starred/lldap-lldap
1
0
Fork 0
mirror of https://github.com/lldap/lldap.git synced 2026-04-25 08:15:52 +03:00
Code Issues 101 Projects Releases 10 Packages Wiki Activity

[GH-ISSUE #1211] [BUG] Disabling LDAP when using LDAPS or Allow Independent host Config. #431

New issue
Closed
opened 2026-02-27 08:17:16 +03:00 by kerem · 4 comments
kerem commented 2026-02-27 08:17:16 +03:00
Owner
Copy link

Originally created by @crazytimmy on GitHub (Jul 10, 2025).
Original GitHub issue: https://github.com/lldap/lldap/issues/1211

I may not fully understand LDAP and/or how LLDAP operates so this may be a non-issue/bug/feature request.

After getting LDAPS running I noticed LDAP is still running listening to 0.0.0.0. I tried setting LDAP_HOST to 127.0.0.1 but that changed the service listening on for LDAPS as well. Is there a way to control these individually? Since I want to use LDAPS I also don't want LDAP (unencrypted) still running and accessible and any connection to be forced over LDAPS.

environment:
- TZ=${TIMEZONE:-UTC}
- UID=${LLDAP_UID}
- GID=${LLDAP_GID}
- LLDAP_JWT_SECRET_FILE=/run/secrets/lldap_jwt_secret
- LLDAP_KEY_SEED_FILE=/run/secrets/lldap_key_seed
- LLDAP_HTTP_URL=${LLDAP_HTTP_URL}
- LLDAP_LDAP_BASE_DN=${LLDAP_BASE_DN}
- LLDAP_LDAP_USER_DN_FILE=/run/secrets/lldap_ldap_user_dn
- LLDAP_LDAP_USER_PASS_FILE=/run/secrets/lldap_ldap_user_pass
- LLDAP_LDAPS_OPTIONS__ENABLED=true
- LLDAP_LDAPS_OPTIONS__PORT=6360
- LLDAP_LDAPS_OPTIONS__CERT_FILE=/run/secrets/site.crt
- LLDAP_LDAPS_OPTIONS__KEY_FILE=/run/secrets/site.key
- SMTP_OPTIONS_ENABLE_PASSWORD_RESET=true
- SMTP_OPTIONS_SERVER=${LLDAP_SMTP_SERVER}
- SMTP_OPTIONS_PORT=${LLDAP_SMTP_PORT}
- SMTP_OPTIONS_SMTP_ENCRYPTION=${LLDAP_SMTP_ENCRYPTION}
- SMTP_OPTIONS_USER_FILE=/run/secrets/lldap_smtp_user
- SMTP_OPTIONS_PASSWORD_FILE=/run/secrets/lldap_smtp_password
- SMTP_OPTIONS_FROM=${LLDAP_SMTP_FROM}
- SMTP_OPTIONS_TO=${LLDAP_SMTP_TO}

I would expect to be able to disable either LDAP or LDAPS individually or at least be able to control the listening host individually.

Startup Logs:

Starting lldap..

Loading configuration from /data/lldap_config.toml
2025-07-10T19:56:40.907975850+00:00 INFO set_up_server [ 23.4ms | 100.00% ]
2025-07-10T19:56:40.907991680+00:00 INFO ┝━ i [info]: Starting LLDAP version 0.6.1
2025-07-10T19:56:40.959110505+00:00 INFO ┝━ i [info]: Starting the LDAP server on port 3890
2025-07-10T19:56:40.959610574+00:00 INFO ┝━ i [info]: Starting the LDAPS server on port 6360
2025-07-10T19:56:40.965591385+00:00 INFO ┕━ i [info]: Starting the API/web server on port 17170
2025-07-10T19:56:40.965820339+00:00 INFO i [info]: starting 1 workers
2025-07-10T19:56:40.965862629+00:00 INFO i [info]: Actix runtime found; starting in Actix runtime
2025-07-10T19:56:40.965910400+00:00 INFO i [info]: starting service: "ldap", workers: 1, listening on: 0.0.0.0:3890
2025-07-10T19:56:40.965951418+00:00 INFO i [info]: starting service: "ldaps", workers: 1, listening on: 0.0.0.0:6360
2025-07-10T19:56:40.965992766+00:00 INFO i [info]: starting service: "http", workers: 1, listening on: 0.0.0.0:17170
2025-07-10T19:56:40.967955792+00:00 INFO i [info]: DB Cleanup Cron started

Maybe I'm just missing something, but I went through the lldap_config.toml in the data folder and wasn't able to find a setting I believe would resolve my issue.

Originally created by @crazytimmy on GitHub (Jul 10, 2025). Original GitHub issue: https://github.com/lldap/lldap/issues/1211 I may not fully understand LDAP and/or how LLDAP operates so this may be a non-issue/bug/feature request. After getting LDAPS running I noticed LDAP is still running listening to 0.0.0.0. I tried setting LDAP_HOST to 127.0.0.1 but that changed the service listening on for LDAPS as well. Is there a way to control these individually? Since I want to use LDAPS I also don't want LDAP (unencrypted) still running and accessible and any connection to be forced over LDAPS. environment: - TZ=${TIMEZONE:-UTC} - UID=${LLDAP_UID} - GID=${LLDAP_GID} - LLDAP_JWT_SECRET_FILE=/run/secrets/lldap_jwt_secret - LLDAP_KEY_SEED_FILE=/run/secrets/lldap_key_seed - LLDAP_HTTP_URL=${LLDAP_HTTP_URL} - LLDAP_LDAP_BASE_DN=${LLDAP_BASE_DN} - LLDAP_LDAP_USER_DN_FILE=/run/secrets/lldap_ldap_user_dn - LLDAP_LDAP_USER_PASS_FILE=/run/secrets/lldap_ldap_user_pass - LLDAP_LDAPS_OPTIONS__ENABLED=true - LLDAP_LDAPS_OPTIONS__PORT=6360 - LLDAP_LDAPS_OPTIONS__CERT_FILE=/run/secrets/site.crt - LLDAP_LDAPS_OPTIONS__KEY_FILE=/run/secrets/site.key - SMTP_OPTIONS_ENABLE_PASSWORD_RESET=true - SMTP_OPTIONS_SERVER=${LLDAP_SMTP_SERVER} - SMTP_OPTIONS_PORT=${LLDAP_SMTP_PORT} - SMTP_OPTIONS_SMTP_ENCRYPTION=${LLDAP_SMTP_ENCRYPTION} - SMTP_OPTIONS_USER_FILE=/run/secrets/lldap_smtp_user - SMTP_OPTIONS_PASSWORD_FILE=/run/secrets/lldap_smtp_password - SMTP_OPTIONS_FROM=${LLDAP_SMTP_FROM} - SMTP_OPTIONS_TO=${LLDAP_SMTP_TO} I would expect to be able to disable either LDAP or LDAPS individually or at least be able to control the listening host individually. Startup Logs: > Starting lldap.. Loading configuration from /data/lldap_config.toml 2025-07-10T19:56:40.907975850+00:00 INFO set_up_server [ 23.4ms | 100.00% ] 2025-07-10T19:56:40.907991680+00:00 INFO ┝━ i [info]: Starting LLDAP version 0.6.1 2025-07-10T19:56:40.959110505+00:00 INFO ┝━ i [info]: Starting the LDAP server on port 3890 2025-07-10T19:56:40.959610574+00:00 INFO ┝━ i [info]: Starting the LDAPS server on port 6360 2025-07-10T19:56:40.965591385+00:00 INFO ┕━ i [info]: Starting the API/web server on port 17170 2025-07-10T19:56:40.965820339+00:00 INFO i [info]: starting 1 workers 2025-07-10T19:56:40.965862629+00:00 INFO i [info]: Actix runtime found; starting in Actix runtime 2025-07-10T19:56:40.965910400+00:00 INFO i [info]: starting service: "ldap", workers: 1, listening on: 0.0.0.0:3890 2025-07-10T19:56:40.965951418+00:00 INFO i [info]: starting service: "ldaps", workers: 1, listening on: 0.0.0.0:6360 2025-07-10T19:56:40.965992766+00:00 INFO i [info]: starting service: "http", workers: 1, listening on: 0.0.0.0:17170 2025-07-10T19:56:40.967955792+00:00 INFO i [info]: DB Cleanup Cron started Maybe I'm just missing something, but I went through the lldap_config.toml in the data folder and wasn't able to find a setting I believe would resolve my issue.
kerem 2026-02-27 08:17:16 +03:00
  • closed this issue
  • added the
    bug
         label
kerem commented 2026-02-27 08:17:17 +03:00
Author
Owner
Copy link

@nitnelave commented on GitHub (Jul 10, 2025):

I'm assuming you're running LLDAP in a container? Can you avoid exposing the LDAP port?

There is no way to disable the LDAP interface, and both it and LDAPS listen to the same address

<!-- gh-comment-id:3058935913 --> @nitnelave commented on GitHub (Jul 10, 2025): I'm assuming you're running LLDAP in a container? Can you avoid exposing the LDAP port? There is no way to disable the LDAP interface, and both it and LDAPS listen to the same address
kerem commented 2026-02-27 08:17:17 +03:00
Author
Owner
Copy link

@crazytimmy commented on GitHub (Jul 10, 2025):

Yes, sorry in a Docker container. I should also mention this is a home lab environment so not a high importance/security issue.

When you suggest avoid exposing the LDAP port are you suggesting setting the port through config.toml or environment in compose to blank or "0"? Or through Docker networks somehow? Nothing is exposed outside the host, all server-to-server communication is going through docker networks and doesn't leave the host network. Aside from Traefik/Cloudflare Tunnel as my entrypoint.

I have LDAP and (soon to be) Authelia sharing their own network they will use to communicate on and another separate network for LDAP and Traefik to communicate on. So again should be minimal exposure. But the way LLDAP is configured it's listening on 0.0.0.0 so all networks attached to the LLDAP container would technically have access to LDAP ports no?

Thanks for your response.

<!-- gh-comment-id:3058963241 --> @crazytimmy commented on GitHub (Jul 10, 2025): Yes, sorry in a Docker container. I should also mention this is a home lab environment so not a high importance/security issue. When you suggest avoid exposing the LDAP port are you suggesting setting the port through config.toml or environment in compose to blank or "0"? Or through Docker networks somehow? Nothing is exposed outside the host, all server-to-server communication is going through docker networks and doesn't leave the host network. Aside from Traefik/Cloudflare Tunnel as my entrypoint. I have LDAP and (soon to be) Authelia sharing their own network they will use to communicate on and another separate network for LDAP and Traefik to communicate on. So again should be minimal exposure. But the way LLDAP is configured it's listening on 0.0.0.0 so all networks attached to the LLDAP container would technically have access to LDAP ports no? Thanks for your response.
kerem commented 2026-02-27 08:17:17 +03:00
Author
Owner
Copy link

@nitnelave commented on GitHub (Jul 10, 2025):

It seems you already have it configured pretty well.

If LLDAP is only exposed through docker networks, then you're in control of all the software that has access to that port. What is the threat model exactly? What specifically are you worried about?

If you're worried that one of the containers might start acting against you, do a port scan and find the unencrypted LDAP connection, first of all containers are not much protection for running untrusted code. Secondly, they also have access to the encrypted connection, so you're not exposing new capabilities.
The only protection the feature would bring is against:

  • a misconfiguration on your part, pointing a service to the unencrypted port, plus
  • malicious code able to intercept traffic between your containers (but somehow not read their env variables to get access to the secrets)

That sounds very unlikely. You can make the first one even more unlikely by changing the LDAP port from the default to a random one.

<!-- gh-comment-id:3059217302 --> @nitnelave commented on GitHub (Jul 10, 2025): It seems you already have it configured pretty well. If LLDAP is only exposed through docker networks, then you're in control of all the software that has access to that port. What is the threat model exactly? What specifically are you worried about? If you're worried that one of the containers might start acting against you, do a port scan and find the unencrypted LDAP connection, first of all containers are not much protection for running untrusted code. Secondly, they also have access to the encrypted connection, so you're not exposing new capabilities. The only protection the feature would bring is against: - a misconfiguration on your part, pointing a service to the unencrypted port, plus - malicious code able to intercept traffic between your containers (but somehow not read their env variables to get access to the secrets) That sounds very unlikely. You can make the first one even more unlikely by changing the LDAP port from the default to a random one.
kerem commented 2026-02-27 08:17:17 +03:00
Author
Owner
Copy link

@crazytimmy commented on GitHub (Jul 11, 2025):

Thanks for your response, I really appreciate the time you took to provide feedback.

I think I was just trying to practice least privileged access model. In doing so, thought I was either missing something or found an opportunity to further secure the setup with additional settings.

But I understand what you're saying and appreciate the confirmation I'm likely setup well enough the way it is. I'm a bit of an over thinker 😄

<!-- gh-comment-id:3062582468 --> @crazytimmy commented on GitHub (Jul 11, 2025): Thanks for your response, I really appreciate the time you took to provide feedback. I think I was just trying to practice least privileged access model. In doing so, thought I was either missing something or found an opportunity to further secure the setup with additional settings. But I understand what you're saying and appreciate the confirmation I'm likely setup well enough the way it is. I'm a bit of an over thinker 😄
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
dependabot/github_actions/codecov/codecov-action-6
copilot/fix-equality-filters-list-attributes
dependabot/github_actions/docker/build-push-action-7
dependabot/github_actions/docker/metadata-action-6
dependabot/github_actions/docker/setup-buildx-action-4
dependabot/github_actions/docker/login-action-4
copilot/update-download-artifact-action
copilot/fix-opensuse-warnings
copilot/fix-1268
copilot/fix-727
copilot/fix-898
copilot/fix-1256
copilot/fix-1251
copilot/fix-1249
copilot/fix-1206
user-attribute-form
user-ui
group-ui
server-user-attribute-schema
crates
haveibeenpwned
v0.6.2
v0.6.1
v0.6.0
v0.5.0
v0.4.3
v0.4.2
v0.4.1
v0.4.0
v0.3.0
v0.2.0
v0.0.1
Labels
Clear labels   
backend

   
blocked

   
bug

   
cleanup

   
dependencies

   
docker

   
documentation

   
duplicate

   
enhancement

   
enhancement

   
frontend

   
github_actions

   
good first issue

   
help wanted

   
help wanted

   
integration

   
invalid

   
ldap

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
rust

   
rust

   
tests

   
wontfix
No labels
backend
blocked
bug
cleanup
dependencies
docker
documentation
duplicate
enhancement
enhancement
frontend
github_actions
good first issue
help wanted
help wanted
integration
invalid
ldap
pull-request
question
rust
rust
tests
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/lldap-lldap#431
No description provided.