Authelia + OpenLDAP + Ldap User Manager

authelia-config.yml

ldap:
    ## The LDAP implementation, this affects elements like the attribute utilised for resetting a password.
    ## Acceptable options are as follows:
    ## - 'activedirectory' - For Microsoft Active Directory.
    ## - 'custom' - For custom specifications of attributes and filters.
    ## This currently defaults to 'custom' to maintain existing behaviour.
    ##
    ## Depending on the option here certain other values in this section have a default value, notably all of the
    ## attribute mappings have a default value that this config overrides, you can read more about these default values
    ## at https://www.authelia.com/docs/configuration/authentication/ldap.html#defaults
    implementation: custom

    ## The url to the ldap server. Format: <scheme>://<address>[:<port>].
    ## Scheme can be ldap or ldaps in the format (port optional).
    url: ldap://openldap

    ## Use StartTLS with the LDAP connection.
    start_tls: false

    tls:
      ## Server Name for certificate validation (in case it's not set correctly in the URL).
      # server_name: ldap.example.com

      ## Skip verifying the server certificate (to allow a self-signed certificate).
      ## In preference to setting this we strongly recommend you add the public portion of the certificate to the
      ## certificates directory which is defined by the `certificates_directory` option at the top of the config.
      skip_verify: false

      ## Minimum TLS version for either Secure LDAP or LDAP StartTLS.
      minimum_version: TLS1.2

    ## The distinguished name of the container searched for objects in the directory information tree.
    ## See also: additional_users_dn, additional_groups_dn.
    base_dn: dc=domain,dc=tld

    ## The attribute holding the username of the user. This attribute is used to populate the username in the session
    ## information. It was introduced due to #561 to handle case insensitive search queries. For you information,
    ## Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP usually uses 'uid'. Beware that this
    ## attribute holds the unique identifiers for the users binding the user and the configuration stored in database.
    ## Therefore only single value attributes are allowed and the value must never be changed once attributed to a user
    ## otherwise it would break the configuration for that user. Technically, non-unique attributes like 'mail' can also
    ## be used but we don't recommend using them, we instead advise to use the attributes mentioned above
    ## (sAMAccountName and uid) to follow https://www.ietf.org/rfc/rfc2307.txt.
    # username_attribute: uid

    ## The additional_users_dn is prefixed to base_dn and delimited by a comma when searching for users.
    ## i.e. with this set to OU=Users and base_dn set to DC=a,DC=com; OU=Users,DC=a,DC=com is searched for users.
    additional_users_dn: ou=people

    ## The users filter used in search queries to find the user profile based on input filled in login form.
    ## Various placeholders are available in the user filter:
    ## - {input} is a placeholder replaced by what the user inputs in the login form.
    ## - {username_attribute} is a mandatory placeholder replaced by what is configured in `username_attribute`.
    ## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`.
    ##
    ## Recommended settings are as follows:
    ## - Microsoft Active Directory: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
    ## - OpenLDAP:
    ##   - (&({username_attribute}={input})(objectClass=person))
    ##   - (&({username_attribute}={input})(objectClass=inetOrgPerson))
    ##
    ## To allow sign in both with username and email, one can use a filter like
    ## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
    users_filter: (&({username_attribute}={input})(objectClass=person))

    ## The additional_groups_dn is prefixed to base_dn and delimited by a comma when searching for groups.
    ## i.e. with this set to OU=Groups and base_dn set to DC=a,DC=com; OU=Groups,DC=a,DC=com is searched for groups.
    additional_groups_dn: ou=groups

    ## The groups filter used in search queries to find the groups of the user.
    ## - {input} is a placeholder replaced by what the user inputs in the login form.
    ## - {username} is a placeholder replace by the username stored in LDAP (based on `username_attribute`).
    ## - {dn} is a matcher replaced by the user distinguished name, aka, user DN.
    ## - {username_attribute} is a placeholder replaced by what is configured in `username_attribute`.
    ## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`.
    ##
    ## If your groups use the `groupOfUniqueNames` structure use this instead:
    ##    (&(uniquemember={dn})(objectclass=groupOfUniqueNames))
    #groups_filter: (&(member={dn})(objectclass=groupOfNames))
    groups_filter: (&(uniquemember={dn})(objectclass=groupOfUniqueNames))
    ## The attribute holding the name of the group.
    group_name_attribute: cn

    ## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the
    ## first one returned by the LDAP server is used.
    # mail_attribute: mail

    ## The attribute holding the display name of the user. This will be used to greet an authenticated user.
    # display_name_attribute: displayname

    ## The username and password of the admin user.
    user: cn=admin,dc=domain,dc=tld
    ## Password can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
    password: adminpasswordsetvialdapusermanager

docker-compose.yaml

version: '3.3'
services:
  authelia:
    image: authelia/authelia
    container_name: authelia
    volumes:
      - ./authelia:/config
    networks:
      - default
    ports:
      - 9191:9091
    depends_on:
      - openldap
    restart: always
    environment:
      - TZ=Europe/London
  openldap:
    image: osixia/openldap:latest
    container_name: openldap
    hostname: #doesn't have to be accesible outside of docker network e.x ldap.example.com
    volumes:
      - ./ldap/db:/var/lib/ldap
      - ./ldap/conf:/etc/ldap/slapd.d
    networks:
      - default
    expose:
      - 389
      - 636
    restart: always
    environment:
      TZ: "Europe/London"
      LDAP_ORGANISATION: "" # Org name
      LDAP_DOMAIN: "" # domain.tld
      LDAP_BASE_DN: "dc=domain,dc=tld" # edit domain tld
      LDAP_ADMIN_PASSWORD: "" # password for [email protected]
      LDAP_CONFIG_PASSWORD: "" # password for config (not sure what this does)
      LDAP_TLS_VERIFY_CLIENT: "try"
      LDAP_READONLY_USER: "false"
      LDAP_READONLY_USER_USERNAME: "readonly"
      LDAP_READONLY_USER_PASSWORD: "readonly"
      LDAP_RFC2307BIS_SCHEMA: "true"
      LDAP_BACKEND: "mdb"
      LDAP_REPLICATION: "false"
      KEEP_EXISTING_CONFIG: "false"
      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"

  ldap-user-manager:
    image: wheelybird/ldap-user-manager:latest
    container_name: ldap-user-manager
    networks:
      - default
    ports:
      - 8785:80
    restart: always
    depends_on:
      - openldap
    environment:
      TZ: "Europe/Lisbon"
      SERVER_HOSTNAME: "" # url for webui
      ORGANISATION_NAME: "" # Org name
      LDAP_URI: "ldap://openldap"
      LDAP_BASE_DN: "dc=hostanme,dc=tld" # edit domain tld same as above 
      LDAP_REQUIRE_STARTTLS: "FALSE"
      LDAP_ADMINS_GROUP: "admins" # admin group
      LDAP_ADMIN_BIND_DN: "cn=admin,dc=hostname,dc=tld" # edit domain tld
      LDAP_ADMIN_BIND_PWD: "" # admin password set above 
      LDAP_DEBUG: "true"
      LDAP_USES_NIS_SCHEMA: "false"
      LDAP_IGNORE_CERT_ERRORS: "true"
      LDAP_REQUIRE_STARTTLS: "false"
      EMAIL_DOMAIN: "" # email @this.part.here
      NO_HTTPS: "true"
      SMTP_HOSTNAME: "" # email SMTP 
      SMTP_HOST_PORT: 465
      SMTP_USERNAME: "" # email username (usually your email)
      SMTP_PASSWORD: "" #email password
      SMTP_USE_TLS: "true"
      EMAIL_FROM_ADDRESS: "" # your email address
      REMOTE_HTTP_HEADERS_LOGIN: "TRUE"

Very convenient reference and starting point. Thanks for sharing!

@cyqsimon just noticed that this is outdated and potentialy dangerous.
Make sure to use image: wheelybird/ldap-user-manager:latest instead of next_release

@cyqsimon just noticed that this is outdated and potentialy dangerous. Make sure to use image: wheelybird/ldap-user-manager:latest instead of next_release

Got it. Thanks for the heads-up!

ldap:
    address: 'ldap://openldap'
    implementation: 'custom'
    timeout: '5s'
    start_tls: false
    tls:
      skip_verify: false
      minimum_version: 'TLS1.2'
    base_dn: 'dc=example,dc=tld'
    additional_users_dn: 'ou=people'
    users_filter: '(&({username_attribute}={input})(objectClass=person))'
    additional_groups_dn: 'ou=groups'
    groups_filter: '(&(uniquemember={dn})(objectclass=groupOfUniqueNames))'
    user: 'cn=admin,dc=example,dc=tld'
    password: <secrect>
    attributes:
       distinguished_name: 'distinguishedName'
       username: 'uid'
       display_name: 'displayName'
       mail: 'mail'
       member_of: 'memberOf'
       group_name: 'cn'

above is my configuration.yml file for authelia. Everything works properly but the only issue I am facing is that it does not show any username or display name in authelia UI. Generally, it shows Hi 'USER'. Any Help? TIA