This documents a working (LDAPS) configuration for using lldap in Open WebUI.
Environment Variables were directly taken from the logs.
The names of the GUI variables are taken from the UI.
Version v0.6.26.
The two configuration options are then put in a table and a small
elaboration + example values are provided.
Other than additionally mounting the ca chain into the container (with appropriate rights) there were no additional steps required.
The ownership of the ca chain will get changed to `chown 501:`.
Co-authored-by: Kumpelinus <kumpelinus@jat.de>
- Add Nix flake and lockfile for reproducible development environments
- Document Nix-based setup in `docs/nix-development.md`
- Add `.envrc` for direnv integration and update `.gitignore` for Nix/direnv artifacts
- Reference Nix setup in CONTRIBUTING.md
When querying for pwdChangedTime, the timestamp is returned in RFC3339 format instead of the expected LDAP GeneralizedTime format (YYYYMMDDHHMMSSZ). This causes issues when LLDAP is used with systems like Keycloak that expect proper LDAP timestamp formatting.
By making it a &'static, we can have a single allocation for all the threads/async contexts.
This also normalizes the whitespace from the user input; a trailing \n can cause weird issues with clients
Added instruction for using/not using Constraint Groups. This option is selected by default and the current instructions do not address it, but if it is left on and the Authentication Containers are not updated, the group sync will fail.
Add a modifyTimestamp attribute to LDAP entries for users and groups, and expose pwdChangedTime for users.
These attributes let clients track when an entry (or its password) was last changed.
- modifyTimestamp is a server-maintained attribute that updates on any write to user or group entries, including membership changes (on the group side).
- pwdChangedTime is set when a user’s password is created or changed.
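As an added example (not lldap's own code, and not part of either commit above), the two messages about pwdChangedTime and modifyTimestamp come down to one formatting rule: LDAP clients such as Keycloak expect RFC 4517 GeneralizedTime ("YYYYMMDDHHMMSSZ", always UTC), not RFC 3339. The block below converts an RFC 3339 string, including fractional seconds and a non-zero offset, into that form using only the standard library, and provides a strict checker for the result. The function names, the civil-date helpers (Howard Hinnant's days-from-civil algorithm) and the sample timestamps are all assumptions constructed for this illustration.

```rust
// Added example, not lldap project code. Converts RFC 3339 timestamps to LDAP
// GeneralizedTime (RFC 4517, "YYYYMMDDHHMMSSZ", UTC only) without external crates.

/// Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's algorithm).
fn days_from_civil(y: i64, m: i64, d: i64) -> i64 {
    let y = if m <= 2 { y - 1 } else { y };
    let era = (if y >= 0 { y } else { y - 399 }) / 400;
    let yoe = y - era * 400;
    let mp = (m + 9) % 12; // March = 0 ... February = 11
    let doy = (153 * mp + 2) / 5 + d - 1;
    let doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    era * 146097 + doe - 719468
}

/// Inverse of days_from_civil: (year, month, day) for a day count since the epoch.
fn civil_from_days(z: i64) -> (i64, i64, i64) {
    let z = z + 719468;
    let era = (if z >= 0 { z } else { z - 146096 }) / 146097;
    let doe = z - era * 146097;
    let yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    let y = yoe + era * 400;
    let doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    let mp = (5 * doy + 2) / 153;
    let d = doy - (153 * mp + 2) / 5 + 1;
    let m = if mp < 10 { mp + 3 } else { mp - 9 };
    (if m <= 2 { y + 1 } else { y }, m, d)
}

/// Parse a run of ASCII digits; anything else is rejected.
fn parse_num(s: &str) -> Option<i64> {
    if s.is_empty() || !s.bytes().all(|b| b.is_ascii_digit()) {
        return None;
    }
    s.parse().ok()
}

/// Convert "2024-01-15T10:30:00Z" or "2024-01-15T10:30:00.123456+02:00" to
/// GeneralizedTime in UTC. Fractional seconds are truncated and a non-zero UTC
/// offset is folded into the date/time. Malformed input yields None.
pub fn rfc3339_to_generalized_time(s: &str) -> Option<String> {
    let s = s.trim(); // a trailing newline from a client would otherwise break parsing
    if !s.is_ascii() || s.len() < 20 {
        return None;
    }
    let (date, rest) = s.split_at(10);
    let mut dp = date.split('-');
    let y = parse_num(dp.next()?)?;
    let mo = parse_num(dp.next()?)?;
    let d = parse_num(dp.next()?)?;
    if dp.next().is_some() {
        return None;
    }
    let rest = rest.strip_prefix('T').or_else(|| rest.strip_prefix('t'))?;
    // Time is HH:MM:SS[.frac] followed by 'Z' or a +hh:mm / -hh:mm offset.
    let (time, offset_secs) =
        if let Some(t) = rest.strip_suffix('Z').or_else(|| rest.strip_suffix('z')) {
            (t, 0i64)
        } else {
            let idx = rest.rfind(|c| c == '+' || c == '-')?;
            let (t, off) = rest.split_at(idx);
            let sign = if off.starts_with('-') { -1 } else { 1 };
            let mut op = off[1..].split(':');
            let oh = parse_num(op.next()?)?;
            let om = parse_num(op.next()?)?;
            if op.next().is_some() || oh > 23 || om > 59 {
                return None;
            }
            (t, sign * (oh * 3600 + om * 60))
        };
    let time = time.split('.').next()?; // drop fractional seconds
    let mut tp = time.split(':');
    let h = parse_num(tp.next()?)?;
    let mi = parse_num(tp.next()?)?;
    let sec = parse_num(tp.next()?)?;
    if tp.next().is_some() {
        return None;
    }
    if !(1..=12).contains(&mo) || !(1..=31).contains(&d) || h > 23 || mi > 59 || sec > 59 {
        return None;
    }
    // Normalise to UTC by going through seconds since the epoch.
    let epoch = days_from_civil(y, mo, d) * 86400 + h * 3600 + mi * 60 + sec - offset_secs;
    let days = epoch.div_euclid(86400);
    let sod = epoch.rem_euclid(86400);
    let (uy, umo, ud) = civil_from_days(days);
    Some(format!(
        "{:04}{:02}{:02}{:02}{:02}{:02}Z",
        uy, umo, ud, sod / 3600, (sod % 3600) / 60, sod % 60
    ))
}

/// Strict check for the shape clients expect: exactly 14 digits followed by 'Z'.
pub fn is_generalized_time(s: &str) -> bool {
    s.len() == 15 && s.ends_with('Z') && s[..14].bytes().all(|b| b.is_ascii_digit())
}

fn main() {
    // Constructed sample values, not taken from any real server.
    for ts in ["2024-01-15T10:30:00Z", "2024-01-15T10:30:00.123456+02:00", "not a date"] {
        match rfc3339_to_generalized_time(ts) {
            Some(g) => println!("{ts} -> {g} (valid: {})", is_generalized_time(&g)),
            None => println!("{ts} -> rejected"),
        }
    }
}
```

The same formatter serves both attributes: modifyTimestamp on user and group entries and pwdChangedTime on users should be emitted through it, and `is_generalized_time` is the assertion to put in an integration test against the server's LDAP output so a regression to RFC 3339 is caught before a consumer like Keycloak sees it.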
Otherwise the bootstrap script tries to create the password_file
as a custom attribute which fails since it's not in the schema.
And anyway, it shouldn't be in the schema.
Add a subschema entry to the rootDSE, which shows all attributes and
objectclasses present on the LLDAP server, which is needed for some
applications that need to index the LDAP server. The current
implementation's goal is to have a bare minimum working subschema which
follows the LDAP RFC. It also updates the GraphQL interface to follow
the changes that have been made in actually separating out
objectclasses, instead of having them as an attribute.
Co-authored-by: nitnelave <valentin@tolmer.fr>
Authelia when installed via helm by default looks for users
in the `Users` OU. It supports changing this configuration via the
`additional_users_dn` property. Set this to match what lldap expects.
Any LLDAP user, not just members of nextcloud-users, could log in and get an instance. However, they weren't synchronized to the nextcloud admin view and thus were nearly invisible.