Pantheon Community

Help needed: LDAP Debugging

Hi there! Alex here, one of Pantheon’s technical writers. I’ve been looking at this pull request to our documentation to update the LDAP integration debugging for WordPress and Drupal sites that use LDAP for authentication.

All docs updates go through both a technical and copy review. For the former, I would need a working LDAP authentication server to test against, which is not a simple thing to spin up. So I’m looking for help from anyone who’s using LDAP authentication on their Pantheon-hosted site.

Is this you? If so, please take a look at the PR, and give the troubleshooting code a spin. You can let me know here or in the PR thread how it works (or doesn’t) for you.

Thanks in advance!

I would avoid a real LDAP server and leverage a local, Docker-based setup so it’s easy to provision and tear down.

This example is well documented: https://github.com/osixia/docker-openldap

And it offers a sister project for a GUI to manage LDAP: https://github.com/osixia/docker-phpLDAPadmin

This should help you rapidly set up a test environment to do this. Should you need this to be publicly accessible for Pantheon, Linode or Digital Ocean instances may be a good low-cost choice to load the Docker images.

If this looks like something that would work for you, I’m happy to set this up for you to get this effort moving.

Thanks @nerdstein! I had seen the openldap container, but not the one for phpLDAPadmin. I’m currently configuring a basic LDAP config to test against, using this guide.

Great - let me know if you need any further support


Progress update:

  1. Configured a couple of groups (admin, user), and a user in the user group to connect as.
  2. Committed and exported the two docker containers to tar files.
  3. Currently copying them up to a Linode to run and connect to.

So I’m having trouble running the docker containers on the remote host in a way that I can access phpLDAPadmin from that host’s public IP address. @nerdstein any tips on how to bind a docker container (especially two that link) to a public port/IP?

@alex - I’m guessing it’s a port blocking issue. If you search around for “ufw” you will need to open up the specific ports of the UI, and likely the LDAP ports.

And, I think the docker binding happens with the “-p” flag, e.g. https://runnable.com/docker/binding-docker-ports

So there’s no firewall running on the host (fresh stock Debian 9), and I’m including the -p flag as -p 80:80.

Using --network=host I now get:

    Forbidden
    You don't have permission to access / on this server.

And I’m unable to attach to a shell session in the docker container to edit the configuration.
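The two-container setup @nerdstein describes, written out as a Compose file so the port bindings are explicit and no `--link` or `--network=host` is needed. This is an added example, not code from the thread, from the PR, or from the osixia projects; the image tags, the environment variable names and the sample domain are assumptions taken from the osixia READMEs and should be checked against the current ones.

```yaml
# docker-compose.yml (added example, not part of the original thread).
# Both services share the default Compose network, so phpLDAPadmin reaches the
# directory by its service name "openldap" without container linking.
# Image tags and variable names are assumptions based on the osixia READMEs.
version: "3.7"

services:
  openldap:
    image: osixia/openldap:1.5.0          # tag is an assumption; verify in the README
    environment:
      LDAP_ORGANISATION: "Example Org"
      LDAP_DOMAIN: "example.org"          # base DN becomes dc=example,dc=org
      LDAP_ADMIN_PASSWORD: "change-me"    # test-only credential; never reuse on a real directory
    ports:
      # "389:389" publishes on every host interface, which is what a remote
      # Pantheon site needs to reach the test directory. Anyone else on the
      # internet can reach it too, so restrict source IPs at the firewall.
      - "389:389"
      - "636:636"
    volumes:
      - ldap-data:/var/lib/ldap
      - ldap-config:/etc/ldap/slapd.d

  phpldapadmin:
    image: osixia/phpldapadmin:0.9.0      # tag is an assumption; verify in the README
    environment:
      PHPLDAPADMIN_LDAP_HOSTS: "openldap" # Compose service name, resolved on the shared network
      PHPLDAPADMIN_HTTPS: "false"         # serve plain HTTP on port 80 inside the container
    ports:
      # The admin UI is bound to loopback only; reach it over an SSH tunnel
      # (ssh -L 8080:127.0.0.1:8080 user@host) rather than exposing it publicly.
      - "127.0.0.1:8080:80"
    depends_on:
      - openldap

volumes:
  ldap-data:
  ldap-config:
```

Bring it up with `docker-compose up -d`, then confirm the directory answers before involving any site code, e.g. `ldapsearch -x -H ldap://HOST:389 -D "cn=admin,dc=example,dc=org" -w change-me -b "dc=example,dc=org"` from a remote machine, which exercises the same public port the Pantheon site will use. One caveat that matters for the ufw suggestion above: Docker publishes ports by inserting its own iptables rules ahead of the host's INPUT chain, so ufw rules alone will not block a published port; restrict the LDAP ports with Docker-aware firewall rules or at the cloud provider's firewall instead.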

So I ended up getting a working LDAP server without Docker, complete with a test user. The debug script in the PR still isn’t working for me, but at this point I’m not sure if it’s because there’s a problem with it, or because I’m missing a required server-side configuration.

Details on the PR.