Overview
Official site: https://github.com/lldap/lldap
Documentation: https://github.com/lldap/lldap
Repository: https://github.com/lldap/lldap
Light LDAP implementation. In short, LLDAP is a lightweight LDAP server implementation whose goals are to simplify installation, simplify administration, reduce resource consumption, and hide the complexity of LDAP.
Components
Configuration file
Configure the server by copying the lldap_config.docker_template.toml to /data/lldap_config.toml and updating the configuration values (especially the jwt_secret and ldap_user_pass, unless you override them with env variables). Environment variables should be prefixed with LLDAP_ to override the configuration.
If the lldap_config.toml doesn’t exist when starting up, LLDAP will use the default one. The default admin password is password; you can change the password later using the web interface.
Secrets can also be set through a file. The filename should be specified by the variables LLDAP_JWT_SECRET_FILE or LLDAP_KEY_SEED_FILE, and the file contents are loaded into the respective configuration parameters. Note that _FILE variables take precedence.
Web UI
Database
By default, the data is stored in SQLite, but you can swap the backend with MySQL/MariaDB or PostgreSQL.
Deployment
Low resources: 500m (CPU) and 1Gi (memory).
Refer to the lldap/lldap Installation / With Docker documentation to deploy via Docker Compose.
Image registry | https://hub.docker.com/r/lldap/lldap
# 05/25/2025 docker pull lldap/lldap:v0.6.1
Log level
Set verbose=true in the configuration file, or pass the LLDAP_VERBOSE: true environment variable.
Characteristics
LDAP and LDAPs
It provides an opinionated, simplified LDAP interface for authentication.
It integrates with many backends, from KeyCloak to Authelia to Nextcloud and more!
It comes with a frontend that makes user management easy, and allows users to edit their own details or reset their password by email.
This server is a user management system that is:
simple to manage (friendly web UI),
low resources,
opinionated with basic defaults so you don’t have to understand the subtleties of LDAP.
It mostly targets self-hosting servers, with open-source components like Nextcloud, Airsonic and so on that only support LDAP as a source of external authentication.
Client configuration | https://github.com/lldap/lldap?tab=readme-ov-file#client-configuration
Groups: lldap_admin, lldap_password_manager, lldap_strict_readonly
The administrator group for LLDAP is lldap_admin: anyone in this group has admin rights in the Web UI.
To prevent privilege escalation, users in the lldap_password_manager group are not allowed to change passwords of admins in the lldap_admin group.
Most LDAP integrations should instead use a user in the lldap_strict_readonly or lldap_password_manager group, to avoid granting full administration access to many services.
memberOf
Although the returned entries do not include the memberOf attribute, according to the official documentation:
More Features …
For more features (OAuth/OpenID support, reverse proxy, …) you can install other components (KeyCloak, Authelia, …) using this server as the source of truth for users, via LDAP.
Usage
Using the service
Users | Groups | Management
1) Manage via the Web UI
2) Manage via Zepmann/lldap-cli
Improvements
Password authentication failure
... LDAP session [ 122ms | 0.05% / 100.00% ] ... ┕━ LDAP request [ 121ms | 0.08% / 99.95% ] ... ┝━ 🐛 [debug]: | msg: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "uid=k4nzdroid,ou=people,dc=d3rm,dc=com,dc=cn", cred: LdapBindCred::Simple }), ctrl: [] } ... ┝━ do_bind [ 121ms | 0.02% / 99.87% ] dn: uid=k4nzdroid,ou=people,dc=d3rm,dc=com,dc=cn ... │ ┕━ bind [ 121ms | 0.02% / 99.85% ] ... │ ┝━ get_password_file_for_user [ 84.4µs | 0.07% ] user_id: UserId("k4nzdroid") ... │ ┝━ passwords_match [ 121ms | 99.77% ] username: k4nzdroid ... │ │ ┕━ 🚨 [error]: | error: Authentication protocol error for `Protocol error: `This error results from an error during password verification`` ... │ ┝━ 🐛 [debug]: Invalid password for "k4nzdroid": Authentication protocol error for `Protocol error: `This error results from an error during password verification`` ... │ ┕━ 🚨 [error]: | error: Authentication error: ` for user 'k4nzdroid'` ... ┕━ 🐛 [debug]: | response: BindResponse(LdapBindResponse { res: LdapResult { code: InvalidCredentials, matcheddn: "", message: "", referral: [] }, saslcreds: None })
Password authentication success
... LDAP session [ 109ms | 0.07% / 100.00% ] ... ┝━ LDAP request [ 109ms | 0.07% / 99.92% ] ... │ ┝━ 🐛 [debug]: | msg: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "cn=admin,ou=people,dc=d3rm,dc=com,dc=cn", cred: LdapBindCred::Simple }), ctrl: [] } ... │ ┝━ do_bind [ 109ms | 0.03% / 99.85% ] dn: cn=admin,ou=people,dc=d3rm,dc=com,dc=cn ... │ │ ┝━ bind [ 109ms | 0.01% / 99.65% ] ... │ │ │ ┝━ get_password_file_for_user [ 95.6µs | 0.09% ] user_id: UserId("admin") ... │ │ │ ┕━ passwords_match [ 109ms | 99.55% ] username: admin ... │ │ ┝━ get_user_groups [ 198µs | 0.18% ] user_id: "admin" ... │ │ │ ┕━ 🐛 [debug]: | return: {GroupDetails { group_id: GroupId(1), display_name: "lldap_admin", creation_date: 2024-03-26T07:50:28.714857181, uuid: Uuid("d2d1603f-cf9b-3adc-b321-b9c2784e42e0"), attributes: [] }} ... │ │ ┕━ 🐛 [debug]: Success! ... │ ┕━ 🐛 [debug]: | response: BindResponse(LdapBindResponse { res: LdapResult { code: Success, matcheddn: "", message: "", referral: [] }, saslcreds: None }) ... ┕━ LDAP request [ 7.26µs | 0.01% ] ... ┕━ 🐛 [debug]: | msg: LdapMsg { msgid: 2, op: UnbindRequest, ctrl: [LdapControl::ManageDsaIT { criticality: false }] } ... LDAP session [ 124ms | 0.07% / 100.00% ] ... ┝━ LDAP request [ 124ms | 0.03% / 99.93% ] ... │ ┝━ 🐛 [debug]: | msg: LdapMsg { msgid: 1, op: BindRequest(LdapBindRequest { dn: "uid=k4nzdroid,ou=people,dc=d3rm,dc=com,dc=cn", cred: LdapBindCred::Simple }), ctrl: [] } ... │ ┝━ do_bind [ 124ms | 0.03% / 99.90% ] dn: uid=k4nzdroid,ou=people,dc=d3rm,dc=com,dc=cn ... │ │ ┝━ bind [ 123ms | 0.01% / 99.68% ] ... │ │ │ ┝━ get_password_file_for_user [ 42.8µs | 0.03% ] user_id: UserId("k4nzdroid") ... │ │ │ ┕━ passwords_match [ 123ms | 99.64% ] username: k4nzdroid ... │ │ ┝━ get_user_groups [ 233µs | 0.19% ] user_id: "k4nzdroid" ... 
│ │ │ ┕━ 🐛 [debug]: | return: {GroupDetails { group_id: GroupId(12), display_name: "Role Operator", creation_date: 2024-07-10T16:37:30.965917578, uuid: Uuid("e9906d82-ca2c-35df-822c-d82026f3207e"), attributes: [] }} ... │ │ ┕━ 🐛 [debug]: Success! ... │ ┕━ 🐛 [debug]: | response: BindResponse(LdapBindResponse { res: LdapResult { code: Success, matcheddn: "", message: "", referral: [] }, saslcreds: None }) ... ┕━ LDAP request [ 4.80µs | 0.00% ] ... ┕━ 🐛 [debug]: | msg: LdapMsg { msgid: 2, op: UnbindRequest, ctrl: [] }
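The two traces above show what a failed bind (InvalidCredentials) and a successful bind (with the groups returned by get_user_groups) look like with verbose logging on. The script below is an added example, not LLDAP's own tooling: it splits such trace output into sessions, pairs each BindRequest with its BindResponse and groups, and flags repeated failures for one DN as well as successful binds by lldap_admin members, which the Groups section above says service integrations should avoid. The sample trace is constructed by make_trace in the same shape as the page's logs, with shortened timings; the failure threshold is an assumed value.

```python
# Triage of LLDAP trace output (verbose=true): pair each BindRequest with its
# BindResponse and the groups returned by get_user_groups, then flag repeated
# InvalidCredentials for one DN and successful binds by lldap_admin members.
# Added example, not LLDAP's own tooling; sample input is built by make_trace.
import re
from collections import Counter

# Events of LLDAP's trace tree are separated by " ... " when captured on one
# line (as on this page) or by newlines when read from a log file.
EVENT_SPLIT = re.compile(r"\s\.\.\.\s|\n")
BIND_DN = re.compile(r'BindRequest\(LdapBindRequest \{ dn: "([^"]+)"')
GROUP_NAME = re.compile(r'GroupDetails \{[^}]*display_name: "([^"]+)"')
BIND_CODE = re.compile(r"BindResponse\(LdapBindResponse \{ res: LdapResult \{ code: (\w+)")


def parse_sessions(trace: str) -> list[dict]:
    """One record per bind session: {'dn', 'code', 'groups'}."""
    sessions, current = [], {"dn": None, "code": None, "groups": []}
    for event in EVENT_SPLIT.split(trace):
        if "LDAP session [" in event:           # a new session subtree starts
            current = {"dn": None, "code": None, "groups": []}
            sessions.append(current)
        if m := BIND_DN.search(event):
            current["dn"] = m.group(1)
        current["groups"] += GROUP_NAME.findall(event)
        if m := BIND_CODE.search(event):
            current["code"] = m.group(1)
    return [s for s in sessions if s["dn"]]   # drop sessions without a bind


def triage(sessions: list[dict], max_failures: int = 3) -> list[str]:
    """Findings worth a look; the failure threshold is an assumed value."""
    findings = []
    failed = Counter(s["dn"] for s in sessions if s["code"] == "InvalidCredentials")
    for dn, n in failed.items():
        if n >= max_failures:
            findings.append(f"{n} InvalidCredentials binds for {dn}")
    for s in sessions:
        # Integrations should bind as lldap_strict_readonly / lldap_password_manager
        # users, so a successful lldap_admin bind is worth reviewing.
        if s["code"] == "Success" and "lldap_admin" in s["groups"]:
            findings.append(f"successful bind by lldap_admin member {s['dn']}")
    return findings


def make_trace(dn: str, code: str, groups=()) -> str:
    """Constructed sample session in the page's trace shape (timings shortened)."""
    ev = ["LDAP session [ 1ms | 100.00% ]",
          f'┝━ 🐛 [debug]: | msg: LdapMsg {{ msgid: 1, op: BindRequest(LdapBindRequest {{ dn: "{dn}", cred: LdapBindCred::Simple }}), ctrl: [] }}']
    ev += [f'┕━ 🐛 [debug]: | return: {{GroupDetails {{ group_id: GroupId(1), display_name: "{g}", attributes: [] }}}}' for g in groups]
    ev.append(f'┕━ 🐛 [debug]: | response: BindResponse(LdapBindResponse {{ res: LdapResult {{ code: {code}, matcheddn: "", message: "", referral: [] }}, saslcreds: None }})')
    return " ... ".join(ev)
```

Running `triage(parse_sessions(open("lldap.log").read()))` over a real verbose log works the same way, since the regexes match the BindRequest, GroupDetails and BindResponse lines exactly as they appear above.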
References
lldap/lldap: Light LDAP implementation