REMOTE_USER auth prevents SuperAdmin access #297
Comments
@grandpaslab I am able to log in with my super user credentials. Can you share the log file?
I don't think the logs will help. The issue is that there's no way to get to a login prompt that will let me log in as 'admin'. I'm using Apache's mod_auth_mellon module to do SAML auth through Okta. That means I have no access to the site until I've authenticated through Okta and REMOTE_USER is set. With REMOTE_USER set, I'm logged in by LoginLdap as whatever Okta account I'm using. Logging out does not get me to a Matomo login prompt--since REMOTE_USER is set, I'm automatically logged right back in again. The obvious fix for this is to allow SuperAdmin to be assigned to LDAP-provisioned users.
@grandpaslab What do you see when you visit this url
I do get the login prompt, but when I try to log in as admin, it actually logs me back in using my REMOTE_USER username.
Same behaviour in an incognito mode?
Incognito would solve the issue, right?
No. The above screenshot is what I get after trying to log in as admin in incognito. Incognito=no cookies.
@grandpaslab Is it possible to enable this when you start incognito mode?
Doesn't help. LoginLdap still consumes REMOTE_USER, even if I enable cookies and try to log in as admin. So login appears to succeed, but I'm actually logged in as my own account, not admin.
@grandpaslab Is the same username present in LDAP too?
With REMOTE_USER/Kerberos auth enabled there's no way to log in as the SuperAdmin account. You can't assign the SuperAdmin role to LDAP authenticated users, and there's no way to log in with non-LDAP accounts when REMOTE_USER auth is enabled. Clicking the logout button has no effect, since the web auth just re-authenticates you. I suppose if you were running your own LDAP server you could create an 'admin' user, but I'm in an enterprise Active Directory environment.