Added LDAP draft for Open WebUI - Deactivated just PoC, because OIDC is anyhow prefered

roles/web-app-openwebui/templates/env.j2

@@ -46,4 +46,40 @@ OAUTH_SCOPES=openid email profile
 # ENABLE_OAUTH_GROUP_MANAGEMENT=true
 # ENABLE_OAUTH_GROUP_CREATION=false
 # OAUTH_GROUP_CLAIM={{ RBAC.GROUP.CLAIM }}
+{% endif %}
+
+{% if OPENWEBUI_LDAP_ENABLED %}
+# =========================
+# LDAP Authentication
+# =========================
+# Enable LDAP login in parallel to OIDC (both can coexist)
+ENABLE_LDAP=true
+
+# --- Server Settings ---
+# Label shown in the UI (optional)
+LDAP_SERVER_LABEL=OpenLDAP
+# Hostname/IP and port from your global LDAP settings
+LDAP_SERVER_HOST={{ LDAP.SERVER.DOMAIN }}
+LDAP_SERVER_PORT={{ LDAP.SERVER.PORT }}
+
+# TLS: set to true for StartTLS or LDAPS (maps from your SECURITY setting)
+# SECURITY can be "", "TLS" or "SSL" in your mapping; treat TLS/SSL as true
+LDAP_USE_TLS={{ ('true' if (LDAP.SERVER.SECURITY | upper) in ['TLS','SSL'] else 'false') }}
+
+# Certificate validation (set to true if you use a proper CA; false for self-signed/dev)
+LDAP_VALIDATE_CERT={{ ('true' if (LDAP.SERVER.SECURITY | upper) in ['TLS','SSL'] else 'false') }}
+
+# --- Bind Credentials (app/service account) ---
+LDAP_APP_DN={{ LDAP.DN.ADMINISTRATOR.DATA }}
+LDAP_APP_PASSWORD={{ LDAP.BIND_CREDENTIAL }}
+
+# --- User Schema / Search ---
+# Base DN for user search
+LDAP_SEARCH_BASE={{ LDAP.DN.ROOT }}
+# Attribute used as login name (uid / sAMAccountName / mail, etc.)
+LDAP_ATTRIBUTE_FOR_USERNAME={{ LDAP.USER.ATTRIBUTES.ID }}
+# Attribute for email address
+LDAP_ATTRIBUTE_FOR_MAIL={{ LDAP.USER.ATTRIBUTES.MAIL }}
+# Search filter with placeholder for username
+LDAP_SEARCH_FILTER=({{ LDAP.USER.ATTRIBUTES.ID }}=%(user)s)
 {% endif %}