{"id":13408810,"url":"https://github.com/lldap/lldap","last_synced_at":"2025-05-12T05:18:25.513Z","repository":{"id":36950548,"uuid":"343753772","full_name":"lldap/lldap","owner":"lldap","description":"Light LDAP implementation","archived":false,"fork":false,"pushed_at":"2025-05-09T13:03:37.000Z","size":3670,"stargazers_count":4993,"open_issues_count":74,"forks_count":251,"subscribers_count":23,"default_branch":"main","last_synced_at":"2025-05-12T02:43:20.499Z","etag":null,"topics":["authentication","ldap","opaque","rust","security","wasm","web-assembly"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lldap.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":["lldap"],"custom":["https://bmc.link/nitnelave"]}},"created_at":"2021-03-02T11:39:53.000Z","updated_at":"2025-05-12T01:36:25.000Z","dependencies_parsed_at":"2023-11-30T11:24:41.738Z","dependency_job_id":"922cb4da-5a89-4e99-a170-5e6ca5462328","html_url":"https://github.com/lldap/lldap","commit_stats":null,"previous_names":["nitnelave/lldap"],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lldap%2Flldap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lldap%2Flldap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lldap%2Flldap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositor
ies/lldap%2Flldap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lldap","download_url":"https://codeload.github.com/lldap/lldap/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253672696,"owners_count":21945480,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","ldap","opaque","rust","security","wasm","web-assembly"],"created_at":"2024-07-30T20:00:55.423Z","updated_at":"2025-05-12T05:18:25.461Z","avatar_url":"https://github.com/lldap.png","language":"Rust","readme":"\u003ch1 align=\"center\"\u003elldap - Light LDAP implementation for authentication\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n\u003ci style=\"font-size:24px\"\u003eLDAP made easy.\u003c/i\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/lldap/lldap/actions/workflows/rust.yml?query=branch%3Amain\"\u003e\n    \u003cimg\n      src=\"https://github.com/lldap/lldap/actions/workflows/rust.yml/badge.svg\"\n      alt=\"Build\"/\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://discord.gg/h5PEdRMNyP\"\u003e\n    \u003cimg alt=\"Discord\" src=\"https://img.shields.io/discord/898492935446876200?label=discord\u0026logo=discord\" /\u003e\n  \u003c/a\u003e\n\n  \u003ca href=\"https://twitter.com/nitnelave1?ref_src=twsrc%5Etfw\"\u003e\n    \u003cimg\n      src=\"https://img.shields.io/twitter/follow/nitnelave1?style=social\"\n      alt=\"Twitter Follow\"/\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/rust-secure-code/safety-dance/\"\u003e\n    \u003cimg\n  
    src=\"https://img.shields.io/badge/unsafe-forbidden-success.svg\"\n      alt=\"Unsafe forbidden\"/\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://app.codecov.io/gh/lldap/lldap\"\u003e\n    \u003cimg alt=\"Codecov\" src=\"https://img.shields.io/codecov/c/github/lldap/lldap\" /\u003e\n  \u003c/a\u003e\n  \u003cbr/\u003e\n  \u003ca href=\"https://www.buymeacoffee.com/nitnelave\" target=\"_blank\"\u003e\n    \u003cimg src=\"https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png\" alt=\"Buy Me A Coffee\" style=\"height: 41px !important;width: 174px !important;box-shadow: 0px 3px 2px 0px rgba(190, 190, 190, 0.5) !important;-webkit-box-shadow: 0px 3px 2px 0px rgba(190, 190, 190, 0.5) !important;\" \u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n- [About](#about)\n- [Installation](#installation)\n  - [With Docker](#with-docker)\n  - [With Podman](#with-podman)\n  - [With Kubernetes](#with-kubernetes)\n  - [From a package repository](#from-a-package-repository)\n  - [With FreeBSD](#with-freebsd)\n  - [From source](#from-source)\n    - [Backend](#backend)\n    - [Frontend](#frontend)\n  - [Cross-compilation](#cross-compilation)\n- [Usage](#usage)\n  - [Recommended architecture](#recommended-architecture)\n- [Client configuration](#client-configuration)\n  - [Compatible services](#compatible-services)\n  - [General configuration guide](#general-configuration-guide)\n  - [Integration with OS's](#integration-with-oss)\n  - [Sample client configurations](#sample-client-configurations)\n  - [Incompatible services](#incompatible-services)\n- [Migrating from SQLite](#migrating-from-sqlite)\n- [Comparisons with other services](#comparisons-with-other-services)\n  - [vs OpenLDAP](#vs-openldap)\n  - [vs FreeIPA](#vs-freeipa)\n  - [vs Kanidm](#vs-kanidm)\n- [I can't log in!](#i-cant-log-in)\n- [Discord Integration](#discord-integration)\n- [Contributions](#contributions)\n\n## About\n\nThis project is a lightweight authentication server that provides an\nopinionated, 
simplified LDAP interface for authentication. It integrates with\nmany backends, from KeyCloak to Authelia to Nextcloud and\n[more](#compatible-services)!\n\n\u003cimg\n  src=\"https://raw.githubusercontent.com/lldap/lldap/master/screenshot.png\"\n  alt=\"Screenshot of the user list page\"\n  width=\"50%\"\n  align=\"right\"\n/\u003e\n\nIt comes with a frontend that makes user management easy, and allows users to\nedit their own details or reset their password by email.\n\nThe goal is _not_ to provide a full LDAP server; if you're interested in that,\ncheck out OpenLDAP. This server is a user management system that is:\n\n- simple to set up (no messing around with `slapd`),\n- simple to manage (friendly web UI),\n- low resources,\n- opinionated with basic defaults so you don't have to understand the\n  subtleties of LDAP.\n\nIt mostly targets self-hosting servers, with open-source components like\nNextcloud, Airsonic and so on that only support LDAP as a source of external\nauthentication.\n\nFor more features (OAuth/OpenID support, reverse proxy, ...) you can install\nother components (KeyCloak, Authelia, ...) using this server as the source of\ntruth for users, via LDAP.\n\nBy default, the data is stored in SQLite, but you can swap the backend with\nMySQL/MariaDB or PostgreSQL.\n\n## Installation\n\n### With Docker\n\nThe image is available at `lldap/lldap`. 
You should persist the `/data`\nfolder, which contains your configuration and the SQLite database (you can\nremove this step if you use a different DB and configure with environment\nvariables only).\n\nConfigure the server by copying the `lldap_config.docker_template.toml` to\n`/data/lldap_config.toml` and updating the configuration values (especially the\n`jwt_secret` and `ldap_user_pass`, unless you override them with env variables).\nEnvironment variables should be prefixed with `LLDAP_` to override the\nconfiguration.\n\nIf the `lldap_config.toml` doesn't exist when starting up, LLDAP will use\nthe default one. The default admin password is `password`; you can change the\npassword later using the web interface.\n\nSecrets can also be set through a file. The filename should be specified by the\nvariables `LLDAP_JWT_SECRET_FILE` or `LLDAP_KEY_SEED_FILE`, and the file\ncontents are loaded into the respective configuration parameters. Note that\n`_FILE` variables take precedence.\n\nExample for docker compose:\n\n- You can use either the `:latest` tag image or `:stable` as used in this example.\n- `:latest` tag image contains recently pushed code or feature tests, in which some instability can be expected.\n- If `UID` and `GID` are not defined, LLDAP will use the default `UID` and `GID` number `1000`.\n- If no `TZ` is set, the default `UTC` timezone will be used.\n- You can generate the secrets by running `./generate_secrets.sh`\n\n```yaml\nversion: \"3\"\n\nvolumes:\n  lldap_data:\n    driver: local\n\nservices:\n  lldap:\n    image: lldap/lldap:stable\n    ports:\n      # For LDAP, not recommended to expose, see Usage section.\n      #- \"3890:3890\"\n      # For LDAPS (LDAP Over SSL), enable port if LLDAP_LDAPS_OPTIONS__ENABLED set true, look env below\n      #- \"6360:6360\"\n      # For the web front-end\n      - \"17170:17170\"\n    volumes:\n      - \"lldap_data:/data\"\n      # Alternatively, you can mount a local folder\n      # - \"./lldap_data:/data\"\n    environment:\n 
     - UID=####\n      - GID=####\n      - TZ=####/####\n      - LLDAP_JWT_SECRET=REPLACE_WITH_RANDOM\n      - LLDAP_KEY_SEED=REPLACE_WITH_RANDOM\n      - LLDAP_LDAP_BASE_DN=dc=example,dc=com\n      - LLDAP_LDAP_USER_PASS=adminPas$word\n      # If using LDAPS, set enabled true and configure cert and key path\n      # - LLDAP_LDAPS_OPTIONS__ENABLED=true\n      # - LLDAP_LDAPS_OPTIONS__CERT_FILE=/path/to/certfile.crt\n      # - LLDAP_LDAPS_OPTIONS__KEY_FILE=/path/to/keyfile.key\n      # You can also set a different database:\n      # - LLDAP_DATABASE_URL=mysql://mysql-user:password@mysql-server/my-database\n      # - LLDAP_DATABASE_URL=postgres://postgres-user:password@postgres-server/my-database\n      # If using SMTP, set the following variables\n      # - LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_RESET=true\n      # - LLDAP_SMTP_OPTIONS__SERVER=smtp.example.com\n      # - LLDAP_SMTP_OPTIONS__PORT=465 # Check your SMTP provider's documentation for this setting\n      # - LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION=TLS # How the connection is encrypted, either \"NONE\" (no encryption, port 25), \"TLS\" (sometimes called SSL, port 465) or \"STARTTLS\" (sometimes called TLS, port 587).\n      # - LLDAP_SMTP_OPTIONS__USER=no-reply@example.com # The SMTP user, usually your email address\n      # - LLDAP_SMTP_OPTIONS__PASSWORD=PasswordGoesHere # The SMTP password\n      # - LLDAP_SMTP_OPTIONS__FROM=no-reply \u003cno-reply@example.com\u003e # The header field, optional: how the sender appears in the email. The first is a free-form name, followed by an email between \u003c\u003e.\n      # - LLDAP_SMTP_OPTIONS__TO=admin \u003cadmin@example.com\u003e # Same for reply-to, optional.\n```\n\nThen the service will listen on two ports, one for LDAP and one for the web\nfront-end.\n\n### With Podman\n\nLLDAP works well with rootless Podman either through command line deployment\nor using [quadlets](example_configs/podman-quadlets/). 
The example quadlets\ninclude configuration with PostgreSQL and file-based secrets, but have comments\nfor several other deployment strategies.\n\n### With Kubernetes\n\nSee https://github.com/Evantage-WS/lldap-kubernetes for an LLDAP deployment for Kubernetes.\n\nYou can bootstrap your lldap instance (users, groups)\nusing [bootstrap.sh](example_configs/bootstrap/bootstrap.md#kubernetes-job).\nIt can be run by Argo CD for managing users in a GitOps way, or as a one-shot job.\n\n### From a package repository\n\n**Do not open issues in this repository for problems with third-party\npre-built packages. Report issues downstream.**\n\nDepending on the distribution you use, it might be possible to install lldap\nfrom a package repository, officially supported by the distribution or\ncommunity contributed.\n\nEach package offers a [systemd service](https://wiki.archlinux.org/title/systemd#Using_units) `lldap.service` to (auto-)start and stop lldap.\u003cbr\u003e\nWhen using the distributed packages, the default login is `admin/password`. 
You can change that from the web UI after starting the service.\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eArch Linux\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\n  Arch Linux offers unofficial support through the \u003ca href=\"https://wiki.archlinux.org/title/Arch_User_Repository\"\u003eArch User Repository (AUR)\u003c/a\u003e.\u003cbr\u003e\n  The package descriptions can be used \u003ca href=\"https://wiki.archlinux.org/title/Arch_User_Repository#Getting_started\"\u003eto create and install packages\u003c/a\u003e.\u003cbr\u003e\u003cbr\u003e\n  Support: \u003ca href=\"https://github.com/lldap/lldap/discussions/1044\"\u003eDiscussions\u003c/a\u003e\u003cbr\u003e\n  Package repository: \u003ca href=\"https://aur.archlinux.org/packages\"\u003eArch User Repository\u003c/a\u003e\u003cbr\u003e\u003cbr\u003e\n\u003ctable\u003e\n  \u003ctr\u003e\n    \u003ctd\u003ePackage name\u003c/td\u003e\n    \u003ctd\u003eMaintainer\u003c/td\u003e\n    \u003ctd\u003eDescription\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e\u003ca href=\"https://aur.archlinux.org/packages/lldap\"\u003elldap\u003c/a\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003ca href=\"https://github.com/Zepmann\"\u003e@Zepmann\u003c/a\u003e\u003c/td\u003e\n    \u003ctd\u003eBuilds the latest stable version.\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e\u003ca href=\"https://aur.archlinux.org/packages/lldap-bin\"\u003elldap-bin\u003c/a\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003ca href=\"https://github.com/Zepmann\"\u003e@Zepmann\u003c/a\u003e\u003c/td\u003e\n    \u003ctd\u003eUses the latest pre-compiled binaries from the \u003ca href=\"https://github.com/lldap/lldap/releases\"\u003ereleases in this repository\u003c/a\u003e.\u003cbr\u003e\n        This package is recommended if you want to run LLDAP on a system with limited resources.\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e\u003ca 
href=\"https://aur.archlinux.org/packages/lldap-git\"\u003elldap-git\u003c/a\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003c/td\u003e\n    \u003ctd\u003eBuilds the latest main branch code.\u003c/td\u003e\n  \u003c/tr\u003e\n\u003c/table\u003e\nLLDAP configuration file: /etc/lldap.toml\u003cbr\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eDebian\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\n  Unofficial Debian support is offered through the \u003ca href=\"https://build.opensuse.org/\"\u003eopenSUSE Build Service\u003c/a\u003e.\u003cbr\u003e\u003cbr\u003e\n  Maintainer: \u003ca href=\"https://github.com/Masgalor\"\u003e@Masgalor\u003c/a\u003e\u003cbr\u003e\n  Support: \u003ca href=\"https://codeberg.org/Masgalor/LLDAP-Packaging/issues\"\u003eCodeberg\u003c/a\u003e, \u003ca href=\"https://github.com/lldap/lldap/discussions\"\u003eDiscussions\u003c/a\u003e\u003cbr\u003e\n  Package repository: \u003ca href=\"https://software.opensuse.org//download.html?project=home%3AMasgalor%3ALLDAP\u0026package=lldap\"\u003eSUSE openBuildService\u003c/a\u003e\u003cbr\u003e\n\u003ctable\u003e\n  \u003ctr\u003e\n    \u003ctd\u003eAvailable packages:\u003c/td\u003e\n    \u003ctd\u003elldap\u003c/td\u003e\n    \u003ctd\u003eLight LDAP server for authentication.\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e\u003c/td\u003e\n    \u003ctd\u003elldap-extras\u003c/td\u003e\n    \u003ctd\u003eMeta-Package for LLDAP and its tools and extensions.\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e\u003c/td\u003e\n    \u003ctd\u003elldap-migration-tool\u003c/td\u003e\n    \u003ctd\u003eCLI migration tool to go from OpenLDAP to LLDAP.\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e\u003c/td\u003e\n    \u003ctd\u003elldap-set-password\u003c/td\u003e\n    \u003ctd\u003eCLI tool to set a user password in LLDAP.\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    
\u003ctd\u003e\u003c/td\u003e\n    \u003ctd\u003elldap-cli\u003c/td\u003e\n    \u003ctd\u003eLLDAP-CLI is an unofficial command line interface for LLDAP.\u003c/td\u003e\n  \u003c/tr\u003e\n\u003c/table\u003e\nLLDAP configuration file: /etc/lldap/lldap_config.toml\u003cbr\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eCentOS\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\n  Unofficial CentOS support is offered through the \u003ca href=\"https://build.opensuse.org/\"\u003eopenSUSE Build Service\u003c/a\u003e.\u003cbr\u003e\u003cbr\u003e\n  Maintainer: \u003ca href=\"https://github.com/Masgalor\"\u003e@Masgalor\u003c/a\u003e\u003cbr\u003e\n  Support: \u003ca href=\"https://codeberg.org/Masgalor/LLDAP-Packaging/issues\"\u003eCodeberg\u003c/a\u003e, \u003ca href=\"https://github.com/lldap/lldap/discussions\"\u003eDiscussions\u003c/a\u003e\u003cbr\u003e\n  Package repository: \u003ca href=\"https://software.opensuse.org//download.html?project=home%3AMasgalor%3ALLDAP\u0026package=lldap\"\u003eSUSE openBuildService\u003c/a\u003e\u003cbr\u003e\n\u003ctable\u003e\n  \u003ctr\u003e\n    \u003ctd\u003eAvailable packages:\u003c/td\u003e\n    \u003ctd\u003elldap\u003c/td\u003e\n    \u003ctd\u003eLight LDAP server for authentication.\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e\u003c/td\u003e\n    \u003ctd\u003elldap-extras\u003c/td\u003e\n    \u003ctd\u003eMeta-Package for LLDAP and its tools and extensions.\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e\u003c/td\u003e\n    \u003ctd\u003elldap-migration-tool\u003c/td\u003e\n    \u003ctd\u003eCLI migration tool to go from OpenLDAP to LLDAP.\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e\u003c/td\u003e\n    \u003ctd\u003elldap-set-password\u003c/td\u003e\n    \u003ctd\u003eCLI tool to set a user password in LLDAP.\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e\u003c/td\u003e\n    
\u003ctd\u003elldap-cli\u003c/td\u003e\n    \u003ctd\u003eLLDAP-CLI is an unofficial command line interface for LLDAP.\u003c/td\u003e\n  \u003c/tr\u003e\n\u003c/table\u003e\nLLDAP configuration file: /etc/lldap/lldap_config.toml\u003cbr\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eFedora\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\n  Unofficial Fedora support is offered through the \u003ca href=\"https://build.opensuse.org/\"\u003eopenSUSE Build Service\u003c/a\u003e.\u003cbr\u003e\u003cbr\u003e\n  Maintainer: \u003ca href=\"https://github.com/Masgalor\"\u003e@Masgalor\u003c/a\u003e\u003cbr\u003e\n  Support: \u003ca href=\"https://codeberg.org/Masgalor/LLDAP-Packaging/issues\"\u003eCodeberg\u003c/a\u003e, \u003ca href=\"https://github.com/lldap/lldap/discussions\"\u003eDiscussions\u003c/a\u003e\u003cbr\u003e\n  Package repository: \u003ca href=\"https://software.opensuse.org//download.html?project=home%3AMasgalor%3ALLDAP\u0026package=lldap\"\u003eSUSE openBuildService\u003c/a\u003e\u003cbr\u003e\n\u003ctable\u003e\n  \u003ctr\u003e\n    \u003ctd\u003eAvailable packages:\u003c/td\u003e\n    \u003ctd\u003elldap\u003c/td\u003e\n    \u003ctd\u003eLight LDAP server for authentication.\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e\u003c/td\u003e\n    \u003ctd\u003elldap-extras\u003c/td\u003e\n    \u003ctd\u003eMeta-Package for LLDAP and its tools and extensions.\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e\u003c/td\u003e\n    \u003ctd\u003elldap-migration-tool\u003c/td\u003e\n    \u003ctd\u003eCLI migration tool to go from OpenLDAP to LLDAP.\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e\u003c/td\u003e\n    \u003ctd\u003elldap-set-password\u003c/td\u003e\n    \u003ctd\u003eCLI tool to set a user password in LLDAP.\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e\u003c/td\u003e\n    \u003ctd\u003elldap-cli\u003c/td\u003e\n    
\u003ctd\u003eLLDAP-CLI is an unofficial command line interface for LLDAP.\u003c/td\u003e\n  \u003c/tr\u003e\n\u003c/table\u003e\nLLDAP configuration file: /etc/lldap/lldap_config.toml\u003cbr\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eOpenSUSE\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\n  Unofficial OpenSUSE support is offered through the \u003ca href=\"https://build.opensuse.org/\"\u003eopenSUSE Build Service\u003c/a\u003e.\u003cbr\u003e\u003cbr\u003e\n  Maintainer: \u003ca href=\"https://github.com/Masgalor\"\u003e@Masgalor\u003c/a\u003e\u003cbr\u003e\n  Support: \u003ca href=\"https://codeberg.org/Masgalor/LLDAP-Packaging/issues\"\u003eCodeberg\u003c/a\u003e, \u003ca href=\"https://github.com/lldap/lldap/discussions\"\u003eDiscussions\u003c/a\u003e\u003cbr\u003e\n  Package repository: \u003ca href=\"https://software.opensuse.org//download.html?project=home%3AMasgalor%3ALLDAP\u0026package=lldap\"\u003eSUSE openBuildService\u003c/a\u003e\u003cbr\u003e\n\u003ctable\u003e\n  \u003ctr\u003e\n    \u003ctd\u003eAvailable packages:\u003c/td\u003e\n    \u003ctd\u003elldap\u003c/td\u003e\n    \u003ctd\u003eLight LDAP server for authentication.\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e\u003c/td\u003e\n    \u003ctd\u003elldap-extras\u003c/td\u003e\n    \u003ctd\u003eMeta-Package for LLDAP and its tools and extensions.\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e\u003c/td\u003e\n    \u003ctd\u003elldap-migration-tool\u003c/td\u003e\n    \u003ctd\u003eCLI migration tool to go from OpenLDAP to LLDAP.\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e\u003c/td\u003e\n    \u003ctd\u003elldap-set-password\u003c/td\u003e\n    \u003ctd\u003eCLI tool to set a user password in LLDAP.\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e\u003c/td\u003e\n    \u003ctd\u003elldap-cli\u003c/td\u003e\n    \u003ctd\u003eLLDAP-CLI is an unofficial 
command line interface for LLDAP.\u003c/td\u003e\n  \u003c/tr\u003e\n\u003c/table\u003e\nLLDAP configuration file: /etc/lldap/lldap_config.toml\u003cbr\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eUbuntu\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\n  Unofficial Ubuntu support is offered through the \u003ca href=\"https://build.opensuse.org/\"\u003eopenSUSE Build Service\u003c/a\u003e.\u003cbr\u003e\u003cbr\u003e\n  Maintainer: \u003ca href=\"https://github.com/Masgalor\"\u003e@Masgalor\u003c/a\u003e\u003cbr\u003e\n  Support: \u003ca href=\"https://codeberg.org/Masgalor/LLDAP-Packaging/issues\"\u003eCodeberg\u003c/a\u003e, \u003ca href=\"https://github.com/lldap/lldap/discussions\"\u003eDiscussions\u003c/a\u003e\u003cbr\u003e\n  Package repository: \u003ca href=\"https://software.opensuse.org//download.html?project=home%3AMasgalor%3ALLDAP\u0026package=lldap\"\u003eSUSE openBuildService\u003c/a\u003e\u003cbr\u003e\n\u003ctable\u003e\n  \u003ctr\u003e\n    \u003ctd\u003eAvailable packages:\u003c/td\u003e\n    \u003ctd\u003elldap\u003c/td\u003e\n    \u003ctd\u003eLight LDAP server for authentication.\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e\u003c/td\u003e\n    \u003ctd\u003elldap-extras\u003c/td\u003e\n    \u003ctd\u003eMeta-Package for LLDAP and its tools and extensions.\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e\u003c/td\u003e\n    \u003ctd\u003elldap-migration-tool\u003c/td\u003e\n    \u003ctd\u003eCLI migration tool to go from OpenLDAP to LLDAP.\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e\u003c/td\u003e\n    \u003ctd\u003elldap-set-password\u003c/td\u003e\n    \u003ctd\u003eCLI tool to set a user password in LLDAP.\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003e\u003c/td\u003e\n    \u003ctd\u003elldap-cli\u003c/td\u003e\n    \u003ctd\u003eLLDAP-CLI is an unofficial command line interface for 
LLDAP.\u003c/td\u003e\n  \u003c/tr\u003e\n\u003c/table\u003e\nLLDAP configuration file: /etc/lldap/lldap_config.toml\u003cbr\u003e\n\u003c/details\u003e\n\n### With FreeBSD\n\nYou can also install it as a rc.d service in FreeBSD, see\n[FreeBSD-install.md](example_configs/freebsd/freebsd-install.md).\n\nThe rc.d script file\n[rc.d_lldap](example_configs/freebsd/rc.d_lldap).\n\n### From source\n\n#### Backend\n\nTo compile the project, you'll need:\n\n- curl and gzip: `sudo apt install curl gzip`\n- Rust/Cargo: [rustup.rs](https://rustup.rs/)\n\nThen you can compile the server (and the migration tool if you want):\n\n```shell\ncargo build --release -p lldap -p lldap_migration_tool\n```\n\nThe resulting binaries will be in `./target/release/`. Alternatively, you can\njust run `cargo run -- run` to run the server.\n\n#### Frontend\n\nTo bring up the server, you'll need to compile the frontend. In addition to\n`cargo`, you'll need WASM-pack, which can be installed by running `cargo install wasm-pack`.\n\nThen you can build the frontend files with\n\n```shell\n./app/build.sh\n```\n\n(you'll need to run this after every front-end change to update the WASM\npackage served).\n\nThe default config is in `src/infra/configuration.rs`, but you can override it\nby creating an `lldap_config.toml`, setting environment variables or passing\narguments to `cargo run`. 
Have a look at the docker template:\n`lldap_config.docker_template.toml`.\n\nYou can also install it as a systemd service, see\n[lldap.service](example_configs/lldap.service).\n\n### Cross-compilation\n\nDocker images are provided for AMD64, ARM64 and ARM/V7.\n\nIf you want to cross-compile yourself, you can do so by installing\n[`cross`](https://github.com/rust-embedded/cross):\n\n```sh\ncargo install cross\ncross build --target=armv7-unknown-linux-musleabihf -p lldap --release\n./app/build.sh\n```\n\n(Replace `armv7-unknown-linux-musleabihf` with the correct Rust target for your\ndevice.)\n\nYou can then get the compiled server binary in\n`target/armv7-unknown-linux-musleabihf/release/lldap` and the various needed files\n(`index.html`, `main.js`, `pkg` folder) in the `app` folder. Copy them to the\nRaspberry Pi (or other target), with the folder structure maintained (`app`\nfiles in an `app` folder next to the binary).\n\n## Usage\n\nThe simplest way to use LLDAP is through the web front-end. There you can\ncreate users, set passwords, add them to groups and so on. Users can also\nconnect to the web UI and change their information, or request a password reset\nlink (if you configured the SMTP client).\n\nYou can create and manage custom attributes through the Web UI, or through the\ncommunity-contributed CLI frontend (\n[Zepmann/lldap-cli](https://github.com/Zepmann/lldap-cli)). This is necessary\nfor some service integrations.\n\nThe [bootstrap.sh](scripts/bootstrap.sh) script can enforce a list of\nusers/groups/attributes from a given file, reflecting it on the server.\n\nTo manage the user, group and membership lifecycle in an infrastructure-as-code\nscenario you can use the unofficial [LLDAP terraform provider in the terraform registry](https://registry.terraform.io/providers/tasansga/lldap/latest).\n\nLLDAP is also very scriptable, through its GraphQL API. 
See the\n[Scripting](docs/scripting.md) docs for more info.\n\n### Recommended architecture\n\nIf you are using containers, a sample architecture could look like this:\n\n- A reverse proxy (e.g. nginx or Traefik)\n- An authentication service (e.g. Authelia, Authentik or KeyCloak) connected to\n  LLDAP to provide authentication for non-authenticated services, or to provide\n  SSO with compatible ones.\n- The LLDAP service, with the web port exposed to Traefik.\n  - The LDAP port doesn't need to be exposed, since only the other containers\n    will access it.\n  - You can also set up LDAPS if you want to expose the LDAP port to the\n    internet (not recommended) or for an extra layer of security in the\n    inter-container communication (though it's very much optional).\n  - The default LLDAP container starts up as root to fix up some files'\n    permissions before downgrading the privilege to the given user. However,\n    you can (should?) use the `*-rootless` version of the images to be able to\n    start directly as that user, once you got the permissions right. Just don't\n    forget to change from the `UID/GID` env vars to the `uid` docker-compose\n    field.\n- Any other service that needs to connect to LLDAP for authentication (e.g.\n  NextCloud) can be added to a shared network with LLDAP. The finest\n  granularity is a network for each pair of LLDAP-service, but there are often\n  coarser granularities that make sense (e.g. a network for the \\*arr stack and\n  LLDAP).\n\n## Client configuration\n\n### Compatible services\n\nMost services that can use LDAP as an authentication provider should work out\nof the box. For new services, it's possible that they require a bit of tweaking\non LLDAP's side to make things work. 
In that case, just create an issue with\nthe relevant details (logs of the service, LLDAP logs with `verbose=true` in\nthe config).\n\n### General configuration guide\n\nTo configure the services that will talk to LLDAP, here are the values:\n\n- The LDAP user DN is from the configuration. By default,\n  `cn=admin,ou=people,dc=example,dc=com`.\n- The LDAP password is from the configuration (same as to log in to the web\n  UI).\n- The users are all located in `ou=people,` + the base DN, so by default user\n  `bob` is at `cn=bob,ou=people,dc=example,dc=com`.\n- Similarly, the groups are located in `ou=groups`, so the group `family`\n  will be at `cn=family,ou=groups,dc=example,dc=com`.\n\nTesting group membership through `memberOf` is supported, so you can have a\nfilter like: `(memberOf=cn=admins,ou=groups,dc=example,dc=com)`.\n\nThe administrator group for LLDAP is `lldap_admin`: anyone in this group has\nadmin rights in the Web UI. Most LDAP integrations should instead use a user in\nthe `lldap_strict_readonly` or `lldap_password_manager` group, to avoid granting full\nadministration access to many services. To prevent privilege escalation users in the\n`lldap_password_manager` group are not allowed to change passwords of admins in the\n`lldap_admin` group.\n\n### Integration with OS's\n\nIntegration with Linux accounts is possible, through PAM and nslcd. See [PAM\nconfiguration guide](example_configs/pam/README.md).\n\nIntegration with Windows (e.g. Samba) is WIP.\n\n### Sample client configurations\n\nSome specific clients have been tested to work and come with sample\nconfiguration files, or guides. 
See the [`example_configs`](example_configs)\nfolder for help with:\n\n- [Airsonic Advanced](example_configs/airsonic-advanced.md)\n- [Apache Guacamole](example_configs/apacheguacamole.md)\n- [Apereo CAS Server](example_configs/apereo_cas_server.md)\n- [Authelia](example_configs/authelia_config.yml)\n- [Authentik](example_configs/authentik.md)\n- [Bookstack](example_configs/bookstack.env.example)\n- [Calibre-Web](example_configs/calibre_web.md)\n- [Carpal](example_configs/carpal.md)\n- [Dell iDRAC](example_configs/dell_idrac.md)\n- [Dex](example_configs/dex_config.yml)\n- [Dokuwiki](example_configs/dokuwiki.md)\n- [Dolibarr](example_configs/dolibarr.md)\n- [Duo Auth Proxy](example_configs/duo_auth_proxy.md)\n- [Ejabberd](example_configs/ejabberd.md)\n- [Emby](example_configs/emby.md)\n- [Ergo IRCd](example_configs/ergo.md)\n- [Gitea](example_configs/gitea.md)\n- [GitLab](example_configs/gitlab.md)\n- [Grafana](example_configs/grafana_ldap_config.toml)\n- [Grocy](example_configs/grocy.md)\n- [Harbor](example_configs/harbor.md)\n- [HashiCorp Vault](example_configs/hashicorp-vault.md)\n- [Hedgedoc](example_configs/hedgedoc.md)\n- [Home Assistant](example_configs/home-assistant.md)\n- [Jellyfin](example_configs/jellyfin.md)\n- [Jenkins](example_configs/jenkins.md)\n- [Jitsi Meet](example_configs/jitsi_meet.conf)\n- [Kasm](example_configs/kasm.md)\n- [KeyCloak](example_configs/keycloak.md)\n- [Kimai](example_configs/kimai.yaml)\n- [LibreNMS](example_configs/librenms.md)\n- [Maddy](example_configs/maddy.md)\n- [Mastodon](example_configs/mastodon.env.example)\n- [Matrix](example_configs/matrix_synapse.yml)\n- [Mealie](example_configs/mealie.md)\n- [Metabase](example_configs/metabase.md)\n- [MegaRAC-BMC](example_configs/MegaRAC-SP-X-BMC.md)\n- [MinIO](example_configs/minio.md)\n- [Netbox](example_configs/netbox.md)\n- [Nextcloud](example_configs/nextcloud.md)\n- [Nexus](example_configs/nexus.md)\n- [OCIS (OwnCloud Infinite Scale)](example_configs/ocis.md)\n- 
[OneDev](example_configs/onedev.md)\n- [Organizr](example_configs/Organizr.md)\n- [Penpot](example_configs/penpot.md)\n- [pgAdmin](example_configs/pgadmin.md)\n- [Portainer](example_configs/portainer.md)\n- [PowerDNS Admin](example_configs/powerdns_admin.md)\n- [Prosody](example_configs/prosody.md)\n- [Proxmox VE](example_configs/proxmox.md)\n- [Quay](example_configs/quay.md)\n- [Radicale](example_configs/radicale.md)\n- [Rancher](example_configs/rancher.md)\n- [Seafile](example_configs/seafile.md)\n- [Shaarli](example_configs/shaarli.md)\n- [SonarQube](example_configs/sonarqube.md)\n- [Squid](example_configs/squid.md)\n- [Stalwart](example_configs/stalwart.md)\n- [Syncthing](example_configs/syncthing.md)\n- [TheLounge](example_configs/thelounge.md)\n- [Traccar](example_configs/traccar.xml)\n- [Vaultwarden](example_configs/vaultwarden.md)\n- [WeKan](example_configs/wekan.md)\n- [WG Portal](example_configs/wg_portal.env.example)\n- [WikiJS](example_configs/wikijs.md)\n- [XBackBone](example_configs/xbackbone_config.php)\n- [Zendto](example_configs/zendto.md)\n- [Zitadel](example_configs/zitadel.md)\n- [Zulip](example_configs/zulip.md)\n\n### Incompatible services\n\nThough we try to be maximally compatible, not every feature is supported; LLDAP\nis not a fully-featured LDAP server, intentionally so.\n\nLDAP browsing tools are generally not supported, though they could be. If you\nneed to use one but it behaves weirdly, please file a bug.\n\nSome services use features that are not implemented, or require specific\nattributes. You can try to create those attributes (see custom attributes in\nthe [Usage](#usage) section).\n\nFinally, some services require password hashes so they can validate themselves\nthe user's password without contacting LLDAP. This is not and will not be\nsupported, it's incompatible with our password hashing scheme (a zero-knowledge\nproof). 
Furthermore, it's generally not recommended in terms of security, since\nit duplicates the places from which a password hash could leak.\n\nIn that category, the most prominent is Synology. It is, to date, the only\nservice that seems definitely incompatible with LLDAP.\n\n## Migrating from SQLite\n\nIf you started with an SQLite database and would like to migrate to\nMySQL/MariaDB or PostgreSQL, check out the [DB\nmigration docs](/docs/database_migration.md).\n\n## Comparisons with other services\n\n### vs OpenLDAP\n\n[OpenLDAP](https://www.openldap.org) is a monster of a service that implements\nall of LDAP and all of its extensions, plus some of its own. That said, if you\nneed all that flexibility, it might be what you need! Note that installation\ncan be a bit painful (figuring out how to use `slapd`) and people have mixed\nexperiences following tutorials online. If you don't configure it properly, you\nmight end up storing passwords in clear, so a breach of your server would\nreveal all the stored passwords!\n\nOpenLDAP doesn't come with a UI: if you want a web interface, you'll have to\ninstall one (not that many look nice) and configure it.\n\nLLDAP is much simpler to set up, has a much smaller image (10x smaller, 20x if\nyou add PhpLdapAdmin), and comes packed with its own purpose-built web UI.\nHowever, it's not as flexible as OpenLDAP.\n\n### vs FreeIPA\n\n[FreeIPA](http://www.freeipa.org) is the one-stop shop for identity management:\nLDAP, Kerberos, NTP, DNS, Samba, you name it, it has it. In addition to user\nmanagement, it also does security policies, single sign-on, certificate\nmanagement, Linux account management and so on.\n\nIf you need all of that, go for it! Keep in mind that a more complex system is\nmore complex to maintain, though.\n\nLLDAP is much lighter to run (\u003c10 MB RAM including the DB), easier to\nconfigure (no messing around with DNS or security policies) and simpler to\nuse. 
It also comes conveniently packed in a docker container.\n\n### vs Kanidm\n\n[Kanidm](https://kanidm.com) is an up-and-coming Rust identity management\nplatform, covering all your bases: OAuth, Linux accounts, SSH keys, Radius,\nWebAuthn. It comes with a (read-only) LDAPS server.\n\nIt's fairly easy to install and does much more; but their LDAP server is\nread-only, and by having more moving parts it is inherently more complex. If\nyou don't need to modify the users through LDAP and you're planning on\ninstalling something like [KeyCloak](https://www.keycloak.org) to provide\nmodern identity protocols, check out Kanidm.\n\n## I can't log in!\n\nIf you just set up the server, can get to the login page but the password you\nset isn't working, try the following:\n\n- If you have changed the admin password in the config after the first run, it\n  won't be used (unless you force its use with `force_ldap_user_pass_reset`).\n  The config password is only for the initial admin creation.\n- (For docker): Make sure that the `/data` folder is persistent, either to a\n  docker volume or mounted from the host filesystem.\n- Check if there is a `lldap_config.toml` file (either in `/data` for docker\n  or in the current directory). If there isn't, copy\n  `lldap_config.docker_template.toml` there, and fill in the various values\n  (passwords, secrets, ...).\n- Check if there is a `users.db` file (either in `/data` for docker or where\n  you specified the DB URL, which defaults to the current directory). If\n  there isn't, check that the user running the command (user with ID 10001\n  for docker) has the rights to write to the `/data` folder. 
If in doubt, you\n  can `chmod 777 /data` (or whatever the folder) to make it world-writeable.\n- Make sure you restart the server.\n- If it's still not working, join the\n  [Discord server](https://discord.gg/h5PEdRMNyP) to ask for help.\n\n## Discord Integration\n[Use this bot](https://github.com/JaidenW/LLDAP-Discord) to automate Discord role synchronization for paid memberships.\n- Allows users with the Subscriber role to self-serve create an LLDAP account based on their Discord username, using the `/register` command.\n\n## Contributions\n\nContributions are welcome! Just fork and open a PR. Or just file a bug.\n\nWe don't have a code of conduct, just be respectful and remember that it's just\nnormal people doing this for free in their free time.\n\nMake sure that you run `cargo fmt` from the root before creating the PR. And if\nyou change the GraphQL interface, you'll need to regenerate the schema by\nrunning `./export_schema.sh`.\n\nJoin our [Discord server](https://discord.gg/h5PEdRMNyP) if you have any\nquestions!\n","funding_links":["https://github.com/sponsors/lldap","https://bmc.link/nitnelave","https://www.buymeacoffee.com/nitnelave"],"categories":["Software","Rust","Applications","security","OpenLDAP"],"sub_categories":["Identity Management - LDAP","Productivity"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flldap%2Flldap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flldap%2Flldap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flldap%2Flldap/lists"}