| Repos | \nlldap/lldap | \n
|---|---|
| Views | \n![\"views\"](\"https://views.whatilearened.today/views/github/lldap/lldap.svg\") | \n
| Stars | \n![\"stars\"](\"https://img.shields.io/github/stars/lldap/lldap?color=f2f08d&logo=Undertale&logoColor=eb4630\") | \n
| Forks | \n![\"forks\"](\"https://img.shields.io/github/forks/lldap/lldap?color=ba86eb&logo=Handshake&logoColor=ea6aa6\") | \n
| License | \n![\"license\"](\"https://img.shields.io/github/license/lldap/lldap?logo=data%3Aimage%2Fpng%3Bbase64%2CiVBORw0KGgoAAAANSUhEUgAAADAAAAAwCAYAAABXAvmHAAAACXBIWXMAAAsTAAALEwEAmpwYAAAD3klEQVR4nO3YSUzUUBgH8JroWVrUGJfEm7sXNcSDFxMTL2pi4sHEgxeNRowXgpEWBDURR%2BNANOKOK66ooKJGBXeEGRcWAcEVFGQRHFwQmH5%2F0wHaeWHI9DUDU5L5knehdOb7zfe%2B19cnCJGIRCQiEYlQB7YJIyGL8aosulVZ6iRFQjiGKkudWg5aLlpOppNXnfPqw5U0DYRJmVxjCgFF3BLuZGmAoVUiKEArmX7D7USgsQporgGa3gHfK4H6cuBbCVD3Gqh1A5%2BLgE%2BFwIenQM0joDofqLoHVNwBym8CpTnAm2zQq0sgdxbIdQZUlAkqPAZ6dgj05ADoYRoofy%2FoXiro7k5QXjLopgzKiQNlLDaqoIguEwBjzqP5PfDjE9DyIXyI63FMTwQFMCVrqwNav4QfoRg58QF%2BfrMHQrEK8DToCMqNAyWNHfxmTRoLOrmSRVgGtDfqCEqZOHQrzo4pbCUsA3416Qi6EQ9KGjcEFRgHOrOKnU6WAb9bGETYekKxCvjTag9E4pje54Dk5QP8bbMHYv%2FC3ueAeJkP0OGxB%2BJpBnArYR8EYQQnoN1ANFaBnPP5l8SrseYQL06Adk0FJY8HOWaBMleAHjh0hPosIzlo8v0A%2F34ZiOeHra0qKRPMVSI7tv%2B92tw%2FvhxUeBRq4VELgM7fBqK5GpRmoQLXNpubTu6zoNRpgT8nPQbq84wd%2FICuvyxiKHqiNAfI3wM6uIhBqGkLiiwAOsKDqOht7Itr9Vy8SjRBEWfyAbr%2FhR1BfpVQFdHJB%2FB2hh7x7j6QpwCVeeYQ2krUB5Clcj6A2m0gWj%2BD0mL49zW5cQyCHLN7rjlmmatEyXX%2FCrTzA%2FoQxZkWl9GJTCVo%2ByTj87%2B4giPKcv0qIHo4AV4D0VZrrQI34pnpRM65xue%2FzAreE4%2FT%2FSoglfEByMsiQtATlL3RAJ5YHrSx6ZDfS70s7uMHhBpR%2FYB5s0PW6oERp1b6%2FfrRhK3SDL5Tie6OQUHQlQ3sVDu%2BzPck9vWE9str%2B6IjS9gHmWPahaDJ%2BwCK6NIBBXsHB9HykXsxwDphlCmAdvplabUJNnZPB94%2FNt6xOe8XzEbP2WhM3WAg1Gub6tH%2B3Q1Pg376R9q4uqlno6gdHGjDOQ90eb01AHM6rYiuUJ1Oq4r4FVuj5vR9BzM9WgNvOywDhiIYQFvgbcfwAfwMvHcaPgBPA%2FDyHGjPbN9A8amebcdwAdD5Nf375txqewNUReoyvwBIXYLdQpWlhwFWqtPaCPD3AsFuASV6qqqIlb0JvkVC1FL9WkLUUlUWK3zXZLFC%2B1%2FBroFto6OsXIuEYJP4DzzW2YFV1oJaAAAAAElFTkSuQmCC\") | \n
| UpdatedAt | \n![\"last-commit\"](\"https://img.shields.io/github/last-commit/lldap/lldap?display_timestamp=committer&logo=data%3Aimage%2Fpng%3Bbase64%2CiVBORw0KGgoAAAANSUhEUgAAAB4AAAAeCAYAAAA7MK6iAAAACXBIWXMAAAsTAAALEwEAmpwYAAAFHUlEQVR4nLVX7U9aVxwm26dlX%2Fdhbx%2B2%2FQnbkvUbrdUAQgJJIfUDNWDTTmOv1FQUFaPJ4kusrV01Jt1sNpctS2u3botZtmxd9tJSFSoqKqIF5bYDFLCovClefstzJ8wXRLDZLznkcO4557n3d3%2FneZ4rEOQZt1WqF%2B8XFr4%2BfOLEe2joY0zwf8ToyZPvjEgkLY%2Bk0mmrXO6dKinxzGk0fjT0x%2BRyr0UqncYczM1rc4tQ%2BIrp2LGXdo4NC4VvWqTS72wqlc%2Br13ORri6KdXdnbOHLlwlzJpRKn6W4%2BK6poOCNnIAfHj%2F%2BwahIZB4vKnqZf0qJpNIql%2Fv8TU0cNl5rbyc3w0QnTp3y2LTaJ7M1NaxDr2fRn1SpPG6Gia21tfE34TcaOay1iMUVOQFbFYqIWSo1W8TiAVanC0evXOEB7Wp14HFb22zE5fqLOC5ERLQWidNaNI4uEcc9i7hcJldHh2NWrQ5gDdbOlpaumIuLb2atAQDPnz0b8NbWcmxVVRJ3HmxpScwwzOJmKDRGe8LlCZDLG9g7TInV1Ql7dbXbV1e3gT0WKirCFomkPyvwXFlZGJOjV6%2BSt64uudDZOU5EUcox%2FMEQDVvt6MbcN27Y3Ayzhv3spaUrB6Z9qrJSO19ezj8p2pLBkJy%2BcCHJxWI5gW5tcfRRz1dU19GfGkou9PZO4smR9jGFwpex4Dy3bvnmKypotbU13VidjqYZhrj49rvMEt%2F%2FYqLz9d00NjW%2Fczgyo9O51zs6aNlo5FDtu0DZgQFhlGXJ0dBADoNhd6uvp6Whoayg7N9LVGH8mD4b%2FHnftUQoNG4vLQ0gixMqlW%2B4qOjtNHDg3r1f6YiRSGxRy7UvqLb9U4qkqnxPONva5lDpHr1%2ByyKRNKWBZy5edMUHB2m5ry%2B%2BEQw%2Bzgf4zo9%2F0ocN3WRzLBw4J%2BJyPWCrqmIgGYtUOsWD4oxZFQoPUjGpVHqI4%2FafkQPC6fZQeeM1%2BvLuIQnjuBWQDDCscrmHP9eoNPAtBqfOnXuaK%2Bh6JEbGrs%2BpvvMmxeIbh863abVPeYySEo9FJHpNMFJY%2BP5cWZkfg7O1tSwYCeSQLTY3E8Q09%2FBVPJUlxQjshT1BscCY02r9UDUBfvCHB66pcfPA3lyAe3ngr3%2F47XDgaJzsly7xwA6NZtlUUPCuAHqaSjUIP%2Bsue8BRWAC%2FNfQ7JZPZ59s0Gj7VtpISz4hQ%2BCpfXGMKhZcvLpUKxfWM8ohvf7p%2FODjHBfcVF8Isk82g1FHykcVFE%2BUZAAX47aE%2FMl4PO50Pnuh0%2Fx4nmcyWPsdwDhBx6CmkLV%2FgFDjYKxOJOFtb0wQyIhL9RyCwK3AOfIGp1YFEBhnMJcLRWEbKdKQoU6ncTZkIEDicAy%2F81dVuEM5RwPfey4xOx0Ik%2FI2NnFki%2BWafOoFIYFcgYZCyxd7eCUjbc4AmF65ft%2FkMhk3o%2B5hc7sMJyqjJEGvYFaQFIr7Y0wPw8BFAY%2B6%2Bvmk3w6zzRuDMmZVRsfh8RtA0uETSD7uCBT6DYQN6iveU0fpkYLjE6qrVrtOxeNKU9THLZJ9kBU2JBsBhV5AivB%2FoKaQNKgPCBwDYaIfZC4adThOqF4WENViLJwVoXobfLBKVw67AOaTsLc65TaVK21vQ4La99eKcYg5vbxsbObzTQ9N7UKDgUO1wDjiDIIBshh5ztg39nQMLSZBH4OzBOUDEQXm206d3fcLgswbXQA4PhcK3nhswU1Bz8wvQ09RHG%2FoYy3ejfwBNmtoYqLA0XgAAAABJRU5ErkJggg%3D%3D&label=UpdatedAt\") | \n
| CreatedAt | \n![\"create-at\"](\"https://img.shields.io/github/created-at/lldap/lldap?logo=data%3Aimage%2Fpng%3Bbase64%2CiVBORw0KGgoAAAANSUhEUgAAAB4AAAAeCAYAAAA7MK6iAAAACXBIWXMAAAsTAAALEwEAmpwYAAAFHUlEQVR4nLVX7U9aVxwm26dlX%2Fdhbx%2B2%2FQnbkvUbrdUAQgJJIfUDNWDTTmOv1FQUFaPJ4kusrV01Jt1sNpctS2u3botZtmxd9tJSFSoqKqIF5bYDFLCovClefstzJ8wXRLDZLznkcO4557n3d3%2FneZ4rEOQZt1WqF%2B8XFr4%2BfOLEe2joY0zwf8ToyZPvjEgkLY%2Bk0mmrXO6dKinxzGk0fjT0x%2BRyr0UqncYczM1rc4tQ%2BIrp2LGXdo4NC4VvWqTS72wqlc%2Br13ORri6KdXdnbOHLlwlzJpRKn6W4%2BK6poOCNnIAfHj%2F%2BwahIZB4vKnqZf0qJpNIql%2Fv8TU0cNl5rbyc3w0QnTp3y2LTaJ7M1NaxDr2fRn1SpPG6Gia21tfE34TcaOay1iMUVOQFbFYqIWSo1W8TiAVanC0evXOEB7Wp14HFb22zE5fqLOC5ERLQWidNaNI4uEcc9i7hcJldHh2NWrQ5gDdbOlpaumIuLb2atAQDPnz0b8NbWcmxVVRJ3HmxpScwwzOJmKDRGe8LlCZDLG9g7TInV1Ql7dbXbV1e3gT0WKirCFomkPyvwXFlZGJOjV6%2BSt64uudDZOU5EUcox%2FMEQDVvt6MbcN27Y3Ayzhv3spaUrB6Z9qrJSO19ezj8p2pLBkJy%2BcCHJxWI5gW5tcfRRz1dU19GfGkou9PZO4smR9jGFwpex4Dy3bvnmKypotbU13VidjqYZhrj49rvMEt%2F%2FYqLz9d00NjW%2Fczgyo9O51zs6aNlo5FDtu0DZgQFhlGXJ0dBADoNhd6uvp6Whoayg7N9LVGH8mD4b%2FHnftUQoNG4vLQ0gixMqlW%2B4qOjtNHDg3r1f6YiRSGxRy7UvqLb9U4qkqnxPONva5lDpHr1%2ByyKRNKWBZy5edMUHB2m5ry%2B%2BEQw%2Bzgf4zo9%2F0ocN3WRzLBw4J%2BJyPWCrqmIgGYtUOsWD4oxZFQoPUjGpVHqI4%2FafkQPC6fZQeeM1%2BvLuIQnjuBWQDDCscrmHP9eoNPAtBqfOnXuaK%2Bh6JEbGrs%2BpvvMmxeIbh863abVPeYySEo9FJHpNMFJY%2BP5cWZkfg7O1tSwYCeSQLTY3E8Q09%2FBVPJUlxQjshT1BscCY02r9UDUBfvCHB66pcfPA3lyAe3ngr3%2F47XDgaJzsly7xwA6NZtlUUPCuAHqaSjUIP%2Bsue8BRWAC%2FNfQ7JZPZ59s0Gj7VtpISz4hQ%2BCpfXGMKhZcvLpUKxfWM8ohvf7p%2FODjHBfcVF8Isk82g1FHykcVFE%2BUZAAX47aE%2FMl4PO50Pnuh0%2Fx4nmcyWPsdwDhBx6CmkLV%2FgFDjYKxOJOFtb0wQyIhL9RyCwK3AOfIGp1YFEBhnMJcLRWEbKdKQoU6ncTZkIEDicAy%2F81dVuEM5RwPfey4xOx0Ik%2FI2NnFki%2BWafOoFIYFcgYZCyxd7eCUjbc4AmF65ft%2FkMhk3o%2B5hc7sMJyqjJEGvYFaQFIr7Y0wPw8BFAY%2B6%2Bvmk3w6zzRuDMmZVRsfh8RtA0uETSD7uCBT6DYQN6iveU0fpkYLjE6qrVrtOxeNKU9THLZJ9kBU2JBsBhV5AivB%2FoKaQNKgPCBwDYaIfZC4adThOqF4WENViLJwVoXobfLBKVw67AOaTsLc65TaVK21vQ4La99eKcYg5vbxsbObzTQ9N7UKDgUO1wDjiDIIBshh5ztg39nQMLSZBH4OzBOUDEQXm206d3fcLgswbXQA4PhcK3nhswU1Bz8wvQ09RHG%2FoYy3ejfwBNmtoYqLA0XgAAAABJRU5ErkJggg%3D%3D&label=CreatedAt\") | \n
![](\"https://cdn.jsdelivr.net/gh/eryajf/tu@main/img/image_20240420_214408.gif\")
\n| Repos | \nlldap/lldap | \n
|---|---|
| Views | \n | \n
| Stars | \n | \n
| Forks | \n | \n
| License | \n | \n
| UpdatedAt | \n | \n
| CreatedAt | \n | \n
\n\nLDAP made easy.\n
\n\n \n ![\"Build\"](\"https://github.com/lldap/lldap/actions/workflows/rust.yml/badge.svg\"){kind=icon}
\n \n \n ![\"Discord\"](\"https://img.shields.io/discord/898492935446876200?label=discord&logo=discord\")
![\"Twitter](\"https://img.shields.io/twitter/follow/nitnelave1?style=social\")
![\"Unsafe](\"https://img.shields.io/badge/unsafe-forbidden-success.svg\"){kind=icon}
![\"Codecov\"](\"https://img.shields.io/codecov/c/github/lldap/lldap\")
\n \n ![\"Buy](\"https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png\")
This project is a lightweight authentication server that provides an
\nopinionated, simplified LDAP interface for authentication. It integrates with
\nmany backends, from KeyCloak to Authelia to Nextcloud and
\nmore!
![\"Screenshot](\"https://raw.githubusercontent.com/lldap/lldap/master/screenshot.png\")
It comes with a frontend that makes user management easy, and allows users to
\nedit their own details or reset their password by email.
The goal is not to provide a full LDAP server; if you're interested in that,
\ncheck out OpenLDAP. This server is a user management system that is:
slapd),It mostly targets self-hosting servers, with open-source components like
\nNextcloud, Airsonic and so on that only support LDAP as a source of external
\nauthentication.
For more features (OAuth/OpenID support, reverse proxy, ...) you can install
\nother components (KeyCloak, Authelia, ...) using this server as the source of
\ntruth for users, via LDAP.
By default, the data is stored in SQLite, but you can swap the backend with
\nMySQL/MariaDB or PostgreSQL.
The image is available at lldap/lldap. You should persist the /data
\nfolder, which contains your configuration and the SQLite database (you can
\nremove this step if you use a different DB and configure with environment
\nvariables only).
Configure the server by copying the lldap_config.docker_template.toml to
\n/data/lldap_config.toml and updating the configuration values (especially the
\njwt_secret and ldap_user_pass, unless you override them with env variables).
\nEnvironment variables should be prefixed with LLDAP_ to override the
\nconfiguration.
If the lldap_config.toml doesn't exist when starting up, LLDAP will use
\ndefault one. The default admin password is password, you can change the
\npassword later using the web interface.
Secrets can also be set through a file. The filename should be specified by the
\nvariables LLDAP_JWT_SECRET_FILE or LLDAP_KEY_SEED_FILE, and the file
\ncontents are loaded into the respective configuration parameters. Note that
\n_FILE variables take precedence.
Example for docker compose:
\n:latest tag image or :stable as used in this example.:latest tag image contains recently pushed code or feature tests, in which some instability can be expected.UID and GID no defined LLDAP will use default UID and GID number 1000.TZ is set, default UTC timezone will be used../generate_secrets.shversion: \"3\"\n\nvolumes:\n lldap_data:\n driver: local\n\nservices:\n lldap:\n image: lldap/lldap:stable\n ports:\n # For LDAP, not recommended to expose, see Usage section.\n #- \"3890:3890\"\n # For LDAPS (LDAP Over SSL), enable port if LLDAP_LDAPS_OPTIONS__ENABLED set true, look env below\n #- \"6360:6360\"\n # For the web front-end\n - \"17170:17170\"\n volumes:\n - \"lldap_data:/data\"\n # Alternatively, you can mount a local folder\n # - \"./lldap_data:/data\"\n environment:\n - UID=####\n - GID=####\n - TZ=####/####\n - LLDAP_JWT_SECRET=REPLACE_WITH_RANDOM\n - LLDAP_KEY_SEED=REPLACE_WITH_RANDOM\n - LLDAP_LDAP_BASE_DN=dc=example,dc=com\n - LLDAP_LDAP_USER_PASS=adminPas$word\n # If using LDAPS, set enabled true and configure cert and key path\n # - LLDAP_LDAPS_OPTIONS__ENABLED=true\n # - LLDAP_LDAPS_OPTIONS__CERT_FILE=/path/to/certfile.crt\n # - LLDAP_LDAPS_OPTIONS__KEY_FILE=/path/to/keyfile.key\n # You can also set a different database:\n # - LLDAP_DATABASE_URL=mysql://mysql-user:password@mysql-server/my-database\n # - LLDAP_DATABASE_URL=postgres://postgres-user:password@postgres-server/my-database\n # If using SMTP, set the following variables\n # - LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_RESET=true\n # - LLDAP_SMTP_OPTIONS__SERVER=smtp.example.com\n # - LLDAP_SMTP_OPTIONS__PORT=465 # Check your smtp providor's documentation for this setting\n # - LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION=TLS # How the connection is encrypted, either \"NONE\" (no encryption, port 25), \"TLS\" (sometimes called SSL, port 465) or \"STARTTLS\" (sometimes called TLS, port 587).\n # - LLDAP_SMTP_OPTIONS__USER=no-reply@example.com # The SMTP user, usually your email address\n # - LLDAP_SMTP_OPTIONS__PASSWORD=PasswordGoesHere # The SMTP password\n # - LLDAP_SMTP_OPTIONS__FROM=no-reply <no-reply@example.com> # The header field, optional: how the sender appears in the email. The first is a free-form name, followed by an email between <>.\n # - LLDAP_SMTP_OPTIONS__TO=admin <admin@example.com> # Same for reply-to, optional.Then the service will listen on two ports, one for LDAP and one for the web
\nfront-end.
LLDAP works well with rootless Podman either through command line deployment
\nor using quadlets. The example quadlets
\ninclude configuration with postgresql and file based secrets, but have comments
\nfor several other deployment strategies.
See https://github.com/Evantage-WS/lldap-kubernetes for a LLDAP deployment for Kubernetes
\nYou can bootstrap your lldap instance (users, groups)
\nusing bootstrap.sh.
\nIt can be run by Argo CD for managing users in git-opt way, or as a one-shot job.
Do not open issues in this repository for problems with third-party
\npre-built packages. Report issues downstream.
Depending on the distribution you use, it might be possible to install lldap
\nfrom a package repository, officially supported by the distribution or
\ncommunity contributed.
Each package offers a systemd service lldap.service or rc.d_lldap rc.d/lldap to (auto-)start and stop lldap.
\nWhen using the distributed packages, the default login is admin/password. You can change that from the web UI after starting the service.
| Package name | \nMaintainer | \nDescription | \n
| lldap | \n@Zepmann | \nBuilds the latest stable version. | \n
| lldap-bin | \n@Zepmann | \nUses the latest pre-compiled binaries from the releases in this repository. \n This package is recommended if you want to run LLDAP on a system with limited resources. | \n
| lldap-git | \n\n | Builds the latest main branch code. | \n
| Available packages: | \nlldap | \nLight LDAP server for authentication. | \n
| \n | lldap-extras | \nMeta-Package for LLDAP and its tools and extensions. | \n
| \n | lldap-migration-tool | \nCLI migration tool to go from OpenLDAP to LLDAP. | \n
| \n | lldap-set-password | \nCLI tool to set a user password in LLDAP. | \n
| \n | lldap-cli | \nLLDAP-CLI is an unofficial command line interface for LLDAP. | \n
| Available packages: | \nlldap | \nLight LDAP server for authentication. | \n
| \n | lldap-extras | \nMeta-Package for LLDAP and its tools and extensions. | \n
| \n | lldap-migration-tool | \nCLI migration tool to go from OpenLDAP to LLDAP. | \n
| \n | lldap-set-password | \nCLI tool to set a user password in LLDAP. | \n
| \n | lldap-cli | \nLLDAP-CLI is an unofficial command line interface for LLDAP. | \n
| Available packages: | \nlldap | \nLight LDAP server for authentication. | \n
| \n | lldap-extras | \nMeta-Package for LLDAP and its tools and extensions. | \n
| \n | lldap-migration-tool | \nCLI migration tool to go from OpenLDAP to LLDAP. | \n
| \n | lldap-set-password | \nCLI tool to set a user password in LLDAP. | \n
| \n | lldap-cli | \nLLDAP-CLI is an unofficial command line interface for LLDAP. | \n
| Available packages: | \nlldap | \nLight LDAP server for authentication. | \n
| \n | lldap-extras | \nMeta-Package for LLDAP and its tools and extensions. | \n
| \n | lldap-migration-tool | \nCLI migration tool to go from OpenLDAP to LLDAP. | \n
| \n | lldap-set-password | \nCLI tool to set a user password in LLDAP. | \n
| \n | lldap-cli | \nLLDAP-CLI is an unofficial command line interface for LLDAP. | \n
| Available packages: | \nlldap | \nLight LDAP server for authentication. | \n
| \n | lldap-extras | \nMeta-Package for LLDAP and its tools and extensions. | \n
| \n | lldap-migration-tool | \nCLI migration tool to go from OpenLDAP to LLDAP. | \n
| \n | lldap-set-password | \nCLI tool to set a user password in LLDAP. | \n
| \n | lldap-cli | \nLLDAP-CLI is an unofficial command line interface for LLDAP. | \n
| Available packages: | \nlldap | \nLight LDAP server for authentication. | \n
To compile the project, you'll need:
\nsudo apt install curl gzipThen you can compile the server (and the migration tool if you want):
\ncargo build --release -p lldap -p lldap_migration_toolThe resulting binaries will be in ./target/release/. Alternatively, you can
\njust run cargo run -- run to run the server.
To bring up the server, you'll need to compile the frontend. In addition to
\ncargo, you'll need WASM-pack, which can be installed by running cargo install wasm-pack.
Then you can build the frontend files with
\n./app/build.sh(you'll need to run this after every front-end change to update the WASM
\npackage served).
The default config is in src/infra/configuration.rs, but you can override it
\nby creating an lldap_config.toml, setting environment variables or passing
\narguments to cargo run. Have a look at the docker template:
\nlldap_config.docker_template.toml.
You can also install it as a systemd service, see
\nlldap.service.
Docker images are provided for AMD64, ARM64 and ARM/V7.
\nIf you want to cross-compile yourself, you can do so by installing
\ncross:
cargo install cross\ncross build --target=armv7-unknown-linux-musleabihf -p lldap --release\n./app/build.sh(Replace armv7-unknown-linux-musleabihf with the correct Rust target for your
\ndevice.)
You can then get the compiled server binary in
\ntarget/armv7-unknown-linux-musleabihf/release/lldap and the various needed files
\n(index.html, main.js, pkg folder) in the app folder. Copy them to the
\nRaspberry Pi (or other target), with the folder structure maintained (app
\nfiles in an app folder next to the binary).
The simplest way to use LLDAP is through the web front-end. There you can
\ncreate users, set passwords, add them to groups and so on. Users can also
\nconnect to the web UI and change their information, or request a password reset
\nlink (if you configured the SMTP client).
You can create and manage custom attributes through the Web UI, or through the
\ncommunity-contributed CLI frontend (
\nZepmann/lldap-cli). This is necessary
\nfor some service integrations.
The bootstrap.sh script can enforce a list of
\nusers/groups/attributes from a given file, reflecting it on the server.
To manage the user, group and membership lifecycle in an infrastructure-as-code
\nscenario you can use the unofficial LLDAP terraform provider in the terraform registry.
LLDAP is also very scriptable, through its GraphQL API. See the
\nScripting docs for more info.
If you are using containers, a sample architecture could look like this:
\n*-rootless version of the images to be able toUID/GID env vars to the uid docker-composeMost services that can use LDAP as an authentication provider should work out
\nof the box. For new services, it's possible that they require a bit of tweaking
\non LLDAP's side to make things work. In that case, just create an issue with
\nthe relevant details (logs of the service, LLDAP logs with verbose=true in
\nthe config).
To configure the services that will talk to LLDAP, here are the values:
\ncn=admin,ou=people,dc=example,dc=com.ou=people, + the base DN, so by default userbob is at cn=bob,ou=people,dc=example,dc=com.ou=groups, so the group familycn=family,ou=groups,dc=example,dc=com.Testing group membership through memberOf is supported, so you can have a
\nfilter like: (memberOf=cn=admins,ou=groups,dc=example,dc=com).
The administrator group for LLDAP is lldap_admin: anyone in this group has
\nadmin rights in the Web UI. Most LDAP integrations should instead use a user in
\nthe lldap_strict_readonly or lldap_password_manager group, to avoid granting full
\nadministration access to many services. To prevent privilege escalation users in the
\nlldap_password_manager group are not allowed to change passwords of admins in the
\nlldap_admin group.
Integration with Linux accounts is possible, through PAM and nslcd. See PAM
\nconfiguration guide.
Integration with Windows (e.g. Samba) is WIP.
\nSome specific clients have been tested to work and come with sample
\nconfiguration files, or guides. See the example_configs
\nfolder for help with:
Though we try to be maximally compatible, not every feature is supported; LLDAP
\nis not a fully-featured LDAP server, intentionally so.
LDAP browsing tools are generally not supported, though they could be. If you
\nneed to use one but it behaves weirdly, please file a bug.
Some services use features that are not implemented, or require specific
\nattributes. You can try to create those attributes (see custom attributes in
\nthe Usage section).
Finally, some services require password hashes so they can validate themselves
\nthe user's password without contacting LLDAP. This is not and will not be
\nsupported, it's incompatible with our password hashing scheme (a zero-knowledge
\nproof). Furthermore, it's generally not recommended in terms of security, since
\nit duplicates the places from which a password hash could leak.
In that category, the most prominent is Synology. It is, to date, the only
\nservice that seems definitely incompatible with LLDAP.
If you started with an SQLite database and would like to migrate to
\nMySQL/MariaDB or PostgreSQL, check out the DB
\nmigration docs.
OpenLDAP is a monster of a service that implements
\nall of LDAP and all of its extensions, plus some of its own. That said, if you
\nneed all that flexibility, it might be what you need! Note that installation
\ncan be a bit painful (figuring out how to use slapd) and people have mixed
\nexperiences following tutorials online. If you don't configure it properly, you
\nmight end up storing passwords in clear, so a breach of your server would
\nreveal all the stored passwords!
OpenLDAP doesn't come with a UI: if you want a web interface, you'll have to
\ninstall one (not that many look nice) and configure it.
LLDAP is much simpler to setup, has a much smaller image (10x smaller, 20x if
\nyou add PhpLdapAdmin), and comes packed with its own purpose-built web UI.
\nHowever, it's not as flexible as OpenLDAP.
FreeIPA is the one-stop shop for identity management:
\nLDAP, Kerberos, NTP, DNS, Samba, you name it, it has it. In addition to user
\nmanagement, it also does security policies, single sign-on, certificate
\nmanagement, linux account management and so on.
If you need all of that, go for it! Keep in mind that a more complex system is
\nmore complex to maintain, though.
LLDAP is much lighter to run (<10 MB RAM including the DB), easier to
\nconfigure (no messing around with DNS or security policies) and simpler to
\nuse. It also comes conveniently packed in a docker container.
Kanidm is an up-and-coming Rust identity management
\nplatform, covering all your bases: OAuth, Linux accounts, SSH keys, Radius,
\nWebAuthn. It comes with a (read-only) LDAPS server.
It's fairly easy to install and does much more; but their LDAP server is
\nread-only, and by having more moving parts it is inherently more complex. If
\nyou don't need to modify the users through LDAP and you're planning on
\ninstalling something like KeyCloak to provide
\nmodern identity protocols, check out Kanidm.
If you just set up the server, can get to the login page but the password you
\nset isn't working, try the following:
force_ldap_user_pass_reset)./data folder is persistent, either to alldap_config.toml file (either in /data for dockerlldap_config.docker_template.toml there, and fill in the various valuesusers.db file (either in /data for docker or where/data folder. If in doubt, youchmod 777 /data (or whatever the folder) to make it world-writeable.Use this bot to Automate discord role syncronization for paid memberships.
\n/register command.Contributions are welcome! Just fork and open a PR. Or just file a bug.
\nWe don't have a code of conduct, just be respectful and remember that it's just
\nnormal people doing this for free on their free time.
Make sure that you run cargo fmt from the root before creating the PR. And if
\nyou change the GraphQL interface, you'll need to regenerate the schema by
\nrunning ./export_schema.sh.
Join our Discord server if you have any
\nquestions!