Skip to content

daemonless/lldap

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
.daemonless
.daemonless
 
 
.github/workflows
.github/workflows
 
 
root
root
 
 
Containerfile
Containerfile
 
 
Containerfile.j2
Containerfile.j2
 
 
README.md
README.md
 
 
compose.yaml
compose.yaml
 
 
sbom.json
sbom.json
 
 

Repository files navigation

lldap

Build Status Last Commit

This project is a lightweight authentication server that provides an opinionated, simplified LDAP interface for authentication.
Port 17170
Registry ghcr.io/daemonless/lldap
Source https://github.com/lldap/lldap
Website https://github.com/lldap/lldap

Version Tags

Tag Description Best For
pkg Upstream Binary. Built from official release. Most users. Matches Linux Docker behavior.
latest / pkg-latest FreeBSD Latest. Rolling package updates. Newest FreeBSD packages.

Prerequisites

Before deploying, ensure your host environment is ready. See the Quick Start Guide for host setup instructions.

Deployment

Podman Compose

services:
  lldap:
    image: ghcr.io/daemonless/lldap:latest
    container_name: lldap
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=UTC
      - LLDAP_LDAP_USER_PASS="path/to/secret"
      - LLDAP_LDAP_USER_EMAIL="path/to/secret"
      - LLDAP_JWT_SECRET_FILE="path/to/secret"
      - LLDAP_KEY_SEED_FILE="path/to/secret"
      - LLDAP_SMTP_OPTIONS__PASSWORD_FILE="path/to/secret"
    volumes:
      - "/path/to/containers/lldap:/config"
    ports:
      - 17170:17170
      - 3890:3890
    restart: unless-stopped

Podman CLI

podman run -d --name lldap \
  -p 17170:17170 \
  -p 3890:3890 \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=UTC \
  -e LLDAP_LDAP_USER_PASS="path/to/secret" \
  -e LLDAP_LDAP_USER_EMAIL="path/to/secret" \
  -e LLDAP_JWT_SECRET_FILE="path/to/secret" \
  -e LLDAP_KEY_SEED_FILE="path/to/secret" \
  -e LLDAP_SMTP_OPTIONS__PASSWORD_FILE="path/to/secret" \
  -v /path/to/containers/lldap:/config \
  ghcr.io/daemonless/lldap:latest

Ansible

- name: Deploy lldap
  containers.podman.podman_container:
    name: lldap
    image: ghcr.io/daemonless/lldap:latest
    state: started
    restart_policy: always
    env:
      PUID: "1000"
      PGID: "1000"
      TZ: "UTC"
      LLDAP_LDAP_USER_PASS: ""path/to/secret""
      LLDAP_LDAP_USER_EMAIL: ""path/to/secret""
      LLDAP_JWT_SECRET_FILE: ""path/to/secret""
      LLDAP_KEY_SEED_FILE: ""path/to/secret""
      LLDAP_SMTP_OPTIONS__PASSWORD_FILE: ""path/to/secret""
    ports:
      - "17170:17170"
      - "3890:3890"
    volumes:
      - "/path/to/containers/lldap:/config"

Parameters

Environment Variables

Variable Default Description
PUID 1000 User ID for the application process
PGID 1000 Group ID for the application process
TZ UTC Timezone for the container
LLDAP_LDAP_USER_PASS "path/to/secret"
LLDAP_LDAP_USER_EMAIL "path/to/secret"
LLDAP_JWT_SECRET_FILE "path/to/secret"
LLDAP_KEY_SEED_FILE "path/to/secret"
LLDAP_SMTP_OPTIONS__PASSWORD_FILE "path/to/secret"

Volumes

Path Description
/config Configuration directory

Ports

Port Protocol Description
17170 TCP Web UI
3890 TCP LDAP

First time setup

To configure the admin user with password and email address during the first startup, you can define some additional environment variables in your container file:

services:
  lldap:
    env:
      - LLDAP_LDAP_USER_EMAIL="admin@example.com"
      - LLDAP_LDAP_USER_PASS="very_secure_password"

Persistent secret values

To set crypto secrets persistently and securely it is best to provide them as secrets to the container.
Define the at the top level of your container file.

Define the secrets

You can either use podman managed secrets like this (assuming your created secrets in podman with the names lldap_jwt_secret, lldap_key_seed and lldap_smtp_password):

secrets:
  lldap_jwt_secret:
    external: true
  lldap_key_seed:
    external: true
  lldap_smtp_password:
    external: true

Or just write the secrets to files next to your container file and define them like shown below.
The files should be owned by $PUID:$PGID and have the appropriate permissions (like 0400).

secrets:
  lldap_jwt_secret:
    file: ./secrets/lldap_jwt_secret
  lldap_key_seed:
    file: ./secrets/lldap_key_seed
  lldap_smtp_password:
    file: ./secrets/lldap_smtp_password

Use the secrets in your service

If you use podman managed secrets, you need to make sure

services:
  lldap:
    secrets:
      - source: lldap_jwt_secret
          uid: 1000
          gid: 1000
          mode: "0400"
      - source: lldap_key_seed
          uid: 1000
          gid: 1000
          mode: "0400"
      - source: lldap_smtp_password
          uid: 1000
          gid: 1000
          mode: "0400"

If you provide the secrets directly from files using the second method from above and have set the owner and permissions appropriately, then you can simple do:

services:
  lldap:
    secrets:
      - lldap_jwt_secret
      - lldap_key_seed
      - lldap_smtp_password

Configure lldap to use your secrets

To configure lldap to use the secrets you can define a few environment variables:

service:
  env:
    - LLDAP_JWT_SECRET_FILE="/var/run/secrets/lldap_jwt_secret"
    - LLDAP_KEY_SEED_FILE="/var/run/secrets/lldap_key_seed"
    - LLDAP_SMTP_OPTIONS__PASSWORD_FILE="/var/run/secrets/lldap_smtp_password"

Architectures: amd64 User: bsd (UID/GID via PUID/PGID, defaults to 1000:1000) Base: FreeBSD 15.0

Need help? Join our Discord community.

About

Native FreeBSD OCI container image for lldap

daemonless.io

Topics

freebsd ldap self-hosted oci-image podman

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages