Error "Could not find LDAP password for user" when logging into Matomo

d19dotca

Hello,

I've been having this error for quite a while honestly but I rarely login so haven't been too concered since it seems I can still login without issues, and it shows me all the data I'm allowed to view.

The error I see when logging into Matomo:

WARNING: UserMapper::getPiwikPasswordForLdapUser: Could not find LDAP password for user '<myUserAccount>', generating random one. (Module: LoginLdap, In CLI mode: false)

The closest thing I could find online (but didn't really offer a solution other than to open a bug defect) is this one: https://forum.matomo.org/t/ldap-warning-upon-first-time-login/18015 & https://github.com/matomo-org/plugin-LoginLdap/issues/204

In the second link, it seems that they propose setting synchronize_users_after_login = 0, but I'm confused why it seems nobody else is really encountering this issue within Cloudron, so it makes me wonder if it's more of a "me" issue or if it's really something we should change in the Cloudron package for Matomo to have that property as a default value.

d19dotca

Tried to set that value in the config.php.ini but it seems restarting the app immediately rewrites that file.

girish

Where do you see this? I am not seeing this in our instance atleast. Screenshot?

girish

Our LDAP is like this:

[LoginLdap]
servers[] = "cloudron"
ldap_user_id_field = "username"
ldap_last_name_field = "sn"
ldap_first_name_field = "givenName"
ldap_mail_field = "mail"
ldap_alias_field = "cn"
use_ldap_for_authentication = 1
new_user_default_sites_view_access = "all"
synchronize_users_after_login = 1

d19dotca

@girish Seems my config is the same (though oddly my "servers" field is at the bottom).

[LoginLdap]
ldap_user_id_field = "username"
ldap_last_name_field = "sn"
ldap_first_name_field = "givenName"
ldap_mail_field = "mail"
ldap_alias_field = "cn"
use_ldap_for_authentication = 1
new_user_default_sites_view_access = "all"
synchronize_users_after_login = "1"
servers[] = "cloudron"

Here's the screenshot I see every time I login:

girish

@d19dotca strange, I can't reproduce this on a new install either. I guess we need to wait for https://github.com/matomo-org/plugin-LoginLdap/issues/204 to be resolved or something . Cloudron LDAP server does not expose LDAP password for security reasons as well.

d19dotca

@girish If I understand that GitHub issue correctly though it seems one suggestion was to switch synchronize_users_after_login to a value of 0, however that isn't working for me because every time I restart Matomo it seems to override any config I put in there. Is this intended behaviour or do you think it should be changed? Essentially this limit in the package seems to prevent me from even testing that proposed solution from the GitHub issue.

girish

@d19dotca Maybe you can put the app into Repair mode. Then, you can edit /app/pkg/start.sh (the line where it sets that config variable to 0) and then start the app by running /app/pkg/start.sh .

d19dotca

@girish Ah okay, interesting, I can try that.

One latest attempt (haven't tried the repair mode yet though) as it was recommended upstream to change "warning" to "debug" on one of their lines of code in a particular file, but doesn't seem to save my changes from that either after restarting the app. I'm confused though because I thought items in /app/data were usually safe from overrides?

There will be a file called UserMapper.php in /path/to/your/matomo/plugins/plugins/LoginLdap/LdapInterop/UserMapper.php
You need to search for word warning which will look something like this $this->logger->warning just replace the warning word with debug

girish

@d19dotca I think LDAP plugin is overwritten on restart (this plugin is maintained by the package itself, so you don't have to update LDAP plugin manually). Are you restarting the app? If so, do not restart the app.

d19dotca

@girish Yeah I was restarting the app after making the changes, makes sense why that isn't saving then if the package itself is overwriting the LDAP-related config section and plugin.

girish

@d19dotca Did that work out? Would be good to get this sorted out upstream.

I am going to give this another shot now to see why new instances don't hit this code path.

girish

I have to say I debugged this a lot but can never get that error message to show! I enabled all sorts of syncing in the configs, but that error message never shows.

d19dotca

@girish thanks for trying so hard on this, Girish! It’s definitely an odd issue but thankfully doesn’t seem to have an impact beyond the nagging window when logging in each time. I can ignore it for now but I also haven’t had a chance to test with that repair mode so I may try that soon too.

d19dotca

Seems the latest release fixed the issue, I presume because they modified the plugin code for the LDAP access to Matomo. Can mark this as Solved I think.