LDAP Web administration

The sync-endpoint default setup (available at GitHub) comes with a web based LDAP administration utility called phpLDAPAdmin. However, by default it is not exposed directly outside of the docker stack since it is not relevant in all installation scenarios.


Enabling web access to phpLDAPAdmin

In some scenarios it can be helpful to add remote web access to the user administration interface (phpLDAPAdmin) in order to facilitate user creation and similar tasks. This section guides you through enabling access to the web administration interface at the web address https://<your server>/pla

Warning: Remember to change the default password for phpLDAPAdmin before enabling public access. Preferably change it as part of the setup wizard, or change it manually in the file ldap.env (remember to restart the stack and clear caches after modifying it manually).

Note: While we consider PLA reasonably safe, exposing an extra public HTTPS endpoint always introduces security risk. Consider enabling the access only when it is needed and leaving it disabled the rest of the time (e.g. by commenting the lines out with # in sync-endpoint-locations.conf). Also make sure to stay up to date on relevant security updates, e.g. on CVE Details or the phpLDAPAdmin project site.


Customized files:

  • config/nginx/sync-endpoint-locations.conf: This file controls which locations Nginx serves. To add access to https://<your server>/pla, add a section like

    location ^~ /pla/ {
        proxy_pass https://phpldapadmin/;
    
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header Host $host:$server_port;
    
        proxy_redirect default;
    }   
    
  • docker-compose.yml: The phpldapadmin container needs access to the sync-network, and let's give it a hostname while we're at it (the added lines are marked with '<--- MODIFIED HERE'; the marker itself should not be included in the yml file):

    phpldapadmin:
        image: odk/phpldapadmin
        deploy:
            replicas: 1
        ports:
            - "${PHP_LDAPADMIN_PORT:-40000}:443"
        networks:
            - ldap-network
            - sync-network            <--- MODIFIED HERE
        hostname: phpldapadmin    <--- MODIFIED HERE
        env_file:
            - ldap.env
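
The note above recommends leaving the /pla/ location commented out except while it is needed. The following helper script is an added example, not part of the sync-endpoint project: it comments the `location ^~ /pla/` block of sync-endpoint-locations.conf in or out and reports its current state. It assumes the block is written exactly as in the snippet above (opening line `location ^~ /pla/ {`, closed by the first line consisting only of `}`), and the stack still has to be redeployed afterwards so Nginx picks up the change.

```shell
#!/bin/sh
# Added example (not project code): toggle the phpLDAPAdmin reverse-proxy
# location in Nginx so the /pla/ endpoint is only exposed while needed.
# Assumption: the block starts with "location ^~ /pla/ {" and ends at the
# first line that contains only "}" (no nested braces), as on this page.

# pla_toggle MODE FILE    MODE is "disable" (comment out) or "enable" (uncomment)
pla_toggle() {
    mode=$1
    conf=$2
    tmp="${conf}.tmp.$$"
    awk -v mode="$mode" '
        # Opening line of the block, whether or not it is already commented.
        /^[ \t]*#?[ \t]*location \^~ \/pla\// { inblock = 1 }
        # disable: prefix a "#" to every block line that is not commented yet.
        inblock && mode == "disable" && !/^[ \t]*#/ { $0 = "#" $0 }
        # enable: strip the first "#" from block lines that carry one.
        inblock && mode == "enable" && /^[ \t]*#/ { sub(/#/, "") }
        { print }
        # Closing brace (commented or not) ends the block.
        inblock && /^[ \t]*#?[ \t]*\}[ \t]*$/ { inblock = 0 }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# pla_status FILE    prints "enabled", "disabled" or "absent"
pla_status() {
    if grep -F 'location ^~ /pla/ {' "$1" | grep -qv '^[[:space:]]*#'; then
        echo enabled
    elif grep -qF 'location ^~ /pla/ {' "$1"; then
        echo disabled
    else
        echo absent
    fi
}

# Usage: sh pla_toggle.sh disable|enable|status config/nginx/sync-endpoint-locations.conf
case "${1-}" in
    disable|enable) pla_toggle "$1" "$2" ;;
    status)         pla_status "$2" ;;
esac
```

Running `status` after a redeploy is a quick way to confirm the endpoint really is switched off again when the administration task is done.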
    

Closing remarks

When all is said and done, a git status on the odk-x folder should reveal the following file changes

  • config/https.env: (updated by the Python setup wizard) updated domain and e-mail address (used to create the Let's Encrypt SSL certificates)

  • config/nginx/sync-endpoint-locations.conf: (see above)

  • docker-compose.yml: (see above)

  • ldap.env: This file contains the admin password for PLA (only modified if changing it was selected during the setup wizard)