LoginLdap with SSL


(Josh) #1

Hi,

I’m having issues with the ldap plugin connecting over SSL. It works fine on the default port 389, I can sync users and login. But when I move to ldaps://server.domain.com port 636, I get “Could not bind as ldap admin” on the web ui. And when I run the ./console loginldap:synchronize-users -vvv it says “Can’t contact LDAP server”.

I have many other webservers that can bind with ldaps to this domain controller. I am able to bind with ldapsearch over SSL. But can’t seem to figure out why Matomo isn’t working.

Any pointers or help debugging would be greatly appreciated.

Thanks

EDIT:
Looking at it again, I went back and checked that this works
ldapsearch -H 'ldaps://server.com:636' -b '<base dn>' -s sub -D user@server.com -W '(objectclass=Person)'

So that tells me the ldap.conf is correctly pointed to my .pem.

Back in Matomo, I configure the server for ldaps and port 636 and it still says unable to bind ldap admin, HOWEVER when I run the synchronize-users it succeeds. I still cannot login with ldap credentials to the webui.

Synchronizing 'testing'... DEBUG [2019-02-04 23:10:02] 11510 Model\LdapUsers: start getUser() with [array]
DEBUG [2019-02-04 23:10:02] 11510 Calling ldap_connect('ldaps://server.com', 636)
DEBUG [2019-02-04 23:10:02] 11510 ldap_connect result is [resource]
DEBUG [2019-02-04 23:10:02] 11510 anonymous ldap_bind call finished; connection ok
INFO [2019-02-04 23:10:02] 11510 LdapUsers::makeLdapClient: Using LDAP server ldaps://server.com:636
DEBUG [2019-02-04 23:10:02] 11510 Calling ldap_bind([resource], 'cn=testing,cn=users,dc=server,dc=com', <password[length=14]>)
DEBUG [2019-02-04 23:10:02] 11510 ldap_bind result is '1'
DEBUG [2019-02-04 23:10:02] 11510 Calling ldap_search([resource], 'cn=users,dc=server,dc=com', '(&(objectclass=person)(memberOf=cn=matomo_group,cn=users,dc=server,dc=com)(samaccountname=testing))')
DEBUG [2019-02-04 23:10:02] 11510 ldap_search result is [resource]
DEBUG [2019-02-04 23:10:02] 11510 Calling ldap_get_entries([resource], [resource])
DEBUG [2019-02-04 23:10:02] 11510 ldap_get_entries result is not null
DEBUG [2019-02-04 23:10:02] 11510 Calling ldap_close([resource])
DEBUG [2019-02-04 23:10:02] 11510 ldap_close returned true
DEBUG [2019-02-04 23:10:02] 11510 Model\LdapUsers: end getUser() with [array]
DEBUG [2019-02-04 23:10:02] 11510 UserSynchronizer::synchronizeLdapUser: synchronizing user [ piwik login = testing, ldap login = testing ]
success!

Synchronized 2 users!


(Josh) #2

Finally resolved by adding “TLS_REQCERT never” to my ldap.conf. This disables checking the FQDN of the server matches the cert.
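As an added example (not code from this thread or from the LoginLdap plugin), the same ldaps:// bind done from PHP with server certificate verification kept on, pointing libldap at the CA that issued the domain controller's certificate instead of turning the check off; the CA file path, server name and bind DN are placeholders, and the equivalent ldap.conf settings are noted in the comments:

```php
<?php
// Added example, not Matomo/LoginLdap code. Binds to an ldaps:// server while
// still verifying the server certificate. Placeholders: server name, CA file
// path and bind DN; the password is read from an environment variable.

$uri    = 'ldaps://server.com';           // placeholder server name from the thread
$port   = 636;
$caFile = '/etc/ssl/certs/my-ad-ca.pem';  // placeholder: CA that signed the DC cert
$bindDn = 'cn=testing,cn=users,dc=server,dc=com';
$bindPw = getenv('LDAP_BIND_PW') ?: '';

// For ldaps:// URIs the TLS options must be in place before ldap_connect(),
// so set them globally (null connection = global option, PHP >= 7.1).
// This is the in-code equivalent of these ldap.conf lines:
//   TLS_CACERT  /etc/ssl/certs/my-ad-ca.pem
//   TLS_REQCERT demand
// "demand" keeps the chain and hostname check that "never" switches off.
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

$conn = ldap_connect($uri, $port);
if ($conn === false) {
    fwrite(STDERR, "ldap_connect failed: malformed URI\n");
    exit(1);
}
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

if (!@ldap_bind($conn, $bindDn, $bindPw)) {
    // A "Can't contact LDAP server" here, as in the thread, is usually the
    // TLS handshake failing; the diagnostic message gives libldap's reason
    // (unknown issuer, name mismatch, ...), which ldap_error() alone hides.
    $diag = '';
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    fwrite(STDERR, 'bind failed: ' . ldap_error($conn) . " ($diag)\n");
    exit(1);
}

echo "bound OK with a verified server certificate\n";
ldap_unbind($conn);
```

If the bind fails with a name mismatch, the fix is a certificate whose subject or SAN matches the name in the URI (or connecting by that name), which is what the TLS_REQCERT setting is checking.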