diff --git a/Chart.yaml b/Chart.yaml
index 74a2fe6..d8a1de1 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: ldap-stack
 description: OpenLDAP + phpLDAPadmin + Keycloak stack for centralized identity management with SSO support
 type: application
-version: 1.4.0
+version: 1.4.1
 appVersion: "2.6.1"
 annotations:
 artifacthub.io/signKey: |
@@ -21,11 +21,11 @@ annotations:
 - name: openldap
 image: startcodex/openldap:2.1.0
 - name: phpldapadmin
- image: phpldapadmin/phpldapadmin:latest
+ image: phpldapadmin/phpldapadmin:2.3.9
 - name: keycloak
- image: quay.io/keycloak/keycloak:latest
+ image: quay.io/keycloak/keycloak:26.6.0
 - name: ldap-sync-google
- image: startcodex/ldap-sync-google:latest
+ image: startcodex/ldap-sync-google:0.3.0
 artifacthub.io/containsSecurityUpdates: "true"
 artifacthub.io/prerelease: "false"
 artifacthub.io/changes: |
@@ -37,6 +37,10 @@ annotations:
 description: Eliminate 122 critical CVEs by replacing abandoned phpldapadmin image
 - kind: security
 description: Patch OpenSSL, MariaDB, glibc, BIND CVEs in openldap image
+ - kind: fixed
+ description: "phpLDAPadmin now auto-configures LDAP connection, base DN, and admin login"
+ - kind: added
+ description: "phpLDAPadmin supports extraEnv, ldap.loginAttr, and ldap.alertRootDN configuration"
 keywords:
 - ldap
 - openldap
diff --git a/README.md b/README.md
index 4118dfd..fba07ab 100644
--- a/README.md
+++ b/README.md
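Review bot: The `artifacthub.io/images` entries pinned in the second hunk (`phpldapadmin/phpldapadmin:2.3.9`, `quay.io/keycloak/keycloak:26.6.0`, `startcodex/ldap-sync-google:0.3.0`) repeat the `image.tag` defaults that values.yaml sets in the same commit, with nothing tying the two together, so the next bump is likely to update one and not the other; a comment on the `artifacthub.io/images:` key just above this hunk, `# keep in sync with *.image.tag in values.yaml`, records the coupling. Because the annotation value is a block scalar (`|`), Helm treats it as opaque text and nothing checks it against values.yaml. The tags are still mutable references, so if the `containsSecurityUpdates: "true"` claim is meant to be reproducible, recording the resolved digest alongside each tag (`image@sha256:<digest>`, placeholder) pins what was actually scanned. The version bump in the first hunk and the changelog entries in the third need nothing further.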
@@ -121,6 +121,11 @@ helm install ldap ldap-stack/ldap-stack \
 | Parameter | Description | Default |
 |-----------|-------------|---------|
 | `phpldapadmin.enabled` | Enable phpLDAPadmin | `true` |
+| `phpldapadmin.image.repository` | Image repository | `phpldapadmin/phpldapadmin` |
+| `phpldapadmin.image.tag` | Image tag | `latest` |
+| `phpldapadmin.ldap.loginAttr` | Login attribute (`DN` for full DN, `uid` for username) | `DN` |
+| `phpldapadmin.ldap.alertRootDN` | Block rootdn login | `false` |
+| `phpldapadmin.extraEnv` | Extra environment variables | `[]` |
 | `phpldapadmin.service.type` | Service type | `ClusterIP` |
 | `phpldapadmin.service.port` | Service port | `8080` |
 | `phpldapadmin.ingress.enabled` | Enable Ingress | `false` |
diff --git a/templates/phpldapadmin-deployment.yaml b/templates/phpldapadmin-deployment.yaml
index 0405095..3c05799 100644
--- a/templates/phpldapadmin-deployment.yaml
+++ b/templates/phpldapadmin-deployment.yaml
@@ -28,12 +28,28 @@ spec: containerPort: 8080 protocol: TCP env: + - name: APP_KEY value: "base64:{{ randAlphaNum 32 | b64enc }}" - name: LDAP_HOST value: {{ include "ldap-stack.openldap.fullname" . }} - name: LDAP_PORT value: "389" - - name: APP_KEY - value: "base64:{{ randAlphaNum 32 | b64enc }}" + - name: LDAP_BASE_DN value: {{ include "ldap-stack.openldap.baseDN" . | quote }} + - name: LDAP_USERNAME value: {{ include "ldap-stack.openldap.adminDN" . | quote }} + - name: LDAP_PASSWORD valueFrom: secretKeyRef: name: {{ include "ldap-stack.openldap.secretName" . }} key: {{ .Values.openldap.secretKeys.adminPassword | default "admin-password" }} + - name: LDAP_LOGIN_ATTR value: {{ .Values.phpldapadmin.ldap.loginAttr | default "DN" | quote }} + - name: LDAP_ALERT_ROOTDN value: {{ .Values.phpldapadmin.ldap.alertRootDN | default "false" | quote }} {{- with .Values.phpldapadmin.extraEnv }} {{- toYaml . | nindent 12 }} {{- end }} livenessProbe: httpGet: path: / 
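Review bot: In the deployment template hunk, `APP_KEY` is still derived from `randAlphaNum 32` at render time, so every `helm upgrade` produces a new key, changes the pod template and restarts phpLDAPadmin, and anything the application encrypted or signed with the previous key (presumably sessions and cookies) stops validating; the commit only moves the line to the top of `env`. Generating the key once into a Secret — `lookup` the existing Secret and fall back to `randAlphaNum` only when it is absent — and referencing it with `secretKeyRef` the way `LDAP_PASSWORD` does keeps it stable across upgrades, and a value such as `phpldapadmin.appKey` (name illustrative) would let operators supply their own. Separately, `LDAP_USERNAME` is hard-wired to `ldap-stack.openldap.adminDN` with its password taken from the OpenLDAP admin secret, so the web tier holds directory-admin credentials by default; exposing the bind DN and secret key as values would allow a least-privilege bind account, and until then a comment such as `# binds as the directory admin by default — override for a read-only bind DN` should flag it. The container spec this `env` list belongs to starts and ends outside the hunk.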
diff --git a/values.yaml b/values.yaml index 70607d3..fbb486d 100644 --- a/values.yaml +++ b/values.yaml @@ -146,9 +146,19 @@ phpldapadmin: image: repository: phpldapadmin/phpldapadmin - tag: "latest" + tag: "2.3.9" pullPolicy: IfNotPresent + # LDAP login configuration + ldap: + # Login attribute: "DN" for full DN login, or "uid" for username login + loginAttr: "DN" + # Allow rootdn login (set to "false" to allow admin DN login) + alertRootDN: "false" + + # Extra environment variables + extraEnv: [] + # Service configuration service: type: ClusterIP # ClusterIP, NodePort, LoadBalancer @@ -194,7 +204,7 @@ keycloak: image: repository: quay.io/keycloak/keycloak - tag: "latest" + tag: "26.6.0" pullPolicy: IfNotPresent # Keycloak admin credentials (REQUIRED) @@ -399,7 +409,7 @@ googleSync: image: repository: startcodex/ldap-sync-google - tag: "latest" + tag: "0.3.0" pullPolicy: IfNotPresent # Sync interval (e.g., 1h, 30m, 2h30m). Set to "0" for single run (use with CronJob)
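Review bot: In the first hunk, the comment on `alertRootDN`, `# Allow rootdn login (set to "false" to allow admin DN login)`, contradicts both the key name and the README row added in the same commit (`Block rootdn login`), and with the default `"false"` a reader cannot tell whether a rootdn login is blocked, warned about, or allowed. If the upstream variable raises a warning when the rootdn logs in (the name suggests so; confirm against the image's documentation), a comment such as `# Warn when the rootdn logs in; "false" disables the warning (default, because LDAP_USERNAME is the admin DN)` would be accurate, and the README description should be aligned with it. The README row also still lists the `phpldapadmin.image.tag` default as `latest` while this hunk sets it to `"2.3.9"`. Keeping `loginAttr` and `alertRootDN` quoted is right, since the template passes them straight through as environment-variable strings. The keycloak and googleSync hunks are plain tag pins and need nothing further.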