[GH-ISSUE #1180] [FEATURE REQUEST] Allow reading key_seed from file #419

New issue

Closed

opened 2026-02-27 08:17:12 +03:00 by kerem · 4 comments

kerem commented

2026-02-27 08:17:12 +03:00

Owner

Originally created by @TLATER on GitHub (May 25, 2025).
Original GitHub issue: https://github.com/lldap/lldap/issues/1180

Motivation
Hi, I'd like to declaratively configure my lldap configuration, and have that configuration in a git repository to track changes over time.

I'd prefer not to have the value my key is seeded from in what appears to be a deterministic RNG plaintext in a git repository.

Describe the solution you'd like
Much like the existing LLDAP_KEY_FILE, it'd be nice if I could specify an LLDAP_KEY_SEED_FILE so that the plaintext secret can be read from e.g. systemd credentials.

Describe alternatives you've considered
LLDAP_KEY_SEED already exists, of course, so I can read the secret from a file and insert it into the environment as part of a wrapping script. This exposes the secret as an env var, though, which isn't ideal.

I can also use LLDAP_KEY_FILE if I generate a key first, but #504 's outcome was basically saying that that is an awkward setup, which is why LLDAP_KEY_SEED even exists. Perhaps a subcommand to just generate a key file without doing anything else would be a nicer solution, though?

Alternatively I can turn the configuration file into a template, but managing this is quite a bit more awkward than even pre-generating a key.

I also worry slightly that the current configuration option itself is a footgun - unless I misunderstand the RNG docs and it isn't actually deterministic, I suspect many users are storing this secret in plaintext somewhere it should not be, unaware that it is supposed to be treated as a secret; the docs don't make this particularly clear.

Originally created by @TLATER on GitHub (May 25, 2025). Original GitHub issue: https://github.com/lldap/lldap/issues/1180 **Motivation** Hi, I'd like to declaratively configure my lldap configuration, and have that configuration in a git repository to track changes over time. I'd prefer not to have the value my key is seeded from in what *appears* to be a deterministic RNG plaintext in a git repository. **Describe the solution you'd like** Much like the existing `LLDAP_KEY_FILE`, it'd be nice if I could specify an `LLDAP_KEY_SEED_FILE` so that the plaintext secret can be read from e.g. systemd credentials. **Describe alternatives you've considered** `LLDAP_KEY_SEED` already exists, of course, so I can read the secret from a file and insert it into the environment as part of a wrapping script. This exposes the secret as an env var, though, which isn't ideal. I can also use `LLDAP_KEY_FILE` if I generate a key first, but #504 's outcome was basically saying that that is an awkward setup, which is why `LLDAP_KEY_SEED` even exists. Perhaps a subcommand to just generate a key file without doing anything else would be a nicer solution, though? Alternatively I can turn the configuration file into a template, but managing this is quite a bit more awkward than even pre-generating a key. I also worry slightly that the current configuration option itself is a footgun - unless I misunderstand the RNG docs and it isn't actually deterministic, I suspect many users are storing this secret in plaintext somewhere it should not be, unaware that it is supposed to be treated as a secret; the docs don't make this particularly clear.

kerem

2026-02-27 08:17:12 +03:00

closed this issue
added the
enhancement
label

kerem commented

2026-02-27 08:17:13 +03:00

Author

Owner

@nitnelave commented on GitHub (May 25, 2025):

You're in luck! You can already use LLDAP_KEY_SEED_FILE

@nitnelave commented on GitHub (May 25, 2025): You're in luck! You can already use `LLDAP_KEY_SEED_FILE`

kerem commented

2026-02-27 08:17:13 +03:00

Author

Owner

@TLATER commented on GitHub (May 25, 2025):

You're in luck! You can already use LLDAP_KEY_SEED_FILE

Ahhhh, sorry, I triple read the code around server creation to check if this exists and still missed it. In my defense, I'm waist-deep into figuring out the details of authelia configuration as well.

Thanks for the help :)

@TLATER commented on GitHub (May 25, 2025): > You're in luck! You can already use `LLDAP_KEY_SEED_FILE` Ahhhh, sorry, I triple read the code around server creation to check if this exists and *still* missed it. In my defense, I'm waist-deep into figuring out the details of authelia configuration as well. Thanks for the help :)

kerem commented

2026-02-27 08:17:13 +03:00

Author

Owner

@nitnelave commented on GitHub (May 25, 2025):

I admit that it's not the most obvious, either from the code or (with a second read) from the documentation (config template).

If you want to improve the docs, that would be very welcome! The gist of it is that every variable has a _FILE version.

@nitnelave commented on GitHub (May 25, 2025): I admit that it's not the most obvious, either from the code or (with a second read) from the documentation (config template). If you want to improve the docs, that would be very welcome! The gist of it is that every variable has a `_FILE` version.

kerem commented

2026-02-27 08:17:13 +03:00

Author

Owner

@TLATER commented on GitHub (May 25, 2025):

Not tonight (or tomorrow night), but I'll keep a browser tab with this open to shame me into doing so sometime over the next week or two so I didn't waste your time for nothing ;)

@TLATER commented on GitHub (May 25, 2025): Not tonight (or tomorrow night), but I'll keep a browser tab with this open to shame me into doing so sometime over the next week or two so I didn't waste your time for nothing ;)