LDAP made easy.
- [About](#about) - [Installation](#installation) - [With Docker](#with-docker) - [With Kubernetes](#with-kubernetes) - [From a package repository](#from-a-package-repository) - [With FreeBSD](#with-freebsd) - [From source](#from-source) - [Backend](#backend) - [Frontend](#frontend) - [Cross-compilation](#cross-compilation) - [Usage](#usage) - [Recommended architecture](#recommended-architecture) - [Client configuration](#client-configuration) - [Compatible services](#compatible-services) - [General configuration guide](#general-configuration-guide) - [Integration with OS's](#integration-with-oss) - [Sample client configurations](#sample-client-configurations) - [Incompatible services](#incompatible-services) - [Migrating from SQLite](#migrating-from-sqlite) - [Comparisons with other services](#comparisons-with-other-services) - [vs OpenLDAP](#vs-openldap) - [vs FreeIPA](#vs-freeipa) - [vs Kanidm](#vs-kanidm) - [I can't log in!](#i-cant-log-in) - [Contributions](#contributions) ## About This project is a lightweight authentication server that provides an opinionated, simplified LDAP interface for authentication. It integrates with many backends, from KeyCloak to Authelia to Nextcloud and [more](#compatible-services)! It comes with a frontend that makes user management easy, and allows users to edit their own details or reset their password by email. The goal is _not_ to provide a full LDAP server; if you're interested in that, check out OpenLDAP. This server is a user management system that is: - simple to setup (no messing around with `slapd`), - simple to manage (friendly web UI), - low resources, - opinionated with basic defaults so you don't have to understand the subtleties of LDAP. It mostly targets self-hosting servers, with open-source components like Nextcloud, Airsonic and so on that only support LDAP as a source of external authentication. For more features (OAuth/OpenID support, reverse proxy, ...) you can install other components (KeyCloak, Authelia, ...) using this server as the source of truth for users, via LDAP. By default, the data is stored in SQLite, but you can swap the backend with MySQL/MariaDB or PostgreSQL. ## Installation ### With Docker The image is available at `lldap/lldap`. You should persist the `/data` folder, which contains your configuration and the SQLite database (you can remove this step if you use a different DB and configure with environment variables only). Configure the server by copying the `lldap_config.docker_template.toml` to `/data/lldap_config.toml` and updating the configuration values (especially the `jwt_secret` and `ldap_user_pass`, unless you override them with env variables). Environment variables should be prefixed with `LLDAP_` to override the configuration. If the `lldap_config.toml` doesn't exist when starting up, LLDAP will use default one. The default admin password is `password`, you can change the password later using the web interface. Secrets can also be set through a file. The filename should be specified by the variables `LLDAP_JWT_SECRET_FILE` or `LLDAP_KEY_SEED_FILE`, and the file contents are loaded into the respective configuration parameters. Note that `_FILE` variables take precedence. Example for docker compose: - You can use either the `:latest` tag image or `:stable` as used in this example. - `:latest` tag image contains recently pushed code or feature tests, in which some instability can be expected. - If `UID` and `GID` no defined LLDAP will use default `UID` and `GID` number `1000`. - If no `TZ` is set, default `UTC` timezone will be used. - You can generate the secrets by running `./generate_secrets.sh` ```yaml version: "3" volumes: lldap_data: driver: local services: lldap: image: lldap/lldap:stable ports: # For LDAP, not recommended to expose, see Usage section. #- "3890:3890" # For LDAPS (LDAP Over SSL), enable port if LLDAP_LDAPS_OPTIONS__ENABLED set true, look env below #- "6360:6360" # For the web front-end - "17170:17170" volumes: - "lldap_data:/data" # Alternatively, you can mount a local folder # - "./lldap_data:/data" environment: - UID=#### - GID=#### - TZ=####/#### - LLDAP_JWT_SECRET=REPLACE_WITH_RANDOM - LLDAP_KEY_SEED=REPLACE_WITH_RANDOM - LLDAP_LDAP_BASE_DN=dc=example,dc=com # If using LDAPS, set enabled true and configure cert and key path # - LLDAP_LDAPS_OPTIONS__ENABLED=true # - LLDAP_LDAPS_OPTIONS__CERT_FILE=/path/to/certfile.crt # - LLDAP_LDAPS_OPTIONS__KEY_FILE=/path/to/keyfile.key # You can also set a different database: # - LLDAP_DATABASE_URL=mysql://mysql-user:password@mysql-server/my-database # - LLDAP_DATABASE_URL=postgres://postgres-user:password@postgres-server/my-database ``` Then the service will listen on two ports, one for LDAP and one for the web front-end. ### With Kubernetes See https://github.com/Evantage-WS/lldap-kubernetes for a LLDAP deployment for Kubernetes You can bootstrap your lldap instance (users, groups) using [bootstrap.sh](example_configs/bootstrap/bootstrap.md#kubernetes-job). It can be run by Argo CD for managing users in git-opt way, or as a one-shot job. ### From a package repository **Do not open issues in this repository for problems with third-party pre-built packages. Report issues downstream.** Depending on the distribution you use, it might be possible to install lldap from a package repository, officially supported by the distribution or community contributed. Each package offers a [systemd service](https://wiki.archlinux.org/title/systemd#Using_units) `lldap.service` to (auto-)start and stop lldap.Available packages: | lldap | Builds the latest stable version. |
lldap-bin | Uses the latest pre-compiled binaries from the releases in this repository. This package is recommended if you want to run lldap on a system with limited resources. |
|
lldap-git | Builds the latest main branch code. |
Available packages: | lldap | Light LDAP server for authentication. |
lldap-extras | Meta-Package for LLDAP and its tools and extensions. | |
lldap-migration-tool | CLI migration tool to go from OpenLDAP to LLDAP. | |
lldap-set-password | CLI tool to set a user password in LLDAP. | |
lldap-cli | LLDAP-CLI is an unofficial command line interface for LLDAP. |
Available packages: | lldap | Light LDAP server for authentication. |
lldap-extras | Meta-Package for LLDAP and its tools and extensions. | |
lldap-migration-tool | CLI migration tool to go from OpenLDAP to LLDAP. | |
lldap-set-password | CLI tool to set a user password in LLDAP. | |
lldap-cli | LLDAP-CLI is an unofficial command line interface for LLDAP. |
Available packages: | lldap | Light LDAP server for authentication. |
lldap-extras | Meta-Package for LLDAP and its tools and extensions. | |
lldap-migration-tool | CLI migration tool to go from OpenLDAP to LLDAP. | |
lldap-set-password | CLI tool to set a user password in LLDAP. | |
lldap-cli | LLDAP-CLI is an unofficial command line interface for LLDAP. |
Available packages: | lldap | Light LDAP server for authentication. |
lldap-extras | Meta-Package for LLDAP and its tools and extensions. | |
lldap-migration-tool | CLI migration tool to go from OpenLDAP to LLDAP. | |
lldap-set-password | CLI tool to set a user password in LLDAP. | |
lldap-cli | LLDAP-CLI is an unofficial command line interface for LLDAP. |
Available packages: | lldap | Light LDAP server for authentication. |
lldap-extras | Meta-Package for LLDAP and its tools and extensions. | |
lldap-migration-tool | CLI migration tool to go from OpenLDAP to LLDAP. | |
lldap-set-password | CLI tool to set a user password in LLDAP. | |
lldap-cli | LLDAP-CLI is an unofficial command line interface for LLDAP. |