plugin-LoginLdap
REMOTE_USER auth prevents SuperAdmin access
With REMOTE_USER/Kerberos auth enabled there's no way to log in as the SuperAdmin account. You can't assign the SuperAdmin role to LDAP-authenticated users, and there's no way to log in with non-LDAP accounts when REMOTE_USER auth is enabled. Clicking the logout button has no effect, since the web auth just re-authenticates you. I suppose if you were running your own LDAP server you could create an 'admin' user, but I'm in an enterprise Active Directory environment.
@grandpaslab I am able to login with my super user credentials, can you share the log file matomo/tmp/logs/matomo.log?
I don't think the logs will help. The issue is that there's no way to get to a login prompt that will let me log in as 'admin'.
I'm using Apache's mod_auth_mellon module to do SAML auth through Okta. That means I have no access to the site until I've authenticated through Okta and REMOTE_USER is set. With REMOTE_USER set, I'm logged in by LoginLdap as whatever Okta account I'm using. Logging out does not get me to a Matomo login prompt: since REMOTE_USER is set, I'm automatically logged right back in again.
The obvious fix for this is to allow SuperAdmin to be assigned to LDAP-provisioned users.
@grandpaslab What do you see when you visit this url {YOUR_MATOMO_URL}/index.php?module=LoginLdap?
Allowing super admin access via LDAP is a new feature which needs to be evaluated first and we can decide that.
I am just thinking visiting the login page and trying to login with a super admin user who is not in your LDAP directory should work
I do get the login prompt, but when I try to log in as admin, it actually logs me back in using my REMOTE_USER username.
Same behaviour in an incognito mode?
No:
Incognito would solve the issue right?
No. The above screenshot is what I get after trying to log in as admin in incognito. Incognito=no cookies.
@grandpaslab Is it possible to enable this when you start incognito mode ?
Doesn't help. LoginLdap still consumes REMOTE_USER, even if I enable cookies and try to log in as admin. So login appears to succeed, but I'm actually logged in as my own account, not admin.
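To make the precedence problem in this report concrete, here is an added toy model of the two authentication orders being discussed. It is not LoginLdap's or Matomo's code; the user names, the `LOCAL_USERS` credential store and both resolver functions are hypothetical. `resolve_identity_current` reproduces the reported behaviour (a populated REMOTE_USER is consumed before the form is considered, so a form login for a non-LDAP super user silently yields the REMOTE_USER identity instead), and `resolve_identity_intended` models the behaviour the maintainer describes, where an explicit form submission for a user not in LDAP is honoured and a bad form login fails outright rather than falling back to REMOTE_USER.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed directory data (hypothetical): one LDAP-provisioned user that the
# SAML/Kerberos layer would place in REMOTE_USER, and one local-only super user
# that exists nowhere in LDAP.
LDAP_USERS = {"okta.user"}
LOCAL_USERS = {"admin": "local-password"}  # constructed credential store


@dataclass
class Request:
    remote_user: Optional[str] = None   # set by mod_auth_mellon / Kerberos
    form_login: Optional[str] = None    # login name typed into the login form
    form_password: Optional[str] = None


def _local_login_ok(req: Request) -> bool:
    """Constant-time comparison is omitted here; this is a precedence model only."""
    return (req.form_login in LOCAL_USERS
            and LOCAL_USERS[req.form_login] == req.form_password)


def resolve_identity_current(req: Request) -> Optional[str]:
    """Reported behaviour: REMOTE_USER is checked first, so whenever the web
    server has already authenticated the browser, the form is never consulted.
    Logging out and logging back in as 'admin' therefore still returns the
    REMOTE_USER identity."""
    if req.remote_user and req.remote_user in LDAP_USERS:
        return req.remote_user
    if _local_login_ok(req):
        return req.form_login
    return None


def resolve_identity_intended(req: Request) -> Optional[str]:
    """Intended behaviour per the thread: an explicit form submission for a
    non-LDAP super user takes precedence over REMOTE_USER, and an invalid form
    login is a failed login, not a silent fallback to REMOTE_USER."""
    if req.form_login is not None:
        return req.form_login if _local_login_ok(req) else None
    if req.remote_user and req.remote_user in LDAP_USERS:
        return req.remote_user
    return None


if __name__ == "__main__":
    # Constructed request: browser already authenticated by Okta, user submits
    # the form as the local super user.
    req = Request(remote_user="okta.user", form_login="admin",
                  form_password="local-password")
    print("current :", resolve_identity_current(req))   # okta.user
    print("intended:", resolve_identity_intended(req))  # admin
```

The first resolver is the defect to detect in logs: a form POST for `admin` that is followed by a session for `okta.user` indicates REMOTE_USER won the race. The second shows the precedence a fix would need, and why a failed form login must not quietly degrade into the web-server identity.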
@grandpaslab Is the same username present in LDAP too? If yes you need to create a user which does not exist in your LDAP directory and check