Simple Docker/Apache/PHP Authentication with LDAP

Jim Vermillion
Published in IHME Tech
Jul 11, 2018

Be forewarned, this post won’t help you set up an LDAP Active Directory. But if one is already established for you, we can get it working in a Docker container.

Recently I wanted to see if I could move a deployment from a virtual machine to a Docker container. However, I needed to keep the exact same authentication that it had on its original host. It seems like a simple want, but I found understanding Apache’s documentation to be like trying to find the beginning of a new roll of Scotch tape with the lights off.

To demonstrate the anatomy of how this Apache/Docker configuration works, we’ll be walking through this repo, so feel free to follow along if you need to make more sense of the architecture.

0 Install Docker — It’s worth mentioning that Docker must be installed on your system. If it’s not, Docker’s getting started section provides clear installation instructions.

1 ./index.php — It is a very elaborate file, so don’t feel like you need to get it all down. This is really just a stub for whatever your project might be.

<?php
echo 'Well, hello LDAP authenticated user!';

2 ./Docker/Dockerfile — If you’re not familiar with a Dockerfile, it’s basically a set of instructions for Docker to build a container image. It starts by grabbing the php:7-apache image, then we customize it from there.

# ./Docker/Dockerfile

# Base image
FROM php:7-apache

# Enable Apache ldap auth module
RUN a2enmod authnz_ldap

# Add LDAP rules to apache's conf-enabled dir
# (we'll make this file step 3)
COPY Docker/ldap-demo.conf /etc/apache2/conf-enabled/

# Add debugging help if you need it (currently commented out)
# RUN echo "LogLevel debug" >> /etc/apache2/apache2.conf

# Convenient working directory
WORKDIR /var/www/html/demo

# Configure apache to use the ldap configuration defined above
COPY Docker/.htaccess ./.htaccess

# Copy the project files we need (index.php from step 1)
COPY index.php ./

If you’re not interested in the PHP part, you can try using the httpd:2.4 Apache image. Tweaks would be necessary, however, since a2enmod isn’t a part of the httpd:2.4 Apache image.

3 ./Docker/ldap-demo.conf — This is the LDAP configuration we’re adding. It specifies the LDAP bind DN, password, and URL (for more info on these, check out ldap.com). The PassEnv directives at the top let you keep the credentials out of your repository. If you are not committing/feel weirdly secure about committing your LDAP credentials, you can just hard-code them into place within the AuthnProviderAlias directive…but you should probably pass them in via environment variables when you run the image.

# ./Docker/ldap-demo.conf

PassEnv LDAP_BIND_ON
PassEnv LDAP_PASSWORD
PassEnv LDAP_URL
<AuthnProviderAlias ldap demo>
AuthLDAPBindDN ${LDAP_BIND_ON}
AuthLDAPBindPassword ${LDAP_PASSWORD}
AuthLDAPURL ${LDAP_URL}
</AuthnProviderAlias>

4 .htaccess — Utilize the LDAP configuration made in step 3 with an .htaccess file that is at your project’s root.

# ./.htaccess

AuthBasicProvider demo
AuthType Basic
AuthName "Protected Area"
Require valid-user

5 Build it! From a terminal that has cd’d into the project’s repo, you can type something like this. Feel free to change the name of the tag on the image.

docker build \
-t docker-ldap \
-f ./Docker/Dockerfile \
.

6 Run it! Have Docker run the image you’ve built, passing in your credentials as environment variables using the -e flag.

docker run \
-p 3000:80 \
--name ldap_demo \
-e LDAP_BIND_ON='"CN=example,OU=example,DC=example"' \
-e LDAP_PASSWORD='"my_ldap_password"' \
-e LDAP_URL='"my_ldap_url"' \
docker-ldap

7 Visit the demo page at your localhost:3000/demo. If everything went perfectly, you should find yourself having to enter basic user credentials to access the site. If there is any trouble, I recommend uncommenting this line in the ./Docker/Dockerfile.

# back inside ./Docker/Dockerfile uncomment this line
RUN echo "LogLevel debug" >> /etc/apache2/apache2.conf

Then repeat steps 5 and 6. The container’s logs should give some useful feedback on what may be going wrong.
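
A scripted version of the step 7 check, added here as an example and not part of the original repo: it confirms that the site refuses both a request without credentials and one with wrong credentials, so a setup that silently serves the page unauthenticated (for instance because the .htaccess is ignored) gets caught. The trailing-slash URL, the user name nosuchuser and the function names are assumptions; the port and realm come from steps 6 and 4.

```sh
#!/bin/sh
# Added example (not from the original repo): smoke test for the demo container.
# Port 3000 and the realm come from steps 6 and 4; the rest is assumed.

# Print the status code from the first line of a header dump on stdin.
http_status() {
    awk 'NR == 1 { print $2; exit }'
}

# Classify a header dump as written by `curl -s -D - -o /dev/null URL`.
# Returns 0: 401 with a Basic challenge for the expected realm
#         1: 2xx, the page was served without authentication (fail open)
#         2: 5xx, server-side error
#         3: anything else (wrong realm, redirect, no response)
classify_response() {
    realm=$1
    headers=$(tr -d '\r')
    status=$(printf '%s\n' "$headers" | http_status)
    case $status in
        401)
            printf '%s\n' "$headers" |
                grep -qi "^www-authenticate: *basic realm=\"$realm\"" && return 0
            return 3 ;;
        2??) return 1 ;;
        5??) return 2 ;;
        *)   return 3 ;;
    esac
}

# Live check: one request without credentials and one with deliberately wrong
# ones. Both must be refused with a 401 challenge. A 5xx on the second request
# usually means Apache could not complete the LDAP lookup (bind DN, password
# or URL); the container logs will say which.
check_demo() {
    url=${1:-http://localhost:3000/demo/}
    realm=${2:-Protected Area}
    curl -s -D - -o /dev/null "$url" | classify_response "$realm" ||
        { echo "FAIL: request without credentials, code $?"; return 1; }
    curl -s -D - -o /dev/null -u 'nosuchuser:wrong' "$url" |
        classify_response "$realm" ||
        { echo "FAIL: request with wrong credentials, code $?"; return 1; }
    echo "OK: $url demands Basic auth and rejects wrong credentials"
}
```

Source the file and run check_demo once the container from step 6 is up; it takes an optional URL and realm as arguments.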

Good luck! If you’re not used to it, Apache is not the easiest server platform to configure, but hopefully this gives you a good starting point for implementing LDAP in a Docker/Apache/PHP container.

Cheers!
