[GH-ISSUE #1176] [FEATURE REQUEST] Enable providing storage password as secret #421

New issue

Closed

opened 2026-02-27 08:17:12 +03:00 by kerem · 1 comment

kerem commented

2026-02-27 08:17:12 +03:00

Owner

Originally created by @jochemvangrondelle on GitHub (May 17, 2025).
Original GitHub issue: https://github.com/lldap/lldap/issues/1176

Motivation
Unless I'm mistaken, currently the postgres password (if used) has to be provided through the LLDAP_DATABASE_URL environment variable. This is less secure than storing the secret as file.

Describe the solution you'd like
Could mimic similar behaviour from other Dockers (https://hub.docker.com/_/postgres) or the existing behaviour like LLDAP_JWT_SECRET_FILE
Add new optional environment variables LLDAP_DATABASE_PASSWORD and LLDAP_DATABASE_PASSWORD_FILE. If _FILE is there it will populate the LLDAP_DATABASE_PASSWORD var. If LLDAP_DATABASE_PASSWORD is set, use that for authentication with the DB OR enable the env to be used inside the connection string, e.g. LLDAP_DATABASE_URL="postgres://lldap:${LLDAP_DATABASE_PASSWORD}@lldap/lldap"

Describe alternatives you've considered
For now, I'm using the approach with the DB secret in lldap.env that is included in the docker-compose env_file.

Additional context
Thank for you considering my request. Apologies if I have overlooked anything and this feature already exists.

Originally created by @jochemvangrondelle on GitHub (May 17, 2025). Original GitHub issue: https://github.com/lldap/lldap/issues/1176 **Motivation** Unless I'm mistaken, currently the postgres password (if used) has to be provided through the LLDAP_DATABASE_URL environment variable. This is less secure than storing the secret as file. **Describe the solution you'd like** Could mimic similar behaviour from other Dockers (https://hub.docker.com/_/postgres) or the existing behaviour like LLDAP_JWT_SECRET_FILE Add new optional environment variables LLDAP_DATABASE_PASSWORD and LLDAP_DATABASE_PASSWORD_FILE. If _FILE is there it will populate the LLDAP_DATABASE_PASSWORD var. If LLDAP_DATABASE_PASSWORD is set, use that for authentication with the DB OR enable the env to be used inside the connection string, e.g. LLDAP_DATABASE_URL="postgres://lldap:${LLDAP_DATABASE_PASSWORD}@lldap/lldap" **Describe alternatives you've considered** For now, I'm using the approach with the DB secret in lldap.env that is included in the docker-compose env_file. **Additional context** Thank for you considering my request. Apologies if I have overlooked anything and this feature already exists.