Scripts · Apr 26, 2026 · 3 min read

LLDAP — Lightweight LDAP Server for Self-Hosted Authentication

LLDAP is a minimal LDAP server, written in Rust and designed for small self-hosted setups. It provides a web UI for managing users and groups and implements just enough of the LDAP protocol to work with common apps like Nextcloud, Gitea, Authelia, and Jellyfin.


Introduction

Traditional LDAP servers like OpenLDAP are powerful but complex to configure. LLDAP strips LDAP down to the essentials: user and group management with a clean web interface, targeting the common use case of centralizing authentication across self-hosted services without the overhead of a full directory server.

What LLDAP Does

  • Implements the LDAP protocol for user and group queries and bind authentication
  • Provides a web-based admin UI for creating and managing users and groups
  • Stores data in SQLite or PostgreSQL with no schema configuration required
  • Exposes a GraphQL API for programmatic user management
  • Supports password hashing with Argon2, bcrypt, and SHA-512

Architecture Overview

LLDAP runs as a single Rust binary serving two ports: one for LDAP protocol queries (3890) and one for the web UI and GraphQL API (17170). User and group data is stored in a relational database (SQLite by default). The LDAP server implements the subset of operations needed for authentication: bind, search, and compare. Write operations happen through the web UI or GraphQL API rather than LDAP add/modify.

Self-Hosting & Configuration

  • Deploy via Docker with two exposed ports for LDAP and the web UI
  • Set the base DN, admin password, and JWT secret via environment variables
  • Switch from SQLite to PostgreSQL by setting the LLDAP_DATABASE_URL variable
  • Integrate with apps by pointing their LDAP settings at the LLDAP server and base DN
  • User attributes like email, display name, and avatar are managed through the web UI
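
The deployment steps above as a Compose file. This is an added example, not configuration from the LLDAP project or from this page: the image tag, base DN, volume name, loopback port bindings, PostgreSQL URL and certificate paths are assumptions to adapt, and the secrets are read from the shell or a `.env` file instead of being written inline.

```yaml
# docker-compose.yml (constructed example; all values are placeholders)
services:
  lldap:
    image: lldap/lldap:stable            # assumed tag; pin a specific version in production
    restart: unless-stopped
    ports:
      # LDAP protocol port. Loopback binding assumes client apps run on this host;
      # widen it only to the network segment where the apps live.
      - "127.0.0.1:3890:3890"
      # Web UI and GraphQL API. Keep off public interfaces and front it with a
      # TLS-terminating reverse proxy, since admin logins travel over this port.
      - "127.0.0.1:17170:17170"
      # LDAPS listener (LLDAP's default LDAPS port), only if enabled below.
      # - "6360:6360"
    volumes:
      # Default SQLite database is stored here; this is the volume to back up.
      - lldap_data:/data
      # Certificate and key for LDAPS, mounted read-only (assumed host path).
      # - ./certs:/certs:ro
    environment:
      - LLDAP_LDAP_BASE_DN=dc=example,dc=com   # assumed base DN
      # Fail at startup if a secret is missing rather than run with an empty value.
      - LLDAP_JWT_SECRET=${LLDAP_JWT_SECRET:?set a long random value}
      - LLDAP_LDAP_USER_PASS=${LLDAP_LDAP_USER_PASS:?set the admin password}
      # Switch from SQLite to PostgreSQL (assumed host "db" and database "lldap"):
      # - LLDAP_DATABASE_URL=postgres://lldap:CHANGE_ME@db/lldap
      # Encrypted LDAP connections:
      # - LLDAP_LDAPS_OPTIONS__ENABLED=true
      # - LLDAP_LDAPS_OPTIONS__CERT_FILE=/certs/lldap.crt
      # - LLDAP_LDAPS_OPTIONS__KEY_FILE=/certs/lldap.key

volumes:
  lldap_data:
```

Client apps on other hosts should use the LDAPS listener, because a simple bind on port 3890 sends the password unencrypted.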

Key Features

  • Minimal LDAP implementation that covers 90% of self-hosted auth needs
  • Clean web UI for managing users, groups, and passwords without CLI tools
  • GraphQL API for scripted user provisioning and automation
  • SQLite-based storage by default with no separate database to manage
  • Low resource usage: under 20 MB RAM at idle

Comparison with Similar Tools

  • OpenLDAP — Full-featured directory server; LLDAP is simpler with a web UI but lacks advanced LDAP features
  • FreeIPA — Enterprise identity management with Kerberos; LLDAP targets small self-hosted setups
  • Authentik — Full SSO/IdP platform; LLDAP is a lighter LDAP-only backend for centralized auth
  • Authelia — Authentication portal; LLDAP complements it as a user directory backend

FAQ

Q: Which apps work with LLDAP? A: Most apps that support LDAP authentication work, including Nextcloud, Gitea, Jellyfin, Authelia, Portainer, and many others. The documentation lists tested integrations.

Q: Can LLDAP replace Active Directory? A: For basic user and group authentication, yes. It does not support Kerberos, Group Policy, or other AD-specific features.

Q: Does it support LDAPS (LDAP over TLS)? A: Yes. Configure TLS certificates in the environment variables to enable encrypted LDAP connections.

Q: How do I back up LLDAP data? A: Back up the SQLite database file in the data volume. For PostgreSQL, use standard pg_dump.
