# LLDAP — Lightweight LDAP Server for Self-Hosted Authentication

> LLDAP is a minimal LDAP server written in Rust designed for small self-hosted setups. It provides a web UI for managing users and groups and implements just enough of the LDAP protocol to work with common apps like Nextcloud, Gitea, Authelia, and Jellyfin.

## Quick Use

```bash
docker run -d --name lldap \
  -p 3890:3890 -p 17170:17170 \
  -e LLDAP_LDAP_BASE_DN=dc=example,dc=com \
  -e LLDAP_JWT_SECRET=$(openssl rand -hex 32) \
  -v ./lldap_data:/data \
  lldap/lldap:latest
# Web UI at http://localhost:17170 (admin / password)
```

## Introduction

Traditional LDAP servers like OpenLDAP are powerful but complex to configure. LLDAP strips LDAP down to the essentials: user and group management with a clean web interface, targeting the common use case of centralizing authentication across self-hosted services without the overhead of a full directory server.

## What LLDAP Does

- Implements the LDAP protocol for user and group queries and bind authentication
- Provides a web-based admin UI for creating and managing users and groups
- Stores data in SQLite or PostgreSQL with no schema configuration required
- Exposes a GraphQL API for programmatic user management
- Supports password hashing with Argon2, bcrypt, and SHA-512

## Architecture Overview

LLDAP runs as a single Rust binary serving two ports: one for LDAP protocol queries (3890) and one for the web UI and GraphQL API (17170). User and group data is stored in a relational database (SQLite by default). The LDAP server implements the subset of operations needed for authentication: bind, search, and compare. Write operations happen through the web UI or GraphQL API rather than LDAP add/modify.
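The quick-start command passes the JWT secret on the command line, leaves the admin account on its default password, and publishes both ports on every interface. The script below is an added example, not code from this page or from the LLDAP project, showing a tighter launch: secrets are generated once into an owner-only env file and both ports are bound to loopback. The file names `lldap.env` and `lldap_data`, the `DOCKER` override variable, and the function names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not LLDAP project code. Assumed names: lldap.env, lldap_data,
# the DOCKER override variable and the function names.

# rand_hex N: N random bytes as hex (openssl if present, else /dev/urandom).
rand_hex() {
  openssl rand -hex "$1" 2>/dev/null || od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n'
}

# lldap_write_env FILE BASE_DN: create FILE once, mode 0600, with fresh secrets.
# An existing file is left alone so the JWT secret survives container re-creation.
lldap_write_env() {
  if [ -e "$1" ]; then return 0; fi
  (
    umask 077
    {
      printf 'LLDAP_LDAP_BASE_DN=%s\n' "$2"
      printf 'LLDAP_JWT_SECRET=%s\n' "$(rand_hex 32)"
      printf 'LLDAP_LDAP_USER_PASS=%s\n' "$(rand_hex 16)"   # admin password
    } > "$1"
  )
}

# lldap_up FILE DATA_DIR: start the container with secrets read from FILE and
# both ports bound to loopback only (3890 is plaintext LDAP, 17170 plain HTTP).
lldap_up() {
  lldap_write_env "$1" "${LLDAP_BASE_DN:-dc=example,dc=com}" || return 1
  mkdir -p "$2" || return 1
  "${DOCKER:-docker}" run -d --name lldap \
    -p 127.0.0.1:3890:3890 -p 127.0.0.1:17170:17170 \
    --env-file "$1" -v "$2:/data" lldap/lldap:latest
}

# Start only when called as: sh lldap-up.sh up
if [ "${1:-}" = "up" ]; then
  lldap_up "$PWD/lldap.env" "$PWD/lldap_data"
fi
```

The generated admin password is stored in `lldap.env`. For access from other hosts, enable LDAPS or put TLS in front of the ports rather than removing the loopback binding.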

## Self-Hosting & Configuration

- Deploy via Docker with two exposed ports for LDAP and the web UI
- Set the base DN, admin password, and JWT secret via environment variables
- Switch from SQLite to PostgreSQL by setting the `LLDAP_DATABASE_URL` variable
- Integrate with apps by pointing their LDAP settings at the LLDAP server and base DN
- User attributes like email, display name, and avatar are managed through the web UI

## Key Features

- Minimal LDAP implementation that covers 90% of self-hosted auth needs
- Clean web UI for managing users, groups, and passwords without CLI tools
- GraphQL API for scripted user provisioning and automation
- SQLite-based storage by default with no separate database to manage
- Low resource usage: under 20 MB RAM at idle

## Comparison with Similar Tools

- **OpenLDAP** — Full-featured directory server; LLDAP is simpler with a web UI but lacks advanced LDAP features
- **FreeIPA** — Enterprise identity management with Kerberos; LLDAP targets small self-hosted setups
- **Authentik** — Full SSO/IdP platform; LLDAP is a lighter LDAP-only backend for centralized auth
- **Authelia** — Authentication portal; LLDAP complements it as a user directory backend

## FAQ

**Q: Which apps work with LLDAP?**
A: Most apps that support LDAP authentication work, including Nextcloud, Gitea, Jellyfin, Authelia, Portainer, and many others. The documentation lists tested integrations.

**Q: Can LLDAP replace Active Directory?**
A: For basic user and group authentication, yes. It does not support Kerberos, Group Policy, or other AD-specific features.

**Q: Does it support LDAPS (LDAP over TLS)?**
A: Yes. Configure TLS certificates in the environment variables to enable encrypted LDAP connections.

**Q: How do I back up LLDAP data?**
A: Back up the SQLite database file in the data volume. For PostgreSQL, use standard pg_dump.

## Sources

- https://github.com/lldap/lldap
- https://github.com/lldap/lldap/blob/main/README.md

---

Source: https://tokrepo.com/en/workflows/40422f99-4106-11f1-9bc6-00163e2b0d79

Author: Script Depot