diff --git a/ldap/.env b/ldap/.env
new file mode 100644
index 0000000..9cc67ae
--- /dev/null
+++ b/ldap/.env
@@ -0,0 +1,11 @@
+BASE_URL=ldap.
+EMAIL=
+
+LDAP_LOG_LEVEL=0
+
+LDAP_DOMAIN=
+LDAP_ORGANIZATION=
+LDAP_ADMIN_PASSWORD=
+
+LDAPSIZELIMIT=1000
+LDAPTIMELIMIT=60
diff --git a/ldap/Dockerfile b/ldap/Dockerfile
new file mode 100644
index 0000000..99a8ad4
--- /dev/null
+++ b/ldap/Dockerfile
@@ -0,0 +1,11 @@
+FROM debian:12-slim
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update                                \
+    && apt-get install -y --no-install-recommends \
+        ca-certificates                           \
+        ldap-utils                                \
+        slapd                                     \
+    && rm -rf /var/lib/apt/lists/*
+COPY entrypoint.sh /usr/local/bin/
+EXPOSE 389 636
+ENTRYPOINT ["entrypoint.sh"]
diff --git a/ldap/compose-dev.yaml b/ldap/compose-dev.yaml
new file mode 100644
index 0000000..08ecfc0
--- /dev/null
+++ b/ldap/compose-dev.yaml
@@ -0,0 +1,9 @@
+---
+services:
+  ldap:
+    build: .
+    ports:
+      - "389:389"
+      - "636:636"
+    env_file:
+      - .env
diff --git a/ldap/compose.yaml b/ldap/compose.yaml
new file mode 100644
index 0000000..cb5edfa
--- /dev/null
+++ b/ldap/compose.yaml
@@ -0,0 +1,24 @@
+---
+services:
+  install_site:
+    build: install_site
+    environment:
+      - BASE_URL
+      - EMAIL
+    volumes:
+      - certs:/etc/letsencrypt/
+      - certbotroot:/var/www/certbot/
+
+  ldap:
+    build: .
+    ports:
+      - "389:389"
+      - "636:636"
+    env_file:
+      .env
+    volumes:
+      - certs:/etc/letsencrypt/:ro
+
+volumes:
+  certs:
+    external: true
diff --git a/ldap/entrypoint.sh b/ldap/entrypoint.sh
new file mode 100755
index 0000000..a735bf1
--- /dev/null
+++ b/ldap/entrypoint.sh
@@ -0,0 +1,28 @@
+#!/bin/bash -e
+
+LDAPMODIFY=(ldapmodify -Q -YEXTERNAL -Hldapi:///)
+SLAPD=(su openldap -c "slapd '-hldap:/// ldaps:/// ldapi:///' -d$LDAP_LOG_LEVEL")
+
+# https://sources.debian.org/src/openldap/2.5.13+dfsg-5/debian/slapd.templates/
+cat <<EOF | debconf-set-selections && dpkg-reconfigure slapd
+slapd slapd/dump_database select always
+slapd slapd/domain string '$LDAP_DOMAIN'
+slapd shared/organization string '$LDAP_ORGANIZATION'
+slapd slapd/password1 string '$LDAP_ADMIN_PASSWORD'
+slapd slapd/password2 string '$LDAP_ADMIN_PASSWORD'
+EOF
+
+# start slapd
+"${SLAPD[@]}" &
+sleep 1
+
+# enable SHA2
+"${LDAPMODIFY[@]}" <<EOF
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: pw-sha2
+EOF
+
+/etc/init.d/slapd stop
+exec "${SLAPD[@]}"
diff --git a/ldap/install_site b/ldap/install_site
new file mode 120000
index 0000000..846f55c
--- /dev/null
+++ b/ldap/install_site
@@ -0,0 +1 @@
+../_nginx/install_site
\ No newline at end of file
diff --git a/ldap/user.ldif b/ldap/user.ldif
new file mode 100644
index 0000000..1a17fcf
--- /dev/null
+++ b/ldap/user.ldif
@@ -0,0 +1,15 @@
+dn: cn=firstname.lastname,dc=domain,dc=tld
+givenName: firstname
+cn: firstname.lastname
+sn: lastname
+uid: flastname
+homeDirectory: /home/flastname
+mail: flastname@domain.tld
+mail: first.lastname@domain.tld
+# slappasswd -h{SHA512} -omodule-load=pw-sha2 -s password
+userPassword: {SHA512}sQnzu7wkTrgkQZF+0G1hi5AI3Qmzvv0bXgc5THBqi7mAsdd4Xll27ASbRt9fEyavWi6m0QP9B8lThf+rDKy8hg==
+loginShell: /bin/bash
+uidNumber: 5001
+gidNumber: 0
+objectClass: inetOrgPerson
+objectClass: posixAccount