start-codex · llulioscesar · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026
diff --git a/Chart.yaml b/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: ldap-stack
 description: OpenLDAP + phpLDAPadmin + Keycloak stack for centralized identity management with SSO support
 type: application
-version: 1.4.1
+version: 1.4.2
 appVersion: "2.6.1"
 annotations:
   artifacthub.io/signKey: |

diff --git a/README.md b/README.md
@@ -123,7 +123,7 @@ helm install ldap ldap-stack/ldap-stack \
 | `phpldapadmin.enabled` | Enable phpLDAPadmin | `true` |
 | `phpldapadmin.image.repository` | Image repository | `phpldapadmin/phpldapadmin` |
 | `phpldapadmin.image.tag` | Image tag | `latest` |
-| `phpldapadmin.ldap.loginAttr` | Login attribute (`DN` for full DN, `uid` for username) | `DN` |
+| `phpldapadmin.ldap.loginAttr` | Login attribute (`uid` for username, `DN` for full DN) | `uid` |
 | `phpldapadmin.ldap.alertRootDN` | Block rootdn login | `false` |
 | `phpldapadmin.extraEnv` | Extra environment variables | `[]` |
 | `phpldapadmin.service.type` | Service type | `ClusterIP` |
@@ -292,6 +292,56 @@ metrics:
     interval: "30s"
 ```
 
+## Upgrading from osixia/phpldapadmin
+
+Chart 1.4.x replaces `osixia/phpldapadmin` (abandoned, Debian 10 EOL, 122 critical CVEs) with `phpldapadmin/phpldapadmin` (leenooks, Alpine, PHP 8.4, actively maintained).
+
+### Login changes
+
+The new phpLDAPadmin uses `uid` attribute for login by default. This means:
+
+- **Regular users**: Login with their `uid` (e.g., `julio.caicedo`) and LDAP password. Works out of the box.
+- **Admin (rootdn)**: The default `cn=admin,dc=example,dc=com` is a virtual rootdn with **no real LDAP entry**. The new phpLDAPadmin requires the DN to exist as an entry to complete login. Login with DN will authenticate but then fail with "DN doesn't exist".
+
+### Solution for admin access
+
+Create a real admin user entry in LDAP:
+
+```bash
+kubectl exec -i <openldap-pod> -- ldapadd -x -H ldap://localhost:389 \
+  -D "cn=admin,dc=example,dc=com" -w <admin-password> <<EOF
+dn: cn=LDAP Admin,ou=users,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: top
+cn: LDAP Admin
+sn: Admin
+givenName: LDAP
+uid: admin
+uidNumber: 999
+gidNumber: 999
+homeDirectory: /nonexistent
+loginShell: /usr/sbin/nologin
+EOF
+
+# Set the password (same as rootdn or a dedicated one)
+kubectl exec <openldap-pod> -- ldappasswd -x -H ldap://localhost:389 \
+  -D "cn=admin,dc=example,dc=com" -w <admin-password> \
+  -s <new-password> "cn=LDAP Admin,ou=users,dc=example,dc=com"
+```
+
+Then login with `admin` as USER ID and the password you set.
+
+### Port change
+
+The service port changes from `80` to `8080` (container port). If you expose phpLDAPadmin via LoadBalancer or Ingress on port 80, set:
+
+```yaml
+phpldapadmin:
+  service:
+    port: 80  # external port, maps to container 8080
+```
+
 ## Troubleshooting
 
 ### Check pod status

diff --git a/templates/phpldapadmin-deployment.yaml b/templates/phpldapadmin-deployment.yaml
@@ -44,7 +44,7 @@ spec:
                   name: {{ include "ldap-stack.openldap.secretName" . }}
                   key: {{ .Values.openldap.secretKeys.adminPassword | default "admin-password" }}
             - name: LDAP_LOGIN_ATTR
-              value: {{ .Values.phpldapadmin.ldap.loginAttr | default "DN" | quote }}
+              value: {{ .Values.phpldapadmin.ldap.loginAttr | default "uid" | quote }}
             - name: LDAP_ALERT_ROOTDN
               value: {{ .Values.phpldapadmin.ldap.alertRootDN | default "false" | quote }}
             {{- with .Values.phpldapadmin.extraEnv }}

diff --git a/values.yaml b/values.yaml
@@ -151,8 +151,8 @@ phpldapadmin:
 
   # LDAP login configuration
   ldap:
-    # Login attribute: "DN" for full DN login, or "uid" for username login
-    loginAttr: "DN"
+    # Login attribute: "uid" for username login, or "DN" for full DN login
+    loginAttr: "uid"
     # Allow rootdn login (set to "false" to allow admin DN login)
     alertRootDN: "false"