[GH-ISSUE #590] Use separate configuration options for database credentials #217

Closed
opened 2026-02-27 08:15:55 +03:00 by kerem · 1 comment

Originally created by @0hSnap on GitHub (May 21, 2023).
Original GitHub issue: https://github.com/lldap/lldap/issues/590

Currently, LLDAP requires the entire database url, including the username and password, to be provided in the LLDAP_DATABASE_URL configuration option. However, this poses an inconvenience when using docker secrets, as a new docker secret needs to be created specifically for the database url. To enhance security and convenience, I suggest adding two additional configuration options, LLDAP_DATABASE_USER and LLDAP_DATABASE_PASS, which would allow for the separation of the database credentials from the database url. With this change, it would be possible to use the same docker secrets used to set the username and password for the database user in the DBMS container within LLDAP.

kerem 2026-02-27 08:15:55 +03:00

@nitnelave commented on GitHub (May 21, 2023):

Handling the password separately from the URL is a big hassle compared to
what we do now. We'd have to have configuration options for database type,
host, port, username and password, and validate them (including the lack of
username password for SQLite), then reformat them into the existing
variable. All the while we have to keep supporting the URL to avoid
breaking people's config. That's a bit of a tall ask to deduplicate a
secret.

If you really want something like that, then I suggest you change the
startup script in the docker to load your secret and add it to the
environment variable for the database URL dynamically.

On Sun, 21 May 2023, 09:34 George Loukakis, @.***> wrote:

> Currently, LLDAP requires the entire database url, including the username
> and password, to be provided in the LLDAP_DATABASE_URL configuration
> option. However, this poses an inconvenience when using docker secrets, as
> a new docker secret needs to be created specifically for the database url.
> To enhance security and convenience, I suggest adding two additional
> configuration options, LLDAP_DATABASE_USER and LLDAP_DATABASE_PASS, which
> would allow for the separation of the database credentials from the
> database url. With this change, it would be possible to use the same docker
> secrets used to set the username and password for the database user in the
> DBMS container within LLDAP.


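The startup-script approach suggested in the comment above could look like the following wrapper entrypoint. This is an added example, not part of the original thread and not LLDAP's own startup script; `DB_BASE_URL`, `SECRETS_DIR` and the secret file names `db_user` and `db_password` are assumed names, and secrets are assumed to be ASCII.

```shell
#!/bin/sh
# Added example: wrapper entrypoint, not LLDAP's own startup script.
# Assumed names: DB_BASE_URL, SECRETS_DIR, secret files db_user / db_password.
set -eu

# Percent-encode everything outside the RFC 3986 unreserved set, so characters
# such as '@', ':' or '/' in a password cannot change how the URL is parsed.
# The body runs in a subshell; LC_ALL=C keeps the A-Z ranges ASCII-only.
urlencode() (
    LC_ALL=C
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}
        c=${s%"$rest"}
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
)

# Insert the credentials read from two secret files into a credential-free
# base URL such as "postgres://db:5432/lldap" (constructed sample value).
build_database_url() {
    base=$1
    case $base in
        *@*) echo "base URL must not already contain credentials" >&2; return 1 ;;
        *://*) ;;
        *) echo "base URL needs a scheme://" >&2; return 1 ;;
    esac
    user=$(cat "$2") || return 1   # $(...) strips the file's trailing newline
    pass=$(cat "$3") || return 1
    printf '%s://%s:%s@%s' "${base%%://*}" \
        "$(urlencode "$user")" "$(urlencode "$pass")" "${base#*://}"
}

# Runs only when invoked as an entrypoint with the server command as arguments.
if [ "$#" -gt 0 ]; then
    dir=${SECRETS_DIR:-/run/secrets}   # where Docker mounts secrets by default
    LLDAP_DATABASE_URL=$(build_database_url \
        "${DB_BASE_URL:?set to e.g. postgres://db:5432/lldap}" \
        "$dir/db_user" "$dir/db_password")
    export LLDAP_DATABASE_URL
    exec "$@"
fi
```

The password still ends up in the server's process environment, so this removes the duplicated secret but does not hide it from anything able to read that environment.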