lldap

A lightweight LDAP server for centralized user account management.

lldap is a simplified LDAP server designed for self-hosting that provides a clean web UI for managing users and groups. It supports a minimal but sufficient LDAP subset for use with compatible apps (Gitea, Nextcloud, Keycloak user federation, etc.). Self-hosting gives you a single source of truth for user identities without paying for a directory service.

Alternatives considered

Cloud Hosted

| Tool | Open Source | Free Tier | Monthly Cost |
|------|-------------|-----------|--------------|
| Azure Entra ID | No | Limited | From $6/user |

Self Hosted

| Tool | Open Source | Full Features | Notes |
|------|-------------|---------------|-------|
| OpenLDAP | Yes | Yes | More complete but much harder to configure |
| FreeIPA | Yes | Yes | Full identity stack; heavy for homelab |
| Active Directory | No | No | Windows-only; enterprise-grade complexity |

Installation

Architecture

  • Deployment: Single lldap deployment in the lldap namespace
  • Image: nitnelave/lldap:v0.6.2-alpine (digest-pinned)
  • Storage: Longhorn PVC (lldap-data, annotated k8up.io/backup: "true") for SQLite database and config
  • Networking: ClusterIP service with separate ports for LDAP and web UI; HTTPRoute via public gateway

Security

  • Runs as root (runAsUser: 0, runAsNonRoot: false)
  • Longhorn PVC encrypted at rest via SOPS-managed keys

Updates

Managed by Renovate. Image is digest-pinned.

Data Management

  • Database: SQLite stored on lldap-data Longhorn PVC (annotated k8up.io/backup: "true")
  • Backups: k8up Schedule backs up the Longhorn PVC to Hetzner S3 via restic.

User Management

lldap is an LDAP provider — it does not consume OIDC. It provides the user directory for Keycloak federation and other LDAP-compatible services. Users and groups are managed via the lldap web UI.

Configuration Management

  • Bind DN, bind password and JWT secret come from a SOPS-encrypted secret
  • LDAP base DN and other settings are configured as env vars on the Deployment

Administration

Usage

Manage users and groups through the web UI. Connect applications via LDAP bind using the configured service account. lldap can feed into Keycloak's user federation to provide SSO backed by a central directory.

Cluster-specific deviations from the above live in the per-cluster README — see k8s/apps/talos/lldap/README.md.

Cluster Deployment

lldap — Talos cluster

Cluster-specific notes only. General product info, "why we use it", and alternatives live in docusaurus/docs/apps/lldap.mdx.

Deviations from defaults

Defaults live in docusaurus/docs/apps/lldap.mdx — document anything this cluster does differently here, with a one-line reason.

Kubernetes Metadata

  • Image: nitnelave/lldap:v0.6.3-alpine@sha256:2a8454b668c1aba7157e832eab0e242e1e7eb5fb7591d7e7774ba05286511ca8

Rendered manifests (kustomize build)

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    kustomize.toolkit.fluxcd.io/force: enabled
  labels:
    app: lldap
  name: lldap
  namespace: lldap
spec:
  replicas: 1
  selector:
    matchLabels:
      app: lldap
      ingress: public
  strategy:
    rollingUpdate: null
    type: Recreate
  template:
    metadata:
      labels:
        app: lldap
        ingress: public
    spec:
      containers:
      - envFrom:
        - secretRef:
            name: lldap
        image: nitnelave/lldap:v0.6.3-alpine@sha256:2a8454b668c1aba7157e832eab0e242e1e7eb5fb7591d7e7774ba05286511ca8
        name: lldap
        ports:
        - containerPort: 3890
        - containerPort: 17170
        volumeMounts:
        - mountPath: /data
          name: lldap-data
      restartPolicy: Always
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      volumes:
      - name: lldap-data
        persistentVolumeClaim:
          claimName: lldap-data
```
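The Security section notes that lldap runs as root and that secrets come from a SOPS-encrypted secret; the rendered manifest above is where those claims can be checked. The following is an added example, not code from lldap or from this repository, that lints the Deployment for the posture points this page cares about (digest pinning, seccomp profile, runAsNonRoot, no inline secret values). The manifest is embedded as a constructed dict reduced to the fields the checks read, and the finding texts are the example's own.

```python
import re

# Constructed from the rendered Deployment on this page, reduced to the
# fields the checks below read (a dict so the script runs without PyYAML).
LLDAP_DEPLOYMENT = {
    "metadata": {"name": "lldap", "namespace": "lldap"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "lldap",
            "image": "nitnelave/lldap:v0.6.3-alpine@sha256:"
                     "2a8454b668c1aba7157e832eab0e242e1e7eb5fb7591d7e7774ba05286511ca8",
            "envFrom": [{"secretRef": {"name": "lldap"}}],
            "ports": [{"containerPort": 3890}, {"containerPort": 17170}],
        }],
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    }}},
}

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
SENSITIVE_ENV = re.compile(r"PASSWORD|SECRET|TOKEN|KEY", re.IGNORECASE)


def is_digest_pinned(image: str) -> bool:
    """True when the image reference ends in a full sha256 digest."""
    return DIGEST_RE.search(image) is not None


def findings(deployment: dict) -> list:
    """Return one finding per posture gap; an empty list means all checks passed."""
    out = []
    pod = deployment["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext", {})
    if pod_sc.get("seccompProfile", {}).get("type") != "RuntimeDefault":
        out.append("pod: seccompProfile.type is not RuntimeDefault")
    for c in pod["containers"]:
        name = c["name"]
        if not is_digest_pinned(c["image"]):
            out.append(f"{name}: image is tag-only, not digest-pinned")
        # Container-level securityContext overrides the pod-level one.
        sc = {**pod_sc, **c.get("securityContext", {})}
        if sc.get("runAsNonRoot") is not True:
            out.append(f"{name}: runAsNonRoot is not true (container runs as root)")
        # Bind password and JWT secret must come from a Secret, never inline.
        for env in c.get("env", []):
            if "value" in env and SENSITIVE_ENV.search(env["name"]):
                out.append(f"{name}: {env['name']} is an inline env value, move it to a secretRef")
    return out


if __name__ == "__main__":
    print("\n".join(findings(LLDAP_DEPLOYMENT)) or "no findings")
```

Run against the manifest as rendered, it reports only the root-user gap the Security section already documents; it would additionally flag a tag-only image or a bind password pasted into `env`.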