PhotoPrism® Pro lets you authenticate users against a central Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server so that users on the corporate network can sign in with their existing usernames and passwords. See Environment Variables and CLI Flags for more information on the configuration options.

Config Options

| Environment | CLI Flag | Default | Description |
|---|---|---|---|
| PHOTOPRISM_LDAP_URI | --ldap-uri | | LDAP directory URI, e.g. ldaps://example.com:636 for LDAP over SSL/TLS |
| PHOTOPRISM_LDAP_CERT | --ldap-cert | | LDAP directory SSL/TLS certificate FILENAME (.pem) |
| PHOTOPRISM_LDAP_INSECURE | --ldap-insecure | false | skips SSL/TLS certificate verification when using LDAPS |
| PHOTOPRISM_LDAP_CHASE | --ldap-chase | false | automatically chases referrals when there are multiple LDAP servers |
| PHOTOPRISM_LDAP_CHASE_INSECURE | --ldap-chase-insecure | false | skips SSL/TLS certificate verification when chasing referrals |
| PHOTOPRISM_LDAP_SYNC | --ldap-sync | false | updates name, email, role, and attributes from LDAP directory on login |
| PHOTOPRISM_LDAP_BIND | --ldap-bind | simple | LDAP authentication TYPE (simple, md5) |
| PHOTOPRISM_LDAP_BIND_DN | --ldap-bind-dn | userprincipalname | LDAP username attribute DN, e.g. cn or userprincipalname |
| PHOTOPRISM_LDAP_BASE_DN | --ldap-base-dn | | LDAP directory base DN, e.g. dc=example,dc=com |
| PHOTOPRISM_LDAP_ROLE | --ldap-role | | LDAP default ROLE (admin, manager, user, viewer, contributor, guest), leave blank for none |
| PHOTOPRISM_LDAP_ROLE_DN | --ldap-role-dn | | custom LDAP group or attribute DN for specifying the role |
| PHOTOPRISM_LDAP_NOLOGIN | --ldap-nologin | false | disables web login for new LDAP users by default |
| PHOTOPRISM_LDAP_NOLOGIN_DN | --ldap-nologin-dn | | custom LDAP attribute DN to disable web login |
| PHOTOPRISM_LDAP_WEBDAV | --ldap-webdav | false | allows new LDAP users to use WebDAV when they have a role that allows it |
| PHOTOPRISM_LDAP_WEBDAV_DN | --ldap-webdav-dn | | custom LDAP attribute DN to enable WebDAV access |
| PHOTOPRISM_LDAP_BASE_PATH_DN | --ldap-base-path-dn | | user base path LDAP attribute DN |
| PHOTOPRISM_LDAP_UPLOAD_PATH_DN | --ldap-upload-path-dn | | user upload path LDAP attribute DN |
| PHOTOPRISM_DISABLE_LDAP | --disable-ldap | false | disables authentication via LDAP |

Attributes in LDAP are not case sensitive, so it doesn’t matter if you use upper or lower case for them in the configuration.

Docker Compose Example

services:
  photoprism:
    ...
    environment:
      ## LDAP Authentication
      PHOTOPRISM_LDAP_URI: "ldaps://ldap.example.com:636"
      PHOTOPRISM_LDAP_INSECURE: "false"
      PHOTOPRISM_LDAP_SYNC: "true"
      PHOTOPRISM_LDAP_BIND: "simple"
      PHOTOPRISM_LDAP_BIND_DN: "userprincipalname"
      PHOTOPRISM_LDAP_BASE_DN: "dc=example,dc=com"
      PHOTOPRISM_LDAP_ROLE: ""
      PHOTOPRISM_LDAP_ROLE_DN: "ou=photoprism-*,ou=groups,dc=example,dc=com"
      PHOTOPRISM_LDAP_NOLOGIN: "false"
      PHOTOPRISM_LDAP_WEBDAV: "true"

Server URI & Certificate

The URI of the LDAP or Active Directory server must be specified in the format ldap://hostname:port for plain LDAP and ldaps://hostname:port for LDAPS (LDAP over SSL/TLS). The default ports are 389 for LDAP and 636 for LDAPS.

If the directory server does not have a certificate signed by a trusted certificate authority, you can either set PHOTOPRISM_LDAP_INSECURE to true, which skips certificate verification and therefore ignores SSL/TLS certificate errors, or trust a self-signed certificate by placing a .pem file in the /config/certificates storage folder and referencing it with PHOTOPRISM_LDAP_CERT.

User Bind DN

The Bind DN (Distinguished Name) is used to identify your account when you authenticate through the LDAP/AD directory server. PhotoPrism also uses it in combination with the Base DN to retrieve and synchronize user attributes such as the email address, display name, and role, if specified. It is usually set to the Common Name (CN) of the account or the UPN (UserPrincipalName) in Active Directory, which is an email-like identifier such as user@example.com. However, UPNs don’t necessarily require a valid domain.

Directory Base DN

The Base DN is the starting point when searching for users within the directory. It is commonly set to the domain components (DC) of your organization, for example dc=example,dc=com.

Specifying User Roles

The default role for users authenticated via LDAP/AD can be specified with PHOTOPRISM_LDAP_ROLE.

You can additionally specify a custom role attribute with PHOTOPRISM_LDAP_ROLE_DN, for example photoprismrole. To indicate the role, you can then map the attribute to the name of a valid role in lowercase, for example photoprismrole="viewer". Note that the attribute name is not case sensitive, but the values should be lowercase, e.g. admin, true or false.

Alternatively, you can specify a group DN in PHOTOPRISM_LDAP_ROLE_DN and use * as a placeholder for the role name, e.g. ou=photoprism-*,ou=groups,dc=example,dc=com.
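As an added example (not PhotoPrism's own code), this shows how the group-DN form of PHOTOPRISM_LDAP_ROLE_DN can be resolved: the * in the pattern is matched against the user's group DNs, the captured name is checked against the roles listed above, and the default role is used otherwise. That the first matching group wins and that role names are compared in exact (lowercase) form are assumptions, not behaviour stated on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// Role names the page lists for PHOTOPRISM_LDAP_ROLE; any other match is ignored.
var validRoles = map[string]bool{"admin": true, "manager": true, "user": true,
	"viewer": true, "contributor": true, "guest": true}

// RoleFromGroups maps a user's group DNs onto a role via a PHOTOPRISM_LDAP_ROLE_DN
// pattern such as "ou=photoprism-*,ou=groups,dc=example,dc=com", where * stands for
// the role name. Role names are expected in lowercase, as the page requires, so the
// comparison is exact. The first matching group wins (assumption; the page does not
// say). Without a *, without a match, or with an unknown role, defaultRole is used.
func RoleFromGroups(groups []string, pattern, defaultRole string) string {
	prefix, suffix, ok := strings.Cut(pattern, "*")
	if !ok {
		return defaultRole
	}
	for _, g := range groups {
		if len(g) <= len(prefix)+len(suffix) || !strings.HasPrefix(g, prefix) || !strings.HasSuffix(g, suffix) {
			continue
		}
		// The text between prefix and suffix is the candidate role name.
		if role := g[len(prefix) : len(g)-len(suffix)]; validRoles[role] {
			return role
		}
	}
	return defaultRole
}

func main() {
	// Constructed group memberships for a synced user; photoprism-viewer grants "viewer".
	groups := []string{
		"cn=staff,ou=groups,dc=example,dc=com",
		"ou=photoprism-viewer,ou=groups,dc=example,dc=com",
	}
	pattern := "ou=photoprism-*,ou=groups,dc=example,dc=com"
	fmt.Println(RoleFromGroups(groups, pattern, "guest"))     // viewer
	fmt.Println(RoleFromGroups(groups[:1], pattern, "guest")) // guest: no matching group
}
```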


Custom Attributes

Additional custom user attributes can be specified with the PHOTOPRISM_LDAP_NOLOGIN_DN, PHOTOPRISM_LDAP_WEBDAV_DN, PHOTOPRISM_LDAP_BASE_PATH_DN and PHOTOPRISM_LDAP_UPLOAD_PATH_DN config options. Note that attribute names are not case sensitive in LDAP.

Instead of only providing an attribute name in PHOTOPRISM_LDAP_NOLOGIN_DN and PHOTOPRISM_LDAP_WEBDAV_DN, you can alternatively specify a key and value like primaryGroupID=500.

If no custom attribute has been configured or the attribute value is empty, the default will be used.
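The following added example (not PhotoPrism's own code) shows how a custom attribute spec in either the bare-name or the key=value form can be evaluated against a user's attributes, falling back to the option's default when the attribute is missing or empty as described above. The attribute names photoprismWebDAV and photoprismNoLogin are hypothetical, and the rule that a key=value spec whose value does not match yields false rather than the default is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// Flag resolves a boolean option such as PHOTOPRISM_LDAP_NOLOGIN or PHOTOPRISM_LDAP_WEBDAV
// from a custom attribute spec given in the matching *_DN option. A bare attribute
// name ("photoprismnologin") reads the value as "true"/"false"; a key=value spec
// ("primaryGroupID=500") is true only when the attribute holds that value (assumption:
// a present but non-matching value yields false). Attribute names match
// case-insensitively, values are compared exactly since the page asks for lowercase
// values. An empty spec, a missing attribute or an empty value returns def.
func Flag(entry map[string][]string, spec string, def bool) bool {
	name, want, hasValue := strings.Cut(spec, "=")
	if name == "" {
		return def
	}
	var values []string
	for attr, v := range entry {
		if strings.EqualFold(attr, name) {
			values = v
			break
		}
	}
	if len(values) == 0 || values[0] == "" {
		return def
	}
	if hasValue {
		for _, v := range values {
			if v == want {
				return true
			}
		}
		return false
	}
	switch values[0] {
	case "true":
		return true
	case "false":
		return false
	}
	return def // not a boolean value: treat as unset
}

func main() {
	// Constructed attributes of a directory user (hypothetical attribute names).
	entry := map[string][]string{"primaryGroupID": {"513"}, "photoprismWebDAV": {"true"}}
	fmt.Println(Flag(entry, "primaryGroupID=500", false)) // false: value is 513, not 500
	fmt.Println(Flag(entry, "photoprismwebdav", false))   // true: name matched case-insensitively
	fmt.Println(Flag(entry, "photoprismNoLogin", false))  // false: attribute missing, default used
}
```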

Command-Line Tools

Troubleshooting

To test the connection to your LDAP/AD server, view user attributes, and troubleshoot problems, you can use the built-in ldap search subcommand, as shown in this example:

docker compose exec photoprism photoprism ldap search -D bob@example.com cn=bob

Users of Red Hat-based Linux distributions can substitute Docker with Podman:

podman-compose exec photoprism photoprism ldap search -D bob@example.com cn=bob

You can combine it with these flags to change the output format, the maximum number of search results and the credentials used for authentication:

| Command Flag | Description |
|---|---|
| --md, -m | format as machine-readable Markdown |
| --csv, -c | export as semicolon separated values |
| --tsv, -t | export as tab separated values |
| -n LIMIT | LIMIT number of results (default: 100) |
| -b DN | LDAP/AD directory base DN to search, e.g. dc=example,dc=com |
| -D DN | the DN to use to bind to the directory server when performing simple authentication |
| -w PASSWORD | the PASSWORD to use to bind to the directory server when performing simple authentication |

If you need additional authentication or query options, we recommend using the freely available ldapsearch command, which is included in most Unix-like operating systems as part of the LDAP utilities package.

User accounts authenticated with LDAP/AD can be searched with the following command:

docker compose exec photoprism photoprism ldap ls

Viewing the Current Config Values

To view the current values of all config options, you can run the following:

docker compose exec photoprism photoprism show config

To display all supported config options and their default values:

docker compose exec photoprism photoprism show config-options

Note that our guides use the new docker compose command by default. If your server does not yet support it, the old docker-compose command will still work.

Users of Red Hat Enterprise Linux® and compatible Linux distributions such as CentOS, Fedora, AlmaLinux, and Rocky Linux can substitute the docker and docker compose commands with podman and podman-compose as drop-in replacements.
