Running OpenEMR with in-cluster LDAP authentication via lldap

If you’re running OpenEMR on Red Hat OpenShift — particularly the free Developer Sandbox — you’ve probably run into the challenge of wanting LDAP authentication without the complexity of standing up a full directory service or depending on an external one.

I’ve been working on a container project that solves this: lldap-on-openshift deploys lldap, a lightweight Rust-based LDAP server, directly into the same namespace as OpenEMR. Authentication traffic stays on the pod network and never leaves the cluster.

Why lldap instead of OpenLDAP?

openldap-servers was removed from RHEL 8 and all downstream distributions. Getting OpenLDAP running under OpenShift’s restricted Security Context Constraints is a significant challenge — it requires runtime chown and gosu calls that the restricted SCC won’t allow. lldap’s binary runs natively as an arbitrary UID with no privilege escalation needed, and it includes a web UI for managing users without any LDIF files or command-line tools.

Connecting to OpenEMR 8.x

Navigate to Admin → Config → Security and set:

  • Use LDAP for Authentication — enabled

  • LDAP - Server Name or URI: ldap://lldap:3890

  • LDAP - Distinguished Name of User: uid={login},ou=people,dc=example,dc=com

One important note: OpenEMR validates the password against lldap but still requires the user to exist in its own database. Create the user in lldap first, then create a matching record in OpenEMR under Admin → User Administration with the same username. The OpenEMR password is ignored once LDAP is enabled.
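An added example, not code from the post or the lldap project: a dependency-free pre-flight check that binds to lldap exactly the way OpenEMR will with the settings above, so you can confirm the directory side (DN template, base DN, password) before enabling LDAP in OpenEMR. It assumes OpenEMR substitutes {login} with the username in the DN template, and that port 3890 on the lldap service is reachable from where you run it (e.g. a pod in the same namespace).

```python
import socket
# Values from the post; change the dc= parts to match your lldap base DN.
LDAP_HOST, LDAP_PORT = "lldap", 3890
DN_TEMPLATE = "uid={login},ou=people,dc=example,dc=com"

def _ber(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def _tlv(buf: bytes, off: int):
    """Decode one BER TLV at offset; returns (tag, body, next_offset)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n

def bind_request(dn: str, password: str, msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] } (RFC 4511)."""
    bind = _ber(0x60, _ber(0x02, b"\x03")                 # version 3
                      + _ber(0x04, dn.encode())           # bind DN
                      + _ber(0x80, password.encode()))    # simple auth [0]
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + bind)

def bind_result_code(response: bytes) -> int:
    """resultCode from a BindResponse: 0 = success, 49 = invalidCredentials."""
    _, msg, _ = _tlv(response, 0)           # LDAPMessage SEQUENCE
    _, _, off = _tlv(msg, 0)                # messageID
    tag, bind_resp, _ = _tlv(msg, off)      # BindResponse [APPLICATION 1]
    if tag != 0x61:
        raise ValueError(f"unexpected LDAP operation tag 0x{tag:02x}")
    _, code, _ = _tlv(bind_resp, 0)         # resultCode ENUMERATED
    return int.from_bytes(code, "big")

def check_login(login: str, password: str, host=LDAP_HOST, port=LDAP_PORT) -> int:
    """Bind as the user the way OpenEMR will (assumes {login} -> username)."""
    dn = DN_TEMPLATE.replace("{login}", login)
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(bind_request(dn, password))
        return bind_result_code(s.recv(4096))

if __name__ == "__main__":  # usage: python ldap_check.py <username>
    import sys, getpass
    print("resultCode =", check_login(sys.argv[1], getpass.getpass("Password: ")))
```

A resultCode of 0 means lldap accepted the credentials; 49 means the DN or password is wrong, which is the first thing to rule out before blaming the OpenEMR user record.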

Resources

The project includes an Ansible playbook that handles everything — TLS cert injection via OpenShift’s service cert controller, PVC provisioning, and deployment — in a single command:

ansible-playbook -i localhost, deploy.yml

Cleanup is equally simple:

ansible-playbook -i localhost, deploy.yml -e deploy_action=delete

GitHub: ryannix123/lldap-on-openshift (Self contained openldap server for OpenShift projects)
Image: quay.io/ryan_nix/lldap-openshift:latest (multi-arch, rebuilt weekly)

Happy to answer questions from anyone running OpenEMR on Kubernetes or OpenShift.
