REMOTE_USER auth prevents SuperAdmin access

[grandpaslab]

With REMOTE_USER/Kerberos auth enabled there's no way to log in as the SuperAdmin account. You can't assign the SuperAdmin role to LDAP authenticated users, and there's no way to log in with non-LDAP accounts when REMOTE _USER auth is enabled. Clicking the logout button has no effect, since the web auth just re-authenticates you. I suppose if you were running your own LDAP server you could create an 'admin' user, but I'm in an enterprise Active Directory environment.

[AltamashShaikh]

@grandpaslab I am able to login with my super user credentials, can you share the log file matomo/tmp/logs/matomo.log ?

[grandpaslab]

I don't think the logs will help. The issue is that there's no way to get to a login prompt that will let me log in as 'admin'.

I'm using Apache's mod_auth_mellon module to do SAML auth through Okta. That means I have no access to the site until I've authenticated through Okta and REMOTE_USER is set. With REMOTE_USER set, I'm logged by LoginLdap in as whatever Okta account I'm using. Logging out does not get me to a Matomo login prompt--since REMOTE_USER is set, I'm automatically logged right back in again.

The obvious fix for this is to allow SuperAdmin to be assigned to LDAP-provisioned users.

[AltamashShaikh]

@grandpaslab What do you see when you visit this url {YOUR_MATOMO_URL}/index.php?module=LoginLdap ?
Allowing super admin access via Ldap is a new feature which needs to be evaluated first and we can decide that.
I am just thinking visiting the login page and trying to login with a super admin user who is not in your Ldap directory should work

[grandpaslab]

I do get the login prompt, but when I try to log in as admin, it actually logs me back in using my REMOTE_USER username.

[AltamashShaikh]

Same behaviour in a incognito mode?

[grandpaslab]

No:

[AltamashShaikh]

Incognito would solve the issue right?

[grandpaslab]

No. The above screenshot is what I get after trying to log in as admin in incognito. Incognito=no cookies.

[AltamashShaikh]

@grandpaslab Is it possible to enable this when you start incognito mode ?

[grandpaslab]

Doesn't help. LoginLdap still consumes REMOTE_USER, even if I enable cookies and try to log in as admin. So login appears to succeed, but I'm actually logged in as my own account, not admin.

[AltamashShaikh]

@grandpaslab Is the same username present in Ldap too ?
If yes you need to create a user which do not exist in your Ldap directory and check