
Anonymous binding to the ldap server when LoginLdap tries to synchronize users with ldap. #213

Open
Kaochkidu opened this issue Oct 1, 2020 · 7 comments

Comments

@Kaochkidu

Hello,

When synchronizing users with the LDAP server using the command loginldap:synchronize-users, the LoginLdap plugin binds to the server with an anonymous connection.
The plugin cannot bind because we refuse anonymous connections to the LDAP server, and this causes warnings.
These warnings cause an error when the plugin manages to synchronize users to LDAP.

WARNING [2020-09-30 16:24:56] 105  /var/www/html/plugins/LoginLdap/Ldap/Client.php(91): Warning - ldap_bind(): Unable to bind to server: Inappropriate authentication - Matomo 3.13.5 - Please report this message in the Matomo forums: https://forum.matomo.org (please do a search first as it might have been reported already)
INFO [2020-09-30 16:24:56] 105  LdapUsers::makeLdapClient: Using LDAP server ldaps://ldap.XXXXXX.com:636
Synchronizing 'demo.demo'...  WARNING [2020-09-30 16:24:56] 105  /var/www/html/plugins/LoginLdap/Ldap/Client.php(91): Warning - ldap_bind(): Unable to bind to server: Inappropriate authentication - Matomo 3.13.5 - Please report this message in the Matomo forums: https://forum.matomo.org (please do a search first as it might have been reported already)
INFO [2020-09-30 16:24:56] 105  LdapUsers::makeLdapClient: Using LDAP server ldaps://ldap.XXXXXX.com:636
success!

Synchronized 1 users!

Error: error or warning logs detected, exit 1

Could you modify the behaviour of the LoginLdap plugin so that it binds to the LDAP server with a non-anonymous connection, please?

Regards

@idandr

idandr commented Jul 8, 2021

Same here. It would be great to have a config option to switch anonymous bind off and use bind with credentials instead.

@doits

doits commented Feb 7, 2023

I guess I have the same problem:

/var/www/piwik/plugins/LoginLdap/Ldap/Client.php(96): Warning - ldap_bind(): Unable to bind to server: Inappropriate authentication - Matomo 4.13.3 - Please report this message in the Matomo forums: https://forum.matomo.org (please do a search first as it might have been reported already)
INFO [2023-02-07 16:40:07] 1290162 LdapUsers::makeLdapClient: Using LDAP server ldaps://XXX:636

/var/www/piwik/console core:update spits out this for every user, I guess; it takes a long time to finish ...

@snake14
Contributor

snake14 commented Feb 7, 2023

Hi @doits. I just tested the plugin and see what you're talking about. I'm not sure why that warning is displaying. However, it is just a warning. When I ran the LDAP plugin with my debugger running, I could see the warning, but I also saw that the LDAP client was successfully created and that the users were correctly synced. So, the plugin appears to be working correctly, but that warning displays. Any other thoughts @AltamashShaikh ?

@doits

doits commented Feb 7, 2023

It works for me, too (clients can authenticate etc.) but displays this warning at the top after every login, too.

LDAP server logs this first:

BIND dn="" method=128
RESULT tag=97 err=48 qtime=0.000013 etime=0.000055 text=anonymous bind disallowed

... and then the second bind is done correctly right afterwards with the provided credentials:

BIND dn="uid=XXX" method=128
BIND dn="uid=XXX" mech=SIMPLE bind_ssf=0 ssf=256
RESULT tag=97 err=0 qtime=0.000015 etime=0.000150 text=

The culprit is the first anonymous bind, if I see it correctly.

@AltamashShaikh
Contributor

AltamashShaikh commented Feb 8, 2023

@doits The plugin tries to bind anonymously first, which fails; maybe we shouldn't show it as a warning if it's an obvious case.
I'll see if we can do anything better here. I currently don't have time to look into it immediately but will keep a note of it.

@pboguslawski

Same log flooding here. It seems the redundant anonymous binding was introduced in

#34
47ac583

because

ldap_connect will not always try to connect to the server, so execute a bind to test the connection

but according to the PHP manual ldap_connect does not open an LDAP connection, and the anonymous binding looks like a (probably) unnecessary hack, because every LDAP request should be prepared to handle exceptions (i.e. the connection may die just before binding with the correct user data, after this anon hack).

Please verify and remove this hack if unnecessary (including b021706) and make sure all LDAP operations are prepared to handle LDAP exceptions.
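
To illustrate the approach described in the comment above, here is an added PHP example (not the LoginLdap plugin's own code, and not from any commenter): it connects and binds once, with service credentials, and treats a failed ldap_bind() as the connection test instead of issuing an anonymous probe bind first. The URI, bind DN and the LDAP_BIND_PASSWORD environment variable are placeholders; the function name connectAndBind is an assumption for this example.

```php
<?php
// Added example (not LoginLdap code): bind with credentials directly and
// surface any connection failure from ldap_bind(), so no anonymous bind is
// ever sent and no "Inappropriate authentication" warning is logged.
declare(strict_types=1);

/**
 * Returns a bound LDAP connection (resource on PHP < 8.1, \LDAP\Connection
 * on PHP >= 8.1) or throws with the server's diagnostic message.
 * Callers must catch the RuntimeException: the connection can also die
 * later, between the bind and the first search, so every LDAP call still
 * needs its own error handling.
 */
function connectAndBind(string $uri, string $bindDn, string $bindPassword)
{
    if ($bindDn === '' || $bindPassword === '') {
        // Never fall back to an anonymous bind (empty DN) or an
        // "unauthenticated" simple bind (DN with empty password).
        throw new \InvalidArgumentException('Bind DN and password are required');
    }

    // ldap_connect() only validates the URI and creates a handle; per the
    // PHP manual it does not open a network connection yet.
    $conn = @ldap_connect($uri);
    if ($conn === false) {
        throw new \RuntimeException("Invalid LDAP URI: $uri");
    }

    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5); // seconds

    // The first and only bind carries credentials. The PHP warning is
    // suppressed and replaced by an exception that includes ldap_error(),
    // which is the diagnostic the server actually returned.
    if (@ldap_bind($conn, $bindDn, $bindPassword) === false) {
        $errno = ldap_errno($conn);
        $error = ldap_error($conn);
        ldap_unbind($conn);
        throw new \RuntimeException("LDAP bind as $bindDn failed ($errno): $error");
    }

    return $conn;
}

// Usage with placeholder values (constructed for this example).
try {
    $conn = connectAndBind(
        'ldaps://ldap.example.com:636',
        'cn=matomo-sync,ou=services,dc=example,dc=com',
        getenv('LDAP_BIND_PASSWORD') ?: ''
    );
    // ... ldap_search($conn, ...) for the user synchronisation goes here ...
    ldap_unbind($conn);
} catch (\RuntimeException $e) {
    // One error-level log line with the server diagnostic; no anonymous retry.
    error_log($e->getMessage());
}
```

With this shape, a server that rejects anonymous binds never sees a dn="" BIND request, so the slapd log shows only the credentialed bind, and a genuinely unreachable server is reported once, from the credentialed bind, rather than twice.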

@AltamashShaikh
Contributor

@pboguslawski Will check if we can remove this logging 👍
