
I have a PHP web app that is built in a Docker Container, which runs on an Apache Webserver.

Everything works correctly when I deploy my Docker image on the webserver.

But now I added a LDAP check inside my Docker image using this module:

RUN a2enmod authnz_ldap

So what should happen is: when you start the web app, it prompts you with a login popup and then checks the credentials against LDAP; if authorized, you proceed to the web app.

If I run the Docker image locally (with PowerShell, docker run -p 80:80), everything works correctly: I enter my credentials and I'm granted access, and the Docker logs also show everything working without errors.

But when I deploy the same image to our webserver, as soon as you run it, the POD (we use phive to manage the images and push them online) goes offline because of an error, and from the logs I see this:

2019-06-18T12:26:19.482431730Z [Tue Jun 18 12:26:19.482096 2019] [authz_core:debug] [pid 19] mod_authz_core.c(809): [client 10.103.12.254:41962] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
2019-06-18T12:26:19.482532132Z 10.103.12.254 - - [18/Jun/2019:12:26:19 +0000] "GET / HTTP/1.1" 401 670 "-" "Go 1.1 package http"
2019-06-18T12:26:19.513800826Z [Tue Jun 18 12:26:19.513436 2019] [core:info] [pid 1] AH00096: removed PID file /var/run/apache2/apache2.pid (pid=1)
2019-06-18T12:26:19.513850727Z [Tue Jun 18 12:26:19.513481 2019] [mpm_prefork:notice] [pid 1] AH00169: caught SIGTERM, shutting down

This happens right after we publish the image, and I have no clue why, because when built locally it works perfectly!

What could this be? The server we are deploying to is the same where our LDAP is (all internal networks), so it's not that the LDAP address cannot be reached from here.

AJ-
  • The target webserver may not be configured as the local one, check that Apache is actually built with mod_authz_core & mod_authnz_ldap (or can load it dynamically) - https://stackoverflow.com/questions/5259820/compiling-apache-web-server-with-dynamic-module-support – EricLavault Jun 28 '19 at 10:06
  • @EricLavault thank you for the answer! I'm pretty new to all this, could you help me out with more details? How can I check the difference on how is configured the Webserver and the Local one? For now, in the Dockerfile I added the line from first post (run a2enmod authnz_ldap) and passed the settings for my LDAP, and this works on local, should I also add "run a2enmod ldap" ? I'm not sure what this line is for, but in the ldap documentation for apache I read it a couple of times! – AJ- Jun 28 '19 at 11:09
  • I'm not an expert in Docker, but as I understand `RUN a2enmod authnz_ldap`, Apache should be in the Docker container (in this case forget my previous comment and keep reading). Now if the issue is related to the `` directive, it may be due to discrepancies (host/network) between the 2 machines running the image. authnz_ldap authorization and access control are based on hostname, IP address or characteristics of the request. You need to check that at least 1 `Require` directive in the `` block matches a sample request, regardless of the host machine that actually runs the app. – EricLavault Jun 28 '19 at 12:01
  • @EricLavault ok, I'll check that in a sec. Meanwhile, the logs from the local version and the web server one are identical at start, but as soon as I log in with LDAP, on local it works, and on the web server it crashes and shows those messages in the log. Do you have any idea if they mean something? Especially the second and third one, "GET / HTTP/1.1" 401 670 "-" "Go 1.1 package http" and removed PID file /var/run/apache2/apache2.pid (pid=1)? Meanwhile I'll check your answer to see if it helps me solve this! Thank you – AJ- Jun 28 '19 at 12:21
  • @EricLavault I have only 1 Require directive, which is Require valid-user! From the localhost log, I get that same error once (the denied), but this log is from when the app is launched. When I put my credentials in the login popup, on the webserver it crashes with the error mentioned before, but on local I get: AH01691: auth_ldap authenticate: using URL ldap://xx:389/DC=yyy-lan,DC=local?sAMAccountName, AH01697: auth_ldap authenticate: accepting AJ989, AH01626: authorization result of Require valid-user : granted, AH01626: authorization result of : granted – AJ- Jun 28 '19 at 12:27
  • Hello, do you know why? I have the same error as you: the images crash when I move to ECS – Bình Bùi Nov 17 '21 at 09:28
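
An added example, not from the question or its comments: an Apache 2.4 site config that keeps the LDAP-backed `Require valid-user` on the application but leaves one path unauthenticated. It assumes the `GET /` that returned 401 to the `Go 1.1 package http` client right before the SIGTERM is the orchestrator's liveness probe (an inference from the log lines, not something the page confirms) and that the probe can be pointed at `/healthz`; all hostnames, DNs, the service-account name and the `/healthz` path are placeholders.

```apache
# Constructed example. Assumes mod_authnz_ldap and its dependency mod_ldap are
# enabled (on Debian-based images `a2enmod authnz_ldap` pulls in `ldap`).
# Put TLS in front of this vhost: Basic auth sends the user's password
# base64-encoded on every request.
<VirtualHost *:80>
    DocumentRoot /var/www/html

    # Whole application: HTTP Basic credentials checked against LDAP.
    <Location "/">
        AuthType Basic
        AuthName "Internal application"
        AuthBasicProvider ldap
        # Placeholder URL. Use ldaps:// (or STARTTLS) rather than ldap://:389
        # so the bind password and user passwords do not cross the network
        # in clear text.
        AuthLDAPURL "ldaps://ldap.example.internal:636/DC=example,DC=local?sAMAccountName?sub?(objectClass=user)"
        # Bind with a read-only, low-privilege service account, never an admin.
        AuthLDAPBindDN "CN=svc-apache,OU=Service Accounts,DC=example,DC=local"
        # Read from the container environment at startup; keep it out of the image.
        AuthLDAPBindPassword "${LDAP_BIND_PASSWORD}"
        Require valid-user
    </Location>

    # Health-check endpoint: no LDAP lookup and no credentials required, so a
    # probe like the Go http client in the logs gets 200 instead of 401.
    # <Location> sections merge in config order, so this MUST come after "/"
    # to override its AuthType and Require. Serve a static file here with no
    # application logic behind it.
    <Location "/healthz">
        AuthType None
        Require all granted
    </Location>
</VirtualHost>
```

Point the orchestrator's liveness/readiness probe at `/healthz` rather than `/`; a probe that targets a path behind `Require valid-user` will always see 401 and restart the container.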

0 Answers