when using LDAP authentication, tracking api fails to verify token_auth #8509
Comments
This reminds me of #7202 that we should not fall back to wrong data but instead not track at all in case the token_auth was not considered valid, this way such errors are detected earlier. Did you modify your token? If not, please change your password so a new token will be generated. I think we should first figure out whether really the bulk API is the problem or the importer. How did you execute the bulk request? I tried the following and it worked:
Are you using any custom plugins?
The token was not modified, and it doesn't work with any superuser tokens. Apart from the default plugins, only the vanilla LdapLogin (v1.3.4) plugin was installed. When trying to reproduce the error, please assure to pass the Please use something like this to reproduce the error:
(Note: This is an extract of the request which I captured from the
For reference, this is the original request sent from log-importer-py to PIWIK (URL was obfuscated):
I just mentioned to change the password and to generate a new token as anyone could otherwise log into your Piwik with this token.
I did and it works. I presume it is related to LoginLdap maybe. @diosmosis do you have LoginLdap setup? If so do you mind having a quick look and trying to do a bulk request with
I don't have loginldap setup (also currently eating), but LoginLdap should be at 3.0+ so 1.3.4 is very old. Assuming everyone's talking about the same plugin though, 1.3.4 should not actually work with the latest piwik.
The posted token is a fake, so no problem there. In my tests I replaced this with the real token, of course. The cause of the problem is obviously the LoginLdap plugin! So, either there is a bug in the LoginLdap plugin, not honoring the locally stored auth tokens, or it is a misconfiguration.
Can you try to update the plugin?
Sorry, that was a typo.
ok, so it sounds like a bug. Thx!
@1stone can you post your LoginLdap configuration (a screenshot of the settings page will do)?
@1stone Thanks, I will try to reproduce and fix the issue over the weekend. Can you tell me if the token auths you tried to track with belonged to LDAP users or users only in the Piwik DB?
The token auths I tried belonged to local as well as LDAP users (all with superuser_access=1). |
Refs matomo-org/matomo#8509, Only throw when LdapAuth::setPasswordHash() is called w/ non-null value. (fixes tracker authentication when LdapAuth strategy is used)
@1stone I believe I fixed the issue in the LoginLdap plugin. I will release a new version after looking at some other issues, in the meantime the fix for your specific problem is here: matomo-org/plugin-LoginLdap@360671c
I applied the suggested changes and can confirm that it fixes the problem. Thanks for your support!
Fixed in version 3.1.5 of LoginLdap.
Since one of the last upgrades (I guess it started with the first 2.14 release) I noticed that the log-importer has failed to import any provided Apache logs.
After some tedious debugging, I believe I've tracked it down to a problem in the tracking api, which is not accepting the presented token_auth and thus does not honor the cip and cdt attributes in the request. As a consequence of that, logs are handled with visitor_ip = local_ip, whereas the latter is contained in the exclusion list.
But back to the actual problem:
With tracking debug enabled, a request of
results in this response
The presented token_auth value is definitely a valid token from a user with superuser_access=1. Testing it with other qualified tokens resulted in the same problem.
This is with Piwik 2.14.3. Please advise.