LoginLDAP with SSL (PEM config)

Hello community,

I’m new to this community and this product, but a long time sysadmin.

I have trouble setting LDAPS with our LoginLDAP plugin on our Matomo instance.

What has been tested:

  • LDAP authentication on RODC in non-SSL setting is working perfectly (port 389).
  • The RODC server is listening on port 636.
  • Firewall port 636 is opened on RODC.

What I don’t know how to do, and what I think is necessary to make it work:

  • Configure CACERT.PEM library file to include internal root CA certificate.
  • Add a Computer certificate to the Matomo config so the system will use it to authenticate with the RODC.

I’m pretty sure this is what is missing. I’ve searched extensively, but did not find a defined procedure to help me configure it correctly. We need to use LDAPS since our policies severely condemn non-secure LDAP connections.

I’ve attached the log line that states the failure in the process. I can provide any more info as necessary. Thank you SOOOO much in advance for any help you might be able to provide.

WARNING LoginLdap[2020-01-13 17:41:23 UTC] [78c74] D:\wwwroot\Matomo\plugins\LoginLdap\Ldap\Client.php(146): Warning - ldap_bind(): Unable to bind to server: Can't contact LDAP server - Matomo 3.13.0 - Please report this message in the Matomo forums: https://forum.matomo.org (please do a search first as it might have been reported already) [internal function]: Piwik\ErrorHandler::errorHandler(),#1\plugins\LoginLdap\Ldap\Client.php(146),#2\plugins\LoginLdap\Model\LdapUsers.php(591),#3\plugins\LoginLdap\Model\LdapUsers.php(276),#4\plugins\LoginLdap\Model\LdapUsers.php(506),#5\plugins\LoginLdap\Model\LdapUsers.php(279),#6\plugins\LoginLdap\API.php(98),[internal function]: Piwik\Plugins\LoginLdap\API->getCountOfUsersMemberOf(),#8\core\API\Proxy.php(237),#9\core\Context.php(28)

Hi @echampagne_bst,

Did you ever resolve this issue? I’m having a very similar problem and would love to know if you found a solution.

Thanks!

Hi @busbyk

After literally weeks of support and opening a call with Microsoft, I found out the issue was the RODC that was not able to use port 636 effectively.

Our RODC had some specifications.

  1. It was a Windows 2016 Server Datacenter CORE
  2. It was located in a DMZ separated from internal DCs
  3. Only some specific ports were authorized via the firewall

What happened is that when the RODC was promoted, it did not get correctly enrolled for LDAPS communication because the Dynamic RPC ports needed for autoenrollment were blocked in our firewall. After a LOT of work sessions, we found the solutions. Here are a couple of Microsoft Technet articles about this.

https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

https://docs.microsoft.com/en-us/archive/blogs/xdot509/troubleshooting-autoenrollment

https://docs.microsoft.com/en-us/archive/blogs/askds/how-to-troubleshoot-certificate-enrollment-in-the-mmc-certificate-snap-in

https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx

Good luck in troubleshooting this issue. There is a good chance that the issue is not on the Matomo side!

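A small diagnostic in the spirit of that answer, added here as an example and not part of the thread or of the LoginLdap plugin: it connects to the LDAPS port the way the plugin’s ldap_bind would and tells a refused connection (firewall, wrong host) apart from a DC that accepts TCP on 636 but cannot complete the TLS handshake, which is what a DC without a usable LDAPS certificate does and what PHP reports only as "Can't contact LDAP server". The host, port and the local stand-in listener are constructed for the demonstration.

```python
import socket
import ssl
import threading


def probe_ldaps(host, port, cafile=None, timeout=5):
    """Connect to host:port and attempt a TLS handshake as an LDAPS client.
    Returns (status, detail):
      'connect_error' - nothing answered on the port (firewall, wrong host)
      'tls_error'     - TCP connected but no TLS session came up; on an AD DC
                        this is the symptom of a missing LDAPS certificate
      'ok'            - TLS established; detail is the peer certificate subject
    cafile is a PEM bundle with the internal root CA; with cafile=None the
    chain is NOT validated (diagnostic use only)."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        return "connect_error", str(e)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "ok", tls.getpeercert().get("subject", ())
    except OSError as e:  # ssl.SSLError is a subclass of OSError
        return "tls_error", str(e)


def start_listener_without_tls():
    """Constructed stand-in for a DC that listens on 636 but holds no server
    certificate: it accepts the TCP connection, reads the ClientHello and
    drops the connection without answering. Returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(1024)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """Pick a local port that nothing listens on (simulates a blocked port)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port
```

For the real check, run `probe_ldaps("rodc.example.internal", 636, cafile="cacert.pem")` from the Matomo host with the PEM bundle that holds your root CA; an `ok` result with a subject naming the DC means the PHP side is at least reachable over TLS.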

Thanks so much for the detailed response! I really appreciate it.

This is helpful as I continue to troubleshoot.