Troubleshooting
This document provides a general process for troubleshooting LDAP connectivity issues that may be experienced with the LoginLdap plugin.
Problems can occur due to LDAP server configuration, PHP configuration, plugin configuration, or an unknown bug in the plugin. Each section below deals with determining whether one of these is the actual cause.
Try the following steps:
- Try prefixing the LDAP URL with `ldaps://` and try again.
- Check that the LDAP credentials in Matomo's backend are admin LDAP credentials.
- Also check that the LDAP search filter is correct, e.g. `(objectClass=person)`.
- Check for an LDAP connection issue by issuing an `ldapsearch` command with the credentials you have configured for your LDAP server.
To check if there's a problem with the LDAP server, simply attempt to connect, bind and query the server outside of Piwik, using the settings used for LoginLdap.
For example, on Linux you can issue an `ldapsearch` command like the following (the filter is quoted so the shell does not interpret the parentheses):

```sh
ldapsearch -H <ldap_uri> -b <basedn> -D <admin_bind> -w <admin_pwd> -z 3 '(objectClass=person)'
```
Replace:
- ldap_uri with the LDAP URI you plan to use for LoginLdap.
- basedn with the value for the Base DN setting you are using for LoginLdap.
- admin_bind with the value for the LDAP Bind Username setting you are using for LoginLdap.
- admin_pwd with the value for the LDAP Password setting you are using for LoginLdap.
Make sure to run the command on the same server your Piwik instance is installed on.
If it works, move on to the next test. Otherwise, there is a problem with your LDAP settings, LDAP server configuration or your LDAP client configuration.
JXplorer may be useful to troubleshoot your LDAP server configuration.
JXplorer is a cross platform LDAP browser and editor. It is a standards compliant general purpose LDAP client that can be used to search, read and edit any standard LDAP directory, or any directory service with an LDAP or DSML interface.
To check if there's a problem with your PHP configuration, you can run the following script as a test.
```php
<?php
// Replace the four placeholder values below with the settings used for LoginLdap.
$ldapUri   = '<ldap_uri>';
$baseDn    = '<basedn>';
$adminBind = '<admin_bind>';
$adminPwd  = '<admin_pwd>';

// ldap_connect() only validates the URI; the network connection is made on bind.
$connection = ldap_connect($ldapUri);
if (empty($connection)) {
    echo "ERROR: Failed to connect to '$ldapUri'.\n";
    exit(1);
}
ldap_set_option($connection, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($connection, LDAP_OPT_REFERRALS, 0);

// Bind with the admin credentials; ldap_error() gives the server's reason on failure.
$bindResult = @ldap_bind($connection, $adminBind, $adminPwd);
if (!$bindResult) {
    echo "ERROR: Failed to bind as '$adminBind': " . ldap_error($connection) . "\n";
    exit(1);
}

// Run the same search LoginLdap would run under the Base DN.
$result = @ldap_search($connection, $baseDn, '(objectClass=person)');
if (empty($result)) {
    echo "ERROR: ldap_search failed: " . ldap_error($connection) . "\n";
    exit(1);
}
$count = ldap_count_entries($connection, $result);
echo "Query count: $count\n";
ldap_unbind($connection);
?>
```
Replace:
- ldap_uri with the LDAP URI you plan to use for LoginLdap.
- basedn with the value for the Base DN setting you are using for LoginLdap.
- admin_bind with the value for the LDAP Bind Username setting you are using for LoginLdap.
- admin_pwd with the value for the LDAP Password setting you are using for LoginLdap.
Make sure to run this test both through php-cli and through a web request. This requires loading the php-ldap extension in both php-cli's and php-fpm's php.ini.
If it works, move on to the next step. Otherwise, there is a problem with your LDAP settings or PHP configuration.
To check if there's a problem with your plugin configuration, run the following command from the root of your Piwik directory:

```sh
php ./console loginldap:synchronize-users --login=<login> -vvv
```
Replace:
- login with the user ID of a non-admin user that should normally be able to log in.
This command will attempt to synchronize a user from LDAP while displaying debug logging output. If there's a problem, you'll see the error message plus extra debug logs which will help you diagnose it.
Possible errors you might experience with this test include:
- Unable to synchronise due to an existing non-LDAP user. This means someone created a normal Piwik user with the same name as the login you supplied to `--login`. Or it means that you switched Always use LDAP authentication from unchecked to checked, but had already logged in with or synchronized some users before the switch. Users synchronized before the switch look like normal Piwik users, and so will not be overwritten.
- User not found. This occurs when the LDAP query used to find a user in LDAP fails to find them. Look through the debug output to find the query that was used and make sure it is correct for your LDAP server. The most common cause of this error is an incorrect value in the User ID Field setting.
- User synchronization errors. These can occur for a variety of reasons, but usually point to an error in the plugin settings. The individual error messages and debug logs should tell you what you need to change.
- Cannot bind as LDAP admin. If you still get this message during the test in the plugin configuration, check the admin credentials given in Matomo's backend and also check the LDAP search filter (e.g. `(objectClass=person)`).
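The "User not found" and "Cannot bind as LDAP admin" cases above both come down to the lookup the plugin performs: bind as the admin, then search under the Base DN for a single entry whose User ID Field attribute equals the login. The script below is an added diagnostic, not code from the LoginLdap plugin or from this page, that reproduces that lookup outside Matomo and reports whether zero, one or several entries matched. The attribute name `uid`, the `(objectClass=person)` search filter, the `<...>` placeholders and the exact shape of the combined filter are assumptions you replace with your own settings; the login value is passed through `ldap_escape()` so a login containing filter metacharacters is matched literally rather than altering the query.

```php
<?php
// Added diagnostic (not part of the LoginLdap plugin). Replace the placeholders
// with the same values you entered in the plugin settings.
$ldapUri      = '<ldap_uri>';
$baseDn       = '<basedn>';
$adminBind    = '<admin_bind>';
$adminPwd     = '<admin_pwd>';
$userIdField  = 'uid';                   // assumed value of the "User ID Field" setting
$searchFilter = '(objectClass=person)';  // assumed value of the LDAP search filter setting
$login        = '<login>';               // the user ID that fails to synchronize

/**
 * Build the lookup filter from the configured search filter and user ID field.
 * LDAP_ESCAPE_FILTER escapes '*', '(', ')', '\' and NUL in the login so the value
 * is compared literally instead of being parsed as filter syntax.
 * Assumed shape: (&<search filter>(<user id field>=<login>)).
 */
function buildUserFilter($searchFilter, $userIdField, $login)
{
    return sprintf('(&%s(%s=%s))', $searchFilter, $userIdField,
                   ldap_escape($login, '', LDAP_ESCAPE_FILTER));
}

$connection = ldap_connect($ldapUri);
if (empty($connection)) {
    echo "ERROR: Failed to connect to '$ldapUri'.\n";
    exit(1);
}
ldap_set_option($connection, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($connection, LDAP_OPT_REFERRALS, 0);

// Step 1: the admin bind. A failure here is the "Cannot bind as LDAP admin" case.
if (!@ldap_bind($connection, $adminBind, $adminPwd)) {
    echo "ERROR: Cannot bind as LDAP admin '$adminBind': " . ldap_error($connection) . "\n";
    exit(1);
}

// Step 2: the user lookup. A size limit of 2 is enough to tell "exactly one
// match" from "ambiguous" without pulling the whole directory.
$filter = buildUserFilter($searchFilter, $userIdField, $login);
echo "Searching '$baseDn' with filter: $filter\n";
$result = @ldap_search($connection, $baseDn, $filter, [$userIdField], 0, 2);
if ($result === false) {
    echo "ERROR: ldap_search failed: " . ldap_error($connection) . "\n";
    exit(1);
}

$count = ldap_count_entries($connection, $result);
if ($count === 0) {
    // This is the "User not found" case: check the User ID Field and Base DN settings.
    echo "User not found: no entry under '$baseDn' has $userIdField=$login.\n";
    exit(2);
}
if ($count > 1) {
    echo "Ambiguous: $count entries matched; the User ID Field must identify exactly one entry.\n";
    exit(3);
}

$entry = ldap_first_entry($connection, $result);
echo "Found user DN: " . ldap_get_dn($connection, $entry) . "\n";
ldap_unbind($connection);
?>
```

Run it with the same PHP binary Matomo uses (both php-cli and the web SAPI need the php-ldap extension). If this script prints a DN but the console command still reports "User not found", compare the filter printed here with the query shown in the `-vvv` debug output, since the plugin's actual query may differ from the assumed shape above.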
If this test passes, the plugin should be working. You should be able to log in via the UI without any trouble.
If all of the above tests pass, but you still cannot log in with an LDAP user, it's possible that there is a bug in the plugin, or that it's being used in an unanticipated way. In either case, please create a new issue in the issue tracker: https://github.com/piwik/plugin-LoginLdap/issues