Skip to content

lldap lldap lldap

Description / nameInput element
Container Registry
Container Configuration Root Path
Timezone
User ID
Group ID
lldap Host Port
lldap /config Path

Build Status Last Commit

This project is a lightweight authentication server that provides an opinionated, simplified LDAP interface for authentication.
Port 17170
Registry ghcr.io/daemonless/lldap
Daemonless daemonless/lldap
Source lldap/lldap
Website github.com/lldap/lldap

Version Tags

Tag Description Best For
pkg Upstream Binary. Built from official release. Most users. Matches Linux Docker behavior.
latest / pkg-latest FreeBSD Latest. Rolling package updates. Newest FreeBSD packages.

Root Privileges Required

Podman on FreeBSD currently requires root. All commands must be run as root (or via doas/sudo).

Before deploying, ensure your host environment is ready. See the Quick Start Guide for host setup instructions.

Deployment

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
services:
  lldap:
    image: "ghcr.io/daemonless/lldap:latest"
    container_name: lldap
    environment:
      - PUID=1000  # User ID for the application process
      - PGID=1000  # Group ID for the application process
      - TZ=UTC  # Timezone for the container
      - LLDAP_LDAP_USER_PASS="path/to/secret"
      - LLDAP_LDAP_USER_EMAIL="path/to/secret"
      - LLDAP_JWT_SECRET_FILE="path/to/secret"
      - LLDAP_KEY_SEED_FILE="path/to/secret"
      - LLDAP_SMTP_OPTIONS__PASSWORD_FILE="path/to/secret"
    volumes:
      - "/path/to/containers/lldap:/config"
    ports:
      - "17170:17170"
      - "3890:3890"
    restart: unless-stopped

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
podman run -d --name lldap \
  -p 17170:17170 \
  -p 3890:3890 \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=UTC \
  -e LLDAP_LDAP_USER_PASS="path/to/secret" \
  -e LLDAP_LDAP_USER_EMAIL="path/to/secret" \
  -e LLDAP_JWT_SECRET_FILE="path/to/secret" \
  -e LLDAP_KEY_SEED_FILE="path/to/secret" \
  -e LLDAP_SMTP_OPTIONS__PASSWORD_FILE="path/to/secret" \
  -v /path/to/containers/lldap:/config \
  ghcr.io/daemonless/lldap:latest

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
- name: Deploy lldap
  containers.podman.podman_container:
    name: lldap
    image: "ghcr.io/daemonless/lldap:latest"
    state: started
    restart_policy: always
    env:
      PUID: "1000"
      PGID: "1000"
      TZ: "UTC"
      LLDAP_LDAP_USER_PASS: ""path/to/secret""
      LLDAP_LDAP_USER_EMAIL: ""path/to/secret""
      LLDAP_JWT_SECRET_FILE: ""path/to/secret""
      LLDAP_KEY_SEED_FILE: ""path/to/secret""
      LLDAP_SMTP_OPTIONS__PASSWORD_FILE: ""path/to/secret""
    ports:
      - "17170:17170"
      - "3890:3890"
    volumes:
      - "/path/to/containers/lldap:/config"

Access at: http://localhost:17170

Interactive Configuration

Parameters

Environment Variables

Variable Default Description
PUID 1000 User ID for the application process
PGID 1000 Group ID for the application process
TZ UTC Timezone for the container
LLDAP_LDAP_USER_PASS "path/to/secret"
LLDAP_LDAP_USER_EMAIL "path/to/secret"
LLDAP_JWT_SECRET_FILE "path/to/secret"
LLDAP_KEY_SEED_FILE "path/to/secret"
LLDAP_SMTP_OPTIONS__PASSWORD_FILE "path/to/secret"

Volumes

Path Description
/config Configuration directory

Ports

Port Protocol Description
17170 TCP Web UI
3890 TCP LDAP

First time setup

To configure the admin user with password and email address during the first startup, you can define some additional environment variables in your container file: 

1
2
3
4
5
services:
  lldap:
    env:
      - LLDAP_LDAP_USER_EMAIL="admin@example.com"
      - LLDAP_LDAP_USER_PASS="very_secure_password"

Persistent secret values

To set crypto secrets persistently and securely it is best to provide them as secrets to the container.
Define the at the top level of your container file.

Define the secrets

You can either use podman managed secrets like this (assuming your created secrets in podman with the names lldap_jwt_secret, lldap_key_seed and lldap_smtp_password): 

1
2
3
4
5
6
7
secrets:
  lldap_jwt_secret:
    external: true
  lldap_key_seed:
    external: true
  lldap_smtp_password:
    external: true
Or just write the secrets to files next to your container file and define them like shown below.
The files should be owned by $PUID:$PGID and have the appropriate permissions (like 0400). 
1
2
3
4
5
6
7
secrets:
  lldap_jwt_secret:
    file: ./secrets/lldap_jwt_secret
  lldap_key_seed:
    file: ./secrets/lldap_key_seed
  lldap_smtp_password:
    file: ./secrets/lldap_smtp_password

Use the secrets in your service

If you use podman managed secrets, you need to make sure that file ownership and permissions allow the app to access the secrets. 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
services:
  lldap:
    secrets:
      - source: lldap_jwt_secret
          uid: 1000
          gid: 1000
          mode: "0400"
      - source: lldap_key_seed
          uid: 1000
          gid: 1000
          mode: "0400"
      - source: lldap_smtp_password
          uid: 1000
          gid: 1000
          mode: "0400"
If you provide the secrets directly from files using the second method from above and have set the owner and permissions appropriately, then you can simple do: 
1
2
3
4
5
6
services:
  lldap:
    secrets:
      - lldap_jwt_secret
      - lldap_key_seed
      - lldap_smtp_password

Configure lldap to use your secrets

To configure lldap to use the secrets you can define a few environment variables: 

1
2
3
4
5
service:
  env:
    - LLDAP_JWT_SECRET_FILE="/var/run/secrets/lldap_jwt_secret"
    - LLDAP_KEY_SEED_FILE="/var/run/secrets/lldap_key_seed"
    - LLDAP_SMTP_OPTIONS__PASSWORD_FILE="/var/run/secrets/lldap_smtp_password"

Implementation Details

  • Architectures: amd64
  • User: bsd (UID/GID set via PUID/PGID). Defaults to 1000:1000.
  • Base: Built on ghcr.io/daemonless/base (FreeBSD 15.0).

Need help? Join our Discord community.