 21:34:37 UTC] [8836b] Model\LdapUsers: start authenticate() with [array]
DEBUG LoginLdap[2021-02-16 21:34:37 UTC] [8836b] Calling ldap_connect(‘ldaps://domain.com:#’, #)
DEBUG LoginLdap[2021-02-16 21:34:37 UTC] [8836b] ldap_connect result is [resource]
DEBUG LoginLdap[2021-02-16 21:34:37 UTC] [8836b] anonymous ldap_bind call finished; connection ok
INFO LoginLdap[2021-02-16 21:34:37 UTC] [8836b] LdapUsers::makeLdapClient: Using LDAP server ldaps://domain.com:#:#
DEBUG LoginLdap[2021-02-16 21:34:37 UTC] [8836b] Model\LdapUsers: start getUser() with [array]
DEBUG LoginLdap[2021-02-16 21:34:37 UTC] [8836b] Calling ldap_bind([resource], ‘CN=#####’, <password[length=##]>)
DEBUG LoginLdap[2021-02-16 21:34:37 UTC] [8836b] ldap_bind result is ‘1’
DEBUG LoginLdap[2021-02-16 21:34:37 UTC] [8836b] Calling ldap_search([resource], ‘dc=###’, ‘(&(objectClass=person)(memberOf=CN####)(samaccountname=ad.username))’)
DEBUG LoginLdap[2021-02-16 21:34:37 UTC] [8836b] ldap_search result is [resource]
DEBUG LoginLdap[2021-02-16 21:34:37 UTC] [8836b] Calling ldap_get_entries([resource], [resource])
DEBUG LoginLdap[2021-02-16 21:34:37 UTC] [8836b] ldap_get_entries result is not null
DEBUG LoginLdap[2021-02-16 21:34:37 UTC] [8836b] Model\LdapUsers: end getUser() with [array]
DEBUG LoginLdap[2021-02-16 21:34:37 UTC] [8836b] Calling ldap_bind([resource], ‘CN=####’, <password[length=##]>)
DEBUG LoginLdap[2021-02-16 21:34:37 UTC] [8836b] ldap_bind result is ‘1’
DEBUG LoginLdap[2021-02-16 21:34:37 UTC] [8836b] Calling ldap_close([resource])
DEBUG LoginLdap[2021-02-16 21:34:37 UTC] [8836b] ldap_close returned true
DEBUG LoginLdap[2021-02-16 21:34:37 UTC] [8836b] Model\LdapUsers: end authenticate() with [array]
DEBUG LoginLdap[2021-02-16 21:34:37 UTC] [8836b] UserSynchronizer::synchronizeLdapUser: synchronizing user [ piwik login = ad.username, ldap login = ad.username ]
WARNING LoginLdap[2021-02-16 21:34:37 UTC] [8836b] /usr/share/nginx/html/plugins/LoginLdap/LdapInterop/UserSynchronizer.php(148): Notice - Undefined index: alias - Matomo 4.1.1 - Please report this message in the Matomo forums: https://forum.matomo.org (please do a search first as it might have been reported already) #0/plugins/LoginLdap/LdapInterop/UserSynchronizer.php(148),#1/core/Access.php(673),#2/plugins/LoginLdap/LdapInterop/UserSynchronizer.php(155),#3/plugins/LoginLdap/Auth/Base.php(335),#4/plugins/LoginLdap/Auth/Base.php(362),#5/plugins/LoginLdap/Auth/LdapAuth.php(103),#6/core/Session/SessionInitializer.php(65),#7/core/Session/SessionInitializer.php(32),#8/plugins/Login/Controller.php(309),#9/plugins/Login/Controller.php(142)
ERROR UsersManager[2021-02-16 21:34:37 UTC] [8836b] Uncaught exception in API: /usr/share/nginx/html/plugins/LoginLdap/LoginLdap.php(194): Changing your password is not supported for LDAP users. As you use LDAP, your user settings are managed in LDAP directly. For more information, please contact your LDAP server administrator or your Matomo administrator.

Hi,

This is what line 148 of UserSynchronizer.php looks like in the 4.3.0 release of the plugin:

Please check if your file also looks like this and if not, replace the plugin with the latest version.

I checked the file and it did not match. I manually uninstalled and reinstalled the plugin and it worked correctly. Will continue to look at Dockerfile to see what is wrong with the installation of this plugin. Thank you for your help.

Tracy

1 Like
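
A check for the failure this thread ended on, where the plugin files on disk did not match the release that was supposed to be installed (an added example, not part of the original posts and not the plugin's own tooling). It assumes the plugin directory carries a plugin.json with a "version" field; the function name check_loginldap is hypothetical, and the directory and version are passed in by the caller.

```shell
#!/bin/sh
# check_loginldap DIR EXPECTED_VERSION   (hypothetical helper, added example)
# Returns 0 if the plugin on disk looks consistent,
#         1 if plugin.json is missing or reports another version,
#         2 if UserSynchronizer.php still references the 'alias' key.
check_loginldap() {
    dir=$1
    expected=$2
    manifest="$dir/plugin.json"
    sync_file="$dir/LdapInterop/UserSynchronizer.php"

    if [ ! -f "$manifest" ]; then
        echo "missing $manifest"
        return 1
    fi

    # Pull the "version" value out of plugin.json without needing jq.
    found=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
        "$manifest" | head -n 1)
    if [ "$found" != "$expected" ]; then
        echo "plugin.json reports '$found', expected '$expected'"
        return 1
    fi

    # Per the thread, every mention of alias was removed by plugin 4.2.0, so a
    # hit here means old PHP files survived underneath a newer plugin.json
    # (for example a cached or partially overwritten image layer).
    if [ -f "$sync_file" ] && grep -n -E "['\"]alias['\"]" "$sync_file"; then
        echo "stale code: $sync_file still reads the 'alias' index"
        return 2
    fi

    echo "LoginLdap $found looks consistent"
    return 0
}

# Stand-alone use, e.g. as a build step or container health check:
#   sh check_loginldap.sh /usr/share/nginx/html/plugins/LoginLdap 4.3.0
if [ "$#" -ge 2 ]; then
    check_loginldap "$1" "$2"
fi
```

Return code 2 is the case from this thread: the settings page and plugin.json can show a current version while the PHP file that raises the Notice is still the old one.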