Allows users in LDAP to log in to Piwik Analytics. Supports web server authentication (eg, for Kerberos SSO).

LoginLdap authenticates with an LDAP server and uses LDAP information to personalize Piwik.

Installation

To start using LoginLdap, follow these steps:

  1. Log in as a superuser
  2. On the Manage > Marketplace admin page, install the LoginLdap plugin
  3. On the Manage > Plugins admin page, enable the LoginLdap plugin
  4. Navigate to the Settings > LDAP page
  5. Enter and save settings for your LDAP servers

    Note: You can test your servers by entering something into the 'Required User Group' and clicking the test link that appears. An error message will display if LoginLdap cannot connect to the LDAP server.

  6. You can now log in with LDAP credentials.

Note: LDAP users are not synchronized with Piwik until they are first logged in. This means you cannot access a token auth for an LDAP user until the user is synchronized. If you use the default LoginLdap configuration, you can synchronize all of your LDAP users at once using the ./console loginldap:synchronize-users command.

Troubleshooting

To troubleshoot any connectivity issues, read our troubleshooting guide.

Upgrading from 2.2.7

Version 3.0.0 is a major rewrite of the plugin, so if you are upgrading from 2.2.7 you will have to do some extra work when upgrading:

  • Navigate to the Settings > LDAP admin page. If the configuration options look broken, make sure to clear your browser cache. You can do this by reloading the page, or through your browser's settings.

  • The admin user for servers must now be a full DN. In the LDAP settings page, change the admin name to be the full DN (ie, cn=...,dc=...).

  • Uncheck the Use LDAP for authentication checkbox

    Version 2.2.7 and below used an authentication strategy where user passwords were stored both in Piwik and in LDAP. In order to keep your current users' token auths from changing, that same strategy has to be used.

Configurations

LoginLdap supports three different LDAP authentication strategies:

  • using LDAP for authentication only
  • using LDAP for synchronization only
  • logging in with Kerberos SSO (or something similar)

Each strategy has advantages and disadvantages. What you should use depends on your needs.

Using LDAP for authentication only

This strategy is more secure than the one below, but it requires connecting to the LDAP server on each login attempt.

With this strategy, every time a user logs in, LoginLdap will connect to LDAP to authenticate. On successful login, the user can be synchronised, but the user's password is never stored in Piwik's DB, just in the LDAP server. Additionally, the token auth is generated using a hash of a hash of the password, or is generated randomly.

This means that if the Piwik DB is ever compromised, your LDAP users' passwords will still be safe.

Note: With this auth strategy, non-LDAP users are still allowed to log in to Piwik. These users must be created through Piwik, not in LDAP.

Steps to enable

Note: this is the default configuration.

  1. Check the Use LDAP for authentication option and uncheck the Use Web Server Auth (e.g. Kerberos SSO) option.

Using LDAP for synchronization only

This strategy involves storing the user's passwords in the Piwik DB using Piwik's hashing. As a result, it is not as secure as the above method. If your Piwik DB is compromised, your LDAP users' passwords will be in greater danger of being cracked.

But, this strategy opens up the possibility of not communicating with LDAP servers at all during authentication, which may provide a better user experience.

Note: With this auth strategy, non-LDAP users can log in to Piwik.

Steps to enable

  1. Uncheck the Use LDAP for authentication option and uncheck the Use Web Server Auth (e.g. Kerberos SSO) option.
  2. If you don't want to connect to LDAP while logging in, uncheck the Synchronize Users After Successful Login option.

    a. If you uncheck this option, make sure your users are synchronized in some other way (eg, by using the loginldap:synchronize-users command). Piwik still needs information about your LDAP users in order to let them authenticate.

Logging in with Kerberos SSO (or something similar)

This strategy delegates authentication to the web server. You set up a system where the web server authenticates the user and sets the $_SERVER['REMOTE_USER'] server variable, and LoginLdap will assume the user is already authenticated.

This strategy will still connect to an LDAP server in order to synchronize user information, unless configured not to.

Note: With this auth strategy, any user that appears as a REMOTE_USER can log in, even if they are not in LDAP.

Steps to enable

  1. Check the Use Web Server Auth (e.g. Kerberos SSO) option.
  2. If you don't want to connect to LDAP while logging in, uncheck the Synchronize Users After Successful Login option.

    a. If you uncheck this option, make sure your users are synchronized in some other way (eg, by using the loginldap:synchronize-users command). Piwik still needs information about your LDAP users in order to let them authenticate.
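The three strategies above, modelled end to end as an added example (Python rather than the plugin's PHP, and not LoginLdap's own code): the directory, the hashing and the setting names are constructed stand-ins for the Settings > LDAP checkboxes. It shows which strategy contacts LDAP at login, what each one leaves in the Piwik DB, and that under web server auth a REMOTE_USER missing from LDAP still gets in.

```python
import hashlib
import secrets

# Constructed sample directory, not taken from any real Piwik or LDAP deployment.
LDAP_DIRECTORY = {"alice": "alice-ldap-pw"}  # login -> password the LDAP server would accept on bind

def piwik_hash(password):
    """Stand-in for Piwik's own password hashing (assumption: the real scheme differs, the property is the same)."""
    return hashlib.sha256(b"piwik:" + password.encode()).hexdigest()

def token_auth_from_password(login, password):
    """Strategy 1 token auth: a hash of a hash of the password, so no password hash itself is stored."""
    return hashlib.sha256((login + ":" + piwik_hash(password)).encode()).hexdigest()

def ldap_bind(login, password):
    """Model of an LDAP bind: succeeds only if the directory accepts the credentials."""
    return LDAP_DIRECTORY.get(login) == password

def attempt_login(settings, piwik_db, login=None, password=None, remote_user=None):
    """Model one login attempt. settings keys mirror the Settings > LDAP checkboxes.
    Returns (success, ldap_contacted); piwik_db is updated in place as synchronization would do."""
    if settings["use_web_server_auth"]:
        # Strategy 3: the web server already authenticated; REMOTE_USER is trusted as given
        if not remote_user:
            return False, False
        if settings["synchronize_users_after_login"]:
            piwik_db.setdefault(remote_user, {"token_auth": secrets.token_hex(16)})
            return True, True  # synced via LDAP, yet a REMOTE_USER missing from LDAP still gets in
        return remote_user in piwik_db, False  # must have been synced some other way
    if settings["use_ldap_for_authentication"]:
        # Strategy 1: bind against LDAP on every login; only a token auth reaches the Piwik DB
        if login not in LDAP_DIRECTORY:  # non-LDAP user created through Piwik: Piwik's own check
            rec = piwik_db.get(login)
            return rec is not None and rec.get("password_hash") == piwik_hash(password), True
        if not ldap_bind(login, password):
            return False, True
        piwik_db.setdefault(login, {"token_auth": token_auth_from_password(login, password)})
        return True, True
    # Strategy 2: Piwik verifies its own stored hash; LDAP is contacted only to synchronize
    ldap_contacted = settings["synchronize_users_after_login"]
    if ldap_contacted and ldap_bind(login, password):
        piwik_db[login] = {"password_hash": piwik_hash(password), "token_auth": secrets.token_hex(16)}
    rec = piwik_db.get(login)
    return rec is not None and rec.get("password_hash") == piwik_hash(password), ldap_contacted

def db_holds_password_hashes(piwik_db):
    """What a copy of the Piwik DB would give an attacker: True if any record carries a password hash."""
    return any("password_hash" in rec for rec in piwik_db.values())
```

Run `attempt_login` with the same user under strategy 1 and strategy 2 and compare `db_holds_password_hashes` on the two resulting stores: only the synchronization-only strategy leaves a password hash behind.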
