A web-based administration interface for managing Authelia authentication server with LLDAP.

• Management of users and groups in LLDAP
• View and manage TOTP configurations
• View TOTP history
• Management of banned users and IPs
• Dedicated role for management of regular users (user_manager)
• Dedicated role for management of passwords of regular users (password_manager)
• Internationalization
• Ability to add another directory system

• Management of attributes of users and groups
• PostgreSQL engine for Authelia
• Browsing and management of users in Authelia file provider

Configuration can be provided via YAML file or environment variables. Environment variables specific to the application use the AAD_ prefix and override YAML values.

Don't forget to configure your load balancer. Authelia Admin CP should be accessible at https://{{AAD_AUTHELIA_DOMAIN}}/auth-admin/.

You need to specify only the following environment variables for a minimal instance:

• AAD_AUTHELIA_DOMAIN - Domain of Authelia server for authentication of requests, e.g., auth.yourdomain.com
• TRUSTED_ORIGINS - Trusted origins for CSRF protection, e.g., https://auth.yourdomain.com

Example of config.yml for authelia-admin:

# Logging level (DEBUG, INFO, WARN, ERROR). Default: WARN
# Can be overridden by AAD_LOGLEVEL environment variable
logging_level: WARN

authelia:
  # Domain where Authelia is accessible
  domain: auth.localhost.test
  # Name of the session cookie used by Authelia
  cookie_name: authelia_session
  # Minimum authentication level required (1=password, 2=2FA)
  min_auth_level: 2
  # Optional: List of allowed users (if not set, all authenticated users are allowed)
  # allowed_users:
  #   - admin
  #   - user2

# Directory service configuration
directory:
  # Type of directory service (currently only lldap-graphql is supported)
  type: lldap-graphql
  # Configuration for LLDAP GraphQL backend
  lldap-graphql:
    endpoint: http://lldap:17170/api/graphql
    user: admin
    password: admin1234
    ldap_host: lldap
    ldap_port: 3890
    # LDAP base DN (required for password changes)
    ldap_base_dn: dc=example,dc=com

The application runs on port 9093 and expects the Authelia database to be mounted.

docker run -p 9093:9093 \
  -v /path/to/authelia/config:/config \
  -v /path/to/authelia/data:/data \
  -v /path/to/authelia-admin/config.yml:/opt/authelia-admin/config.yml:ro \
  -e AAD_LOGLEVEL=DEBUG \
  -e TRUSTED_ORIGINS=https://auth.yourdomain.com \
  ghcr.io/asalimonov/authelia-admin:latest

Alternatively, using environment variables instead of a config file:

docker run -p 9093:9093 \
  -v /path/to/authelia/config:/config \
  -v /path/to/authelia/data:/data \
  -e AAD_LOGLEVEL=DEBUG \
  -e AAD_AUTHELIA_DOMAIN=auth.yourdomain.com \
  -e AAD_DIRECTORY_LLDAP_GRAPHQL_ENDPOINT=http://lldap:17170/api/graphql \
  -e AAD_DIRECTORY_LLDAP_GRAPHQL_USER=admin \
  -e AAD_DIRECTORY_LLDAP_GRAPHQL_PASSWORD=secret \
  -e TRUSTED_ORIGINS=https://auth.yourdomain.com \
  ghcr.io/asalimonov/authelia-admin:latest

Note: When deploying with a reverse proxy, ensure the TRUSTED_ORIGINS matches your domain for CSRF protection.

See docker-compose.yml for a complete example with Authelia, LLDAP, and Traefik.

# Install dependencies and build docker image
make build-dev

# Run Authelia, LLDAP, and Traefik via Docker Compose
make run-docker-compose

# In a second terminal, run Docker with authelia-admin with hot-reload
make run-dev

Use admin user with admin1234 password. The confirmation code can be found in the ./test-data/authelia/notification.txt file.

• Node.js 22+
• Access to Authelia's configuration file
• Access to Authelia's SQLite database
• Access to GraphQL and LDAP interfaces of LLDAP

This application requires administrative access to Authelia's configuration and database. It should be deployed behind proper authentication and only accessible by authorized administrators.