diff --git a/roles/web-app-openwebui/config/main.yml b/roles/web-app-openwebui/config/main.yml
index 74d2b037..ed1b2ddf 100644
--- a/roles/web-app-openwebui/config/main.yml
+++ b/roles/web-app-openwebui/config/main.yml
@@ -7,6 +7,7 @@ features:
   javascript: false
   local_ai: true
   oidc: true
+  ldap: false # default deactivated because OIDC is sufficient
 server:
   domains:
     canonical:
diff --git a/roles/web-app-openwebui/templates/env.j2 b/roles/web-app-openwebui/templates/env.j2
index d801eeac..23d333b2 100644
--- a/roles/web-app-openwebui/templates/env.j2
+++ b/roles/web-app-openwebui/templates/env.j2
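Review bot: The inline comment on the new `ldap: false` key records the rationale but not the contract: once it is set to true, env.j2 renders `LDAP.SERVER.*`, `LDAP.DN.*`, `LDAP.USER.ATTRIBUTES.*` and `LDAP.BIND_CREDENTIAL`, so an inventory that lacks those globals would presumably fail at template time rather than at login. Suggest `ldap: false  # off by default, OIDC is sufficient; enable only when the global LDAP.* settings are defined`, which also gives yamllint the two spaces it wants before an inline comment.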
@@ -46,4 +46,40 @@ OAUTH_SCOPES=openid email profile
 # ENABLE_OAUTH_GROUP_MANAGEMENT=true
 # ENABLE_OAUTH_GROUP_CREATION=false
 # OAUTH_GROUP_CLAIM={{ RBAC.GROUP.CLAIM }}
+{% endif %}
+
+{% if OPENWEBUI_LDAP_ENABLED %}
+# =========================
+# LDAP Authentication
+# =========================
+# Enable LDAP login in parallel to OIDC (both can coexist)
+ENABLE_LDAP=true
+
+# --- Server Settings ---
+# Label shown in the UI (optional)
+LDAP_SERVER_LABEL=OpenLDAP
+# Hostname/IP and port from your global LDAP settings
+LDAP_SERVER_HOST={{ LDAP.SERVER.DOMAIN }}
+LDAP_SERVER_PORT={{ LDAP.SERVER.PORT }}
+
+# TLS: set to true for StartTLS or LDAPS (maps from your SECURITY setting)
+# SECURITY can be "", "TLS" or "SSL" in your mapping; treat TLS/SSL as true
+LDAP_USE_TLS={{ ('true' if (LDAP.SERVER.SECURITY | upper) in ['TLS','SSL'] else 'false') }}
+
+# Certificate validation (set to true if you use a proper CA; false for self-signed/dev)
+LDAP_VALIDATE_CERT={{ ('true' if (LDAP.SERVER.SECURITY | upper) in ['TLS','SSL'] else 'false') }}
+
+# --- Bind Credentials (app/service account) ---
+LDAP_APP_DN={{ LDAP.DN.ADMINISTRATOR.DATA }}
+LDAP_APP_PASSWORD={{ LDAP.BIND_CREDENTIAL }}
+
+# --- User Schema / Search ---
+# Base DN for user search
+LDAP_SEARCH_BASE={{ LDAP.DN.ROOT }}
+# Attribute used as login name (uid / sAMAccountName / mail, etc.)
+LDAP_ATTRIBUTE_FOR_USERNAME={{ LDAP.USER.ATTRIBUTES.ID }}
+# Attribute for email address
+LDAP_ATTRIBUTE_FOR_MAIL={{ LDAP.USER.ATTRIBUTES.MAIL }}
+# Search filter with placeholder for username
+LDAP_SEARCH_FILTER=({{ LDAP.USER.ATTRIBUTES.ID }}=%(user)s)
 {% endif %}
\ No newline at end of file
diff --git a/roles/web-app-openwebui/vars/main.yml b/roles/web-app-openwebui/vars/main.yml
index 8f2036c4..bcd510af 100644
--- a/roles/web-app-openwebui/vars/main.yml
+++ b/roles/web-app-openwebui/vars/main.yml
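Review bot: `LDAP_SEARCH_FILTER=({{ LDAP.USER.ATTRIBUTES.ID }}=%(user)s)` reads like a django-auth-ldap style template; as far as I know Open WebUI does not expand `%(user)s` but ANDs LDAP_SEARCH_FILTER onto its own `(<LDAP_ATTRIBUTE_FOR_USERNAME>=<login>)` clause, in which case this filter can never match and every LDAP login fails — please confirm against the deployed Open WebUI version and, if so, leave the value empty or use a plain restrictive clause such as an objectClass constraint. The comment on `LDAP_VALIDATE_CERT` promises a self-signed/dev toggle, but the value is the same expression as `LDAP_USE_TLS`, so validation is tied to TLS with no independent knob; either keep that secure coupling and say so — `# Certificates are validated whenever TLS/SSL is used; there is deliberately no insecure override` — or introduce a dedicated variable. An empty `LDAP.SERVER.SECURITY` renders `LDAP_USE_TLS=false`, which sends the `LDAP_APP_PASSWORD` bind over plaintext LDAP; that deserves a comment here or an assertion in the role that rejects the combination outside development. If I recall correctly Open WebUI treats LDAP_USE_TLS as LDAPS on the configured port rather than StartTLS, so the `TLS` mapping should be checked against the port `LDAP.SERVER.PORT` carries before the "StartTLS or LDAPS" comment is kept.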
@@ -15,4 +15,5 @@ OPENWEBUI_OFFLINE_MODE: "{{ applications | get_app_conf(applicatio
 OPENWEBUI_HF_HUB_OFFLINE: "{{ applications | get_app_conf(application_id, 'docker.services.openwebui.hf_hub_offline') }}"
 OPENWEBUI_VOLUME: "{{ applications | get_app_conf(application_id, 'docker.volumes.openwebui') }}"
 OPENWEBUI_PORT_PUBLIC: "{{ ports.localhost.http[application_id] }}"
-OPENWEBUI_OIDC_ENABLED: "{{ applications | get_app_conf(application_id, 'features.oidc') }}"
\ No newline at end of file
+OPENWEBUI_OIDC_ENABLED: "{{ applications | get_app_conf(application_id, 'features.oidc') }}"
+OPENWEBUI_LDAP_ENABLED: "{{ applications | get_app_conf(application_id, 'features.ldap') }}"
\ No newline at end of file