• Resolved johnnnyb

    (@johnnnyb)


    Hello, strange things happening – plugin and website working with apache, but does not work with php-fpm/nginx. Does anyone have any suggestions or hints?

Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author heiglandreas

    (@heiglandreas)

    That is strange. In general the plugin doesn’t care whether php is used as apache module or via fpm. I myself have it running via FPM in some installations.

    could it be that the FPM installation is using either a different PHP installation without the LDAP extension or that the LDAP extension is configured differently for FPM?

    Thread Starter johnnnyb

    (@johnnnyb)

    Yeap. This is a strange “thing” to me too. PHP and libs (ldap) should be webserver agnostic. I was able to debug some traffic between the wordpress server and the LDAP server. Looks like apache with mod_php is able to use starttls, and php-fpm with nginx is not. I am thinking about trusted CAs or certificate CNs. php-fpm somehow does not use OS CAs or is unable to verify the cert and then starttls, while in the meantime apache does that perfectly fine.

    Plugin Author heiglandreas

    (@heiglandreas)

    If it’s a TLS issue, then nginx is the one that needs configuration as it is doing the TLS termination and delegates requests to the PHP backend as a proxy.

    When that is working properly we can figure out issues with PHP.

    I’d search my favourite websearch engine for something like “TLS nginx apache” to find how to configure nginx using the same certificates as apache. This might be the wrong forum for that ??

    Robert Ehrenleitner

    (@robertehrenleitnerplus)

    Be aware that with mod_php you are effectively using PHP-CLI, not PHP-FPM. These two also load different php.ini files. You may want Apache to use mod_proxy_fpm instead of mod_php. I expect that in this case, the website will stop working with Apache, too. But then, obviously an extension is missing. So, most likely, the two php.ini files differ in loading the LDAP extension.

    Also, beware that Apache loads additional configuration each time the website is loaded by parsing the file .htaccess. Nginx does not care about this file. The only alternative in Nginx is to put the relevant configuration into the virtual host configuration section.

    Thread Starter johnnnyb

    (@johnnnyb)

    Thanks for the response. The LDAP module (php) is enabled and working fine with php-fpm. The current issue is that the plugin does not work with nginx and php-fpm ONLY if the starttls option is enabled. If the option is disabled, ldap authentication with php-fpm works fine. But I’m not sure WHY mod_php is able to use OS CAs, or at least certificate verification is not done, and php-fpm doesn’t.

    Plugin Author heiglandreas

    (@heiglandreas)

    Ah! OK! Sorry. I misinterpreted your comment! So you configured STARTTLS within the plugins config and there it is not working!

    Is the LDAP-Server using a self-signed certificate? Or is that a cert from one of the well known CAs?

    Robert Ehrenleitner

    (@robertehrenleitnerplus)

    In your case, it is also pretty sure that the web server has absolutely nothing to do with it. Most likely, it is due to the different PHP environments you use. Note that they can be as different as even being different PHP versions, like PHP-CLI 7.4 and PHP-FPM 8.2 or whatever.

    Thread Starter johnnnyb

    (@johnnnyb)

    On the production server I have an older php – 7.4. But I tested and tried both – apache with mod_php, and nginx with php-fpm. They both use the same php binary; there is a slight possibility that somehow they use different php.ini files. But it shouldn’t. The cert is from a well-known CA. But you gave me an idea – I’ll try to check with a hostname, not the IP, maybe certificate validation is the problem. But I cannot understand how mod_php works – the plugin config url is the same for both – with the internal server IP. I think I need to disable the certificate check in the php-fpm case, but cannot think where to disable it, the plugin does not have that option.

    Plugin Author heiglandreas

    (@heiglandreas)

    You should not disable the certificate checks ??

    But your issue gives me an idea to extend the app so that you can easier use self-signed certificates.

    But to solve your issue: Is the problem existing on one server and not on a different one? Could it be that the list of root-CAs is different on the two machines? Or is that literally on the same server?

    If it’s on 2 different machines, check out https://serverfault.com/a/747884 and see whether there is perhaps a mismatch in the files on those two machines.

    Thread Starter johnnnyb

    (@johnnnyb)

    @heiglandreas very good idea to extend the app for self-signed certificates! In the meantime – I found a workaround – edited the /etc/hosts file for the internal IP to match the CN name in the certificate – looks like the plugin works perfectly fine now! Just have to check network traffic with tcpdump if the connection to the LDAP server is encrypted.

    About my setup for this website – production server is an older one – centos 7.9, with php 7.4.x and apache+mod_php and nginx+php-fpm (same prod server both using same php environment). I want to migrate website to new server (Rocky Linux 9.2) with php 8.x. I had one problem – AuthLDAP was not working with php-fpm. If I will be able to confirm that traffic is encrypted to ldap server, then problem solved!

    Thank you for a great plugin! Thank you everyone for comments and ideas.
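The thread above converges on two checks: whether the two PHP SAPIs load the same php.ini/CA configuration, and whether STARTTLS succeeds when the LDAP server is addressed by the name in its certificate rather than by IP. The following diagnostic script is an added example, not part of the AuthLDAP plugin or anything posted by the participants. It assumes a placeholder server name `ldap.example.internal` (replace with the DNS name matching the certificate CN/SAN) and an optional CA bundle path; it keeps certificate verification enabled and reports libldap's diagnostic message when STARTTLS fails, so the same file can be run under php-cli, mod_php and php-fpm and the results compared.

```php
<?php
// Added diagnostic example (not the AuthLDAP plugin's code). Run it under each
// SAPI that is in play (php-cli, Apache mod_php, nginx + php-fpm) and compare
// the output: a differing 'ini' or 'ca_file' line explains a differing result.
declare(strict_types=1);

// Placeholder: use the hostname that appears in the server certificate's
// CN or subjectAltName. Connecting by IP makes hostname verification fail.
const LDAP_URI = 'ldap://ldap.example.internal:389';

// Optional CA bundle (assumed path; leave null to rely on the OS default).
const CA_FILE = null; // e.g. '/etc/pki/tls/certs/ca-bundle.crt'

function ldapStartTlsCheck(string $uri, ?string $caFile = null): array
{
    $result = [
        'sapi'    => PHP_SAPI,
        'php'     => PHP_VERSION,
        'ini'     => php_ini_loaded_file() ?: '(none)',
        'ldap_ext'=> extension_loaded('ldap'),
        'ca_file' => $caFile ?? '(libldap default)',
    ];
    if (!$result['ldap_ext']) {
        $result['ok'] = false;
        $result['error'] = 'ldap extension not loaded in this SAPI';
        return $result;
    }

    // ldap_connect() only parses the URI; the socket is opened on first use,
    // so TLS options set on the handle here apply to ldap_start_tls() below.
    $ds = ldap_connect($uri);
    if ($ds === false) {
        $result['ok'] = false;
        $result['error'] = 'malformed LDAP URI';
        return $result;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Demand a valid, name-matching certificate instead of switching checks off.
    ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    if ($caFile !== null) {
        // Point libldap at an explicit trust store if the OS default differs.
        ldap_set_option($ds, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    }

    if (!@ldap_start_tls($ds)) {
        $diag = '';
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        $result['ok'] = false;
        $result['error'] = ldap_error($ds);
        // libldap typically names the exact cause here, e.g. an unknown CA
        // or a hostname that does not match the certificate.
        $result['diagnostic'] = $diag;
        return $result;
    }

    $result['ok'] = true;
    return $result;
}

// Plain-text output so it reads the same in a terminal and in a browser.
header('Content-Type: text/plain');
foreach (ldapStartTlsCheck(LDAP_URI, CA_FILE) as $key => $value) {
    printf("%-10s %s\n", $key . ':', var_export($value, true));
}
```

Run it once with `php ldap-tls-check.php` and once through the nginx/php-fpm vhost; if `ini` or `ca_file` differ between the two runs, that is the configuration drift Robert describes, and the `diagnostic` line tells you whether the remaining failure is an untrusted CA or a hostname mismatch (the /etc/hosts workaround above addresses only the latter). To confirm the encrypted leg without tcpdump, `openssl s_client -connect ldap.example.internal:389 -starttls ldap` (OpenSSL 1.1.1 or newer) shows the negotiated protocol and the server's certificate chain.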

  • The topic ‘Plugin does not work with php-fpm?’ is closed to new replies.