lldap

This project is a lightweight authentication server that provides an opinionated, simplified LDAP interface for authentication.

Port: 17170
Registry: ghcr.io/daemonless/lldap
Daemonless: daemonless/lldap
Source: lldap/lldap
Website: github.com/lldap/lldap

Version Tags

Tag | Description | Best For
pkg | Upstream binary. Built from the official release. | Most users. Matches Linux Docker behavior.
latest / pkg-latest | FreeBSD latest. Rolling package updates. | Newest FreeBSD packages.

Podman on FreeBSD currently requires root. All commands must be run as root (or via doas/sudo).

Before deploying, ensure your host environment is ready. See the Quick Start Guide for host setup instructions.

Deployment

# podman-compose
services:
  lldap:
    image: ghcr.io/daemonless/lldap:latest
    container_name: lldap
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=UTC
      # Admin credentials, read on the first startup only (see "First time setup").
      # Do not quote values in list form: compose would pass the quotes literally.
      - LLDAP_LDAP_USER_PASS=very_secure_password
      - LLDAP_LDAP_USER_EMAIL=admin@example.com
      # Crypto and SMTP secrets are read from files (see "Persistent secret values").
      - LLDAP_JWT_SECRET_FILE=/var/run/secrets/lldap_jwt_secret
      - LLDAP_KEY_SEED_FILE=/var/run/secrets/lldap_key_seed
      - LLDAP_SMTP_OPTIONS__PASSWORD_FILE=/var/run/secrets/lldap_smtp_password
    volumes:
      - "/path/to/containers/lldap:/config"
    ports:
      - 17170:17170
      - 3890:3890
    restart: unless-stopped

# podman run
podman run -d --name lldap \
  -p 17170:17170 \
  -p 3890:3890 \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=UTC \
  -e LLDAP_LDAP_USER_PASS=very_secure_password \
  -e LLDAP_LDAP_USER_EMAIL=admin@example.com \
  -e LLDAP_JWT_SECRET_FILE=/var/run/secrets/lldap_jwt_secret \
  -e LLDAP_KEY_SEED_FILE=/var/run/secrets/lldap_key_seed \
  -e LLDAP_SMTP_OPTIONS__PASSWORD_FILE=/var/run/secrets/lldap_smtp_password \
  -v /path/to/containers/lldap:/config \
  ghcr.io/daemonless/lldap:latest

# Ansible (containers.podman collection)
- name: Deploy lldap
  containers.podman.podman_container:
    name: lldap
    image: ghcr.io/daemonless/lldap:latest
    state: started
    restart_policy: always
    env:
      PUID: "1000"
      PGID: "1000"
      TZ: "UTC"
      LLDAP_LDAP_USER_PASS: "very_secure_password"
      LLDAP_LDAP_USER_EMAIL: "admin@example.com"
      LLDAP_JWT_SECRET_FILE: "/var/run/secrets/lldap_jwt_secret"
      LLDAP_KEY_SEED_FILE: "/var/run/secrets/lldap_key_seed"
      LLDAP_SMTP_OPTIONS__PASSWORD_FILE: "/var/run/secrets/lldap_smtp_password"
    ports:
      - "17170:17170"
      - "3890:3890"
    volumes:
      - "/path/to/containers/lldap:/config"

Parameters

Environment Variables

Variable | Default | Description
PUID | 1000 | User ID for the application process
PGID | 1000 | Group ID for the application process
TZ | UTC | Timezone for the container
LLDAP_LDAP_USER_PASS | path/to/secret | Admin user password, applied on the first startup only
LLDAP_LDAP_USER_EMAIL | path/to/secret | Admin user email address, applied on the first startup only
LLDAP_JWT_SECRET_FILE | path/to/secret | File inside the container holding the JWT secret
LLDAP_KEY_SEED_FILE | path/to/secret | File inside the container holding the key seed
LLDAP_SMTP_OPTIONS__PASSWORD_FILE | path/to/secret | File inside the container holding the SMTP password

Volumes

Path | Description
/config | Configuration directory

Ports

Port | Protocol | Description
17170 | TCP | Web UI
3890 | TCP | LDAP

First time setup

To configure the admin user's password and email address during the first startup, define two additional environment variables in your container file (the key is environment, not env, in a compose file; leave the values unquoted or the quotes become part of the value):

services:
  lldap:
    environment:
      - LLDAP_LDAP_USER_EMAIL=admin@example.com
      - LLDAP_LDAP_USER_PASS=very_secure_password

Persistent secret values

To set the crypto secrets persistently and securely, provide them to the container as secrets.
Define the secrets at the top level of your container file.

Define the secrets

You can either use podman managed secrets like this (assuming you created secrets in podman with the names lldap_jwt_secret, lldap_key_seed and lldap_smtp_password):

secrets:
  lldap_jwt_secret:
    external: true
  lldap_key_seed:
    external: true
  lldap_smtp_password:
    external: true

Or just write the secrets to files next to your container file and define them like shown below.
The files should be owned by $PUID:$PGID and have the appropriate permissions (like 0400).

secrets:
  lldap_jwt_secret:
    file: ./secrets/lldap_jwt_secret
  lldap_key_seed:
    file: ./secrets/lldap_key_seed
  lldap_smtp_password:
    file: ./secrets/lldap_smtp_password
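As an added example (not part of the daemonless/lldap project), a small POSIX shell helper that writes the three secret files above with mode 0400 and PUID:PGID ownership from the moment they are created, and a check to run before deploying. SECRETS_DIR, PUID and PGID are assumed defaults, and the SMTP password in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of the daemonless/lldap project. SECRETS_DIR, PUID and
# PGID are assumed defaults; on the host they must match the container's PUID/PGID.
SECRETS_DIR="${SECRETS_DIR:-./secrets}"
PUID="${PUID:-1000}"
PGID="${PGID:-1000}"

# Print N random bytes from /dev/urandom as lowercase hex (BSD and GNU od agree here).
random_hex() {
  od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n'
}

# Write one secret file. umask 077 means the file is never group/world readable,
# not even between creation and chmod. chown needs root (or the file's owner).
write_secret() {
  mkdir -p "$SECRETS_DIR"
  ( umask 077; printf '%s' "$2" > "$SECRETS_DIR/$1" )
  chmod 0400 "$SECRETS_DIR/$1"
  chown "$PUID:$PGID" "$SECRETS_DIR/$1"
}

# Return 0 when the file exists, is exactly mode 0400 and is owned by PUID:PGID.
# Parses `ls -ln` rather than stat(1), whose flags differ between FreeBSD and GNU.
check_secret() {
  f="$SECRETS_DIR/$1"
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  set -- $(ls -ln "$f")          # mode links uid gid size ...
  case "$1" in
    -r--------*) ;;              # 0400; a trailing '+' or '.' (ACL/SELinux) is tolerated
    *) echo "$f: mode $1, want -r-------- (0400)" >&2; return 1 ;;
  esac
  [ "$3:$4" = "$PUID:$PGID" ] || { echo "$f: owner $3:$4, want $PUID:$PGID" >&2; return 1; }
}

# Check every secret the compose snippet references; stop at the first bad one.
check_all_secrets() {
  for s in lldap_jwt_secret lldap_key_seed lldap_smtp_password; do
    check_secret "$s" || return 1
  done
}

# Usage, run as root so chown to PUID:PGID succeeds. The SMTP password is whatever
# your mail provider issued; the value below is a constructed placeholder.
#   write_secret lldap_jwt_secret "$(random_hex 32)"
#   write_secret lldap_key_seed "$(random_hex 32)"
#   write_secret lldap_smtp_password 'smtp-password-placeholder'
#   check_all_secrets && echo "secrets OK"
```

Run the check again after any edit to the secrets directory, since a stray chmod or a copy made by a different user silently breaks the 0400 / PUID:PGID assumption the compose snippets rely on.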

Use the secrets in your service

If you use podman managed secrets, you need to make sure

services:
  lldap:
    secrets:
      - source: lldap_jwt_secret
        uid: "1000"
        gid: "1000"
        mode: "0400"
      - source: lldap_key_seed
        uid: "1000"
        gid: "1000"
        mode: "0400"
      - source: lldap_smtp_password
        uid: "1000"
        gid: "1000"
        mode: "0400"

If you provide the secrets directly from files using the second method from above and have set the owner and permissions appropriately, then you can simply do:

services:
  lldap:
    secrets:
      - lldap_jwt_secret
      - lldap_key_seed
      - lldap_smtp_password

Configure lldap to use your secrets

To configure lldap to use the secrets you can define a few environment variables:

services:
  lldap:
    environment:
      - LLDAP_JWT_SECRET_FILE=/var/run/secrets/lldap_jwt_secret
      - LLDAP_KEY_SEED_FILE=/var/run/secrets/lldap_key_seed
      - LLDAP_SMTP_OPTIONS__PASSWORD_FILE=/var/run/secrets/lldap_smtp_password

Implementation Details

  • Architectures: amd64
  • User: bsd (UID/GID set via PUID/PGID). Defaults to 1000:1000.
  • Base: Built on ghcr.io/daemonless/base (FreeBSD 15.0).

Need help? Join our Discord community.