All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Emails and UUIDs are now enforced to be unique.
- If you have several users with the same email, you'll have to disambiguate
them. You can do that by either issuing SQL commands directly
(
UPDATE users SET email = 'x@x' WHERE user_id = 'bob';
), or by reverting to a 0.4.x version of LLDAP and editing the user through the web UI. An error will prevent LLDAP 0.5+ from starting otherwise. - This was done to prevent account takeover for systems that allow to login via email.
- If you have several users with the same email, you'll have to disambiguate
them. You can do that by either issuing SQL commands directly
(
- The server private key can be set as a seed from an env variable (#504).
- This is especially useful when you have multiple containers, they don't need to share a writeable folder.
- Added support for changing the password through a plain LDAP Modify operation (as opposed to an extended operation), to allow Jellyfin to change password (#620).
- Allow creating a user with multiple objectClass (#612).
- Emails now have a message ID (#608).
- Added a warning for browsers that have WASM/JS disabled (#639).
- Added support for querying OUs in LDAP (#669).
- Added a button to clear the avatar in the UI (#358).
- Groups are now sorted by name in the web UI (#623).
- ARM build now uses musl (#584).
- Improved logging.
- Default admin user is only created if there are no admins (#563).
- That allows you to remove the default admin, making it harder to bruteforce.
- Fixed URL parsing with a trailing slash in the password setting utility (#597).
In addition to all that, there was significant progress towards #67, user-defined attributes. That complex feature will unblock integration with many systems, including PAM authentication.
- Ejabberd
- Ergo
- LibreNMS
- Mealie
- MinIO
- OpnSense
- PfSense
- PowerDnsAdmin
- Proxmox
- Squid
- Tandoor recipes
- TheLounge
- Zabbix-web
- Zulip
The repository has changed from nitnelave/lldap
to lldap/lldap
, both on GitHub
and on DockerHub (although we will keep publishing the images to
nitnelave/lldap
for the foreseeable future). All data on GitHub has been
migrated, and the new docker images are available both on DockerHub and on the
GHCR under lldap/lldap
.
- EC private keys are not supported for LDAPS.
- SMTP user no longer has a default value (and instead defaults to unauthenticated).
- WASM payload is now delivered uncompressed to Safari due to a Safari bug.
- Password reset no longer redirects to login page.
- NextCloud config should add the "mail" attribute.
- GraphQL parameters are now urldecoded, to support special characters in usernames.
- Healthcheck correctly checks the server certificate.
- Home Assistant
- Shaarli
- Add support for MySQL/MariaDB/PostgreSQL, in addition to SQLite.
- Healthcheck command for docker setups.
- User creation through LDAP.
- IPv6 support.
- Dev container for VsCode.
- Add support for DN LDAP filters.
- Add support for SubString LDAP filters.
- Add support for LdapCompare operation.
- Add support for unencrypted/unauthenticated SMTP connection.
- Add a command to setup the database schema.
- Add a tool to set a user's password from the command line.
- Added consistent release artifacts.
- Payload is now compressed, reducing the size to 700kb.
- entryUUID is returned in the default LDAP fields.
- Slightly improved support for LDAP browsing tools.
- Password reset can be identified by email (instead of just username).
- Various front-end improvements, and support for dark mode.
- Add content-type header to the password reset email, fixing rendering issues in some clients.
- Identify groups with "cn" instead of "uid" in memberOf field.
- Removed dependency on nodejs/rollup.
- Email is now using the async API.
- Fix handling of empty/null names (display, first, last).
- Obscured old password field when changing password.
- Respect user setting to disable password resets.
- Fix handling of "present" filters with unknown attributes.
- Fix handling of filters that could lead to an ambiguous SQL query.
- Authentik
- Dell iDRAC
- Dex
- Kanboard
- NextCloud + OIDC or Authelia
- Nexus
- SUSE Rancher
- VaultWarden
- WeKan
- WikiJS
- ZendTo
- Upgraded Yew to 0.19
- Upgraded actix to 0.13
- Upgraded clap to 4
- Switched from sea-query to sea-orm 0.11
- Added support for STARTTLS for SMTP.
- Added support for user profile pictures, including importing them from OpenLDAP.
- Added support for every config value to be specified in a file.
- Added support for PKCS1 keys.
- The
dn
attribute is no longer returned as an attribute (it's still part of the response). - Empty attributes are no longer returned.
- The docker image now uses the locally-downloaded assets.
The lldap_readonly
group has been renamed lldap_password_manager
(migration happens automatically) and a new lldap_strict_readonly
group was introduced.
- A new
lldap_strict_readonly
group allows granting readonly rights to users (not able to change other's passwords, in particular).
- The
lldap_readonly
group is renamedlldap_password_manager
since it still allows users to change (non-admin) passwords.
- The
lldap_readonly
group was removed.
As part of the update, the database will do a one-time automatic migration to add UUIDs and group creation times.
- Added support and documentation for many services:
- Apache Guacamole
- Bookstack
- Calibre
- Dolibarr
- Emby
- Gitea
- Grafana
- Jellyfin
- Matrix Synapse
- NextCloud
- Organizr
- Portainer
- Seafile
- Syncthing
- WG Portal
- New migration tool from OpenLDAP.
- New docker images for alternate architectures (arm64, arm/v7).
- Added support for LDAPS.
- New readonly group.
- Added UUID attribute for users and groups.
- Frontend now uses the refresh tokens to reduce the number of logins needed.
- Much improved logging format.
- Simplified API login.
- Allowed non-admins to run search queries on the content they can see.
- "cn" attribute now returns the Full Name, not Username.
- Unknown attributes now warn instead of erroring.
- Introduced a list of attributes to silence those warnings.
- Deprecated "cn" as LDAP username, "uid" is the correct attribute.
- Usernames, objectclass and attribute names are now case insensitive.
- Handle "1.1" and other wildcard LDAP attributes.
- Handle "memberOf" attribute.
- Handle fully-specified scope.
- Prevent SQL injections due to interaction between two libraries.