+ )}
{mutation.error && {(mutation.error as ApiError).message}}
diff --git a/create-a-container/seeders/20260311000000-seed-wazuh-env-vars.js b/create-a-container/seeders/20260311000000-seed-wazuh-env-vars.js
index 19782412..7ef8fc13 100644
--- a/create-a-container/seeders/20260311000000-seed-wazuh-env-vars.js
+++ b/create-a-container/seeders/20260311000000-seed-wazuh-env-vars.js
@@ -12,7 +12,7 @@ const WAZUH_DEFAULTS = [
{
key: 'WAZUH_REGISTRATION_PASSWORD',
value: '',
- description: 'Enrollment password for Wazuh agent registration — deleted from /etc/environment inside the container immediately after first-boot enrollment completes'
+ description: 'Enrollment password for Wazuh agent registration'
}
];
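Review bot: The shortened description on the `+ description:` line drops the only statement of the enrollment password's lifetime (that it is removed from /etc/environment after first-boot enrollment) without saying what happens to it now. If that cleanup still exists elsewhere, keep the sentence so operators know the credential is transient; if the cleanup was removed, the value now persists in /etc/environment for the container's lifetime and the description should say so, e.g. `description: 'Enrollment password for Wazuh agent registration (secret; persists in the container environment)'`. Either way the seeded text should match the actual handling, since this description is what the settings UI shows to administrators.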
diff --git a/create-a-container/seeders/20260604000000-seed-sssd-env-vars.js b/create-a-container/seeders/20260604000000-seed-sssd-env-vars.js
new file mode 100644
index 00000000..b317aea6
--- /dev/null
+++ b/create-a-container/seeders/20260604000000-seed-sssd-env-vars.js
@@ -0,0 +1,121 @@
+'use strict';
+
+// Variables seeded into the default_container_env_vars setting for the
+// base/sssd.conf.template. Only SSSD_LDAP_URI and SSSD_LDAP_TLS_REQCERT
+// carry default values; the remaining variables are intentionally left
+// blank so that sssd falls back to its builtin defaults.
+const SSSD_DEFAULTS = [
+ {
+ key: 'SSSD_LDAP_URI',
+ value: 'ldaps://ldap1:636, ldaps://ldap2:636',
+ description: 'Comma-separated list of LDAP server URIs sssd connects to'
+ },
+ {
+ key: 'SSSD_LDAP_TLS_REQCERT',
+ value: 'allow',
+ description: 'TLS certificate validation policy for LDAP connections (e.g. never, allow, try, demand)'
+ },
+ {
+ key: 'SSSD_LDAP_SCHEMA',
+ value: '',
+ description: 'LDAP schema type. Leave blank to use the sssd builtin default'
+ },
+ {
+ key: 'SSSD_LDAP_SEARCH_BASE',
+ value: '',
+ description: 'Base DN for LDAP searches. Leave blank to use the sssd builtin default'
+ },
+ {
+ key: 'SSSD_LDAP_USER_SEARCH_BASE',
+ value: '',
+ description: 'Base DN for LDAP user searches. Leave blank to use the sssd builtin default'
+ },
+ {
+ key: 'SSSD_LDAP_GROUP_SEARCH_BASE',
+ value: '',
+ description: 'Base DN for LDAP group searches. Leave blank to use the sssd builtin default'
+ },
+ {
+ key: 'SSSD_LDAP_DEFAULT_BIND_DN',
+ value: '',
+ description: 'DN used to bind to the LDAP server. Leave blank to use the sssd builtin default'
+ },
+ {
+ key: 'SSSD_DEFAULT_AUTHTOK_TYPE',
+ value: '',
+ description: 'Type of the LDAP bind authentication token. Leave blank to use the sssd builtin default'
+ },
+ {
+ key: 'SSSD_DEFAULT_AUTHTOK',
+ value: '',
+ description: 'LDAP bind authentication token. Leave blank to use the sssd builtin default'
+ }
+];
+
+/** @type {import('sequelize-cli').Migration} */
+module.exports = {
+ async up(queryInterface) {
+ const [rows] = await queryInterface.sequelize.query(
+ `SELECT value FROM "Settings" WHERE key = 'default_container_env_vars'`
+ );
+
+ let existing = [];
+ if (rows.length > 0) {
+ try {
+ const parsed = JSON.parse(rows[0].value);
+ if (Array.isArray(parsed)) {
+ existing = parsed;
+ } else if (typeof parsed === 'object' && parsed !== null) {
+ // Migrate from old flat-object format {KEY: value} to array format
+ existing = Object.entries(parsed).map(([key, value]) => ({ key, value, description: '' }));
+ }
+ } catch (_) {
+ existing = [];
+ }
+ }
+
+ const existingKeys = new Set(existing.map(e => e.key));
+ const toAdd = SSSD_DEFAULTS.filter(e => !existingKeys.has(e.key));
+ if (toAdd.length === 0) return; // all keys already present
+
+ const merged = [...existing, ...toAdd];
+ const now = new Date();
+
+ if (rows.length > 0) {
+ await queryInterface.sequelize.query(
+ `UPDATE "Settings" SET value = :value, "updatedAt" = :now WHERE key = 'default_container_env_vars'`,
+ { replacements: { value: JSON.stringify(merged), now } }
+ );
+ } else {
+ await queryInterface.bulkInsert('Settings', [{
+ key: 'default_container_env_vars',
+ value: JSON.stringify(merged),
+ createdAt: now,
+ updatedAt: now
+ }]);
+ }
+ },
+
+ async down(queryInterface) {
+ const [rows] = await queryInterface.sequelize.query(
+ `SELECT value FROM "Settings" WHERE key = 'default_container_env_vars'`
+ );
+ if (rows.length === 0) return;
+
+ let existing = [];
+ try {
+ const parsed = JSON.parse(rows[0].value);
+ existing = Array.isArray(parsed) ? parsed : [];
+ } catch (_) {
+ return;
+ }
+
+ const keysToRemove = new Set(SSSD_DEFAULTS.map(e => e.key));
+ const reverted = existing.filter(e => !keysToRemove.has(e.key));
+
+ await queryInterface.sequelize.query(
+ `UPDATE "Settings" SET value = :value, "updatedAt" = :now WHERE key = 'default_container_env_vars'`,
+ { replacements: { value: JSON.stringify(reverted), now: new Date() } }
+ );
+ }
+};
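Review bot: `SSSD_DEFAULT_AUTHTOK` is seeded as an ordinary default env var whose description does not mark it as a credential, although the template and the admin docs in this commit treat it as a secret that ends up in /etc/environment and the rendered sssd.conf; suggest `description: 'LDAP bind password for SSSD_LDAP_DEFAULT_BIND_DN (secret; rendered into /etc/sssd/sssd.conf). Leave blank to use the sssd builtin default'` so whoever lists or exports the setting sees it. In up(), the `catch (_) { existing = []; }` around JSON.parse means an unparsable existing setting value is silently overwritten by the UPDATE with only the SSSD defaults; down() already bails out on a parse failure, and up() should do the same (rethrow with `{ cause }`) rather than discard data. The `Array.isArray(parsed)` branch also trusts every element to have a `key`; a `.filter(e => e && typeof e.key === 'string')` before building `existingKeys` keeps a malformed entry from crashing the migration.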
diff --git a/images/base/50-sssd-conf-template.conf b/images/base/50-sssd-conf-template.conf
new file mode 100644
index 00000000..9c617d9c
--- /dev/null
+++ b/images/base/50-sssd-conf-template.conf
@@ -0,0 +1,6 @@
+[Unit]
+ConditionPathExists=|/etc/sssd/sssd.conf.template
+
+[Service]
+EnvironmentFile=-/etc/environment
+ExecStartPre=+-/bin/sh -c "umask 0226 && /bin/envsubst /etc/sssd/sssd.conf"
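Review bot: The render command on the ExecStartPre line passes the output path as an argument to envsubst and never reads the template; GNU gettext's envsubst reads stdin and writes stdout and treats its argument as a SHELL-FORMAT, so under systemd's default stdin it would write nothing to /etc/sssd/sssd.conf, and the leading `-` then hides the failure. If that is the envsubst in use, the line should read `ExecStartPre=+-/bin/sh -c "umask 0226 && /bin/envsubst < /etc/sssd/sssd.conf.template > /etc/sssd/sssd.conf"`. Note also that `umask 0226` gives a newly created file mode 0440, while the admin docs in this commit say the rendered file is 0600; align the two. Since the rendered file carries the bind credential, consider dropping the `-` prefix so a failed render stops sssd from starting against a stale or missing config instead of being ignored.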
diff --git a/images/base/Dockerfile b/images/base/Dockerfile
index 81f2b560..6e89cdfe 100644
--- a/images/base/Dockerfile
+++ b/images/base/Dockerfile
@@ -5,7 +5,7 @@ FROM debian:13 AS builder
RUN apt-get update && apt-get install -y \
curl tar zstd
ARG URL=http://download.proxmox.com/images/system/debian-13-standard_13.1-2_amd64.tar.zst
-RUN mkdir /rootfs && curl "$URL" | tar --zstd -x -C /rootfs
+RUN mkdir /rootfs && curl -fsSL --retry 10 "$URL" | tar --zstd -x -C /rootfs
# Stage 2 of the build uses the root filesystem built in stage 1. The rest of
# the Dockerfile builds from there.
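Review bot: The rootfs tarball is still fetched over plain http:// and piped straight into tar with no integrity check, so the added `-fsSL --retry 10` hardens against transient failures but not against a tampered or truncated download. Consider pinning the archive's SHA-256 as a build ARG (say `ROOTFS_SHA256`, a name chosen here) and verifying before extraction, e.g. `curl -fsSL --retry 10 -o /tmp/rootfs.tar.zst "$URL" && echo "$ROOTFS_SHA256  /tmp/rootfs.tar.zst" | sha256sum -c -` followed by `tar --zstd -xf /tmp/rootfs.tar.zst -C /rootfs`. Switching the default URL to https:// is a cheap additional step if the mirror supports it.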
@@ -23,7 +23,8 @@ RUN apt-get update && \
pam-auth-update --enable mkhomedir && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*
-COPY --chmod=0440 sssd.conf /etc/sssd/sssd.conf
+COPY --chmod=0440 sssd.conf.template /etc/sssd/sssd.conf.template
+COPY --chmod=0440 50-sssd-conf-template.conf /etc/systemd/system/sssd.service.d/50-sssd-conf-template.conf
COPY --chmod=0440 ldapusers /etc/sudoers.d/ldapusers
COPY --chmod=0644 ldap.conf /etc/ldap/ldap.conf
COPY --chmod=0755 git-identity.sh /etc/profile.d/git-identity.sh
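Review bot: The drop-in copied on the new `COPY --chmod=0440 50-sssd-conf-template.conf` line depends on /bin/envsubst at container runtime, but this hunk does not show gettext-base (the Debian package that provides envsubst) being added to the apt-get install list in the RUN above, whose start is outside the hunk. If the binary is absent, the `-` prefix on that ExecStartPre silently skips the render and sssd starts without a usable config. Add `gettext-base` to the package list, or confirm it is already pulled in, and consider a build-time check such as `RUN test -x /bin/envsubst` so the image fails to build rather than failing at boot.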
diff --git a/images/base/sssd.conf b/images/base/sssd.conf
deleted file mode 100644
index 73d486cf..00000000
--- a/images/base/sssd.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-[sssd]
-domains = default
-
-[domain/default]
-id_provider = ldap
-auth_provider = ldap
-ldap_uri = ldaps://ldap1:636, ldaps://ldap2:636
-ldap_tls_reqcert = allow
-
-# Map LDAP cn attribute to the NSS gecos field so that tools like getent,
-# finger, and the git-identity profile script can read the user's full name.
-ldap_user_gecos = cn
-
-# set a timeout long enough for a push notification to be responded to
-ldap_opt_timeout = 60
diff --git a/images/base/sssd.conf.template b/images/base/sssd.conf.template
new file mode 100644
index 00000000..f889f46e
--- /dev/null
+++ b/images/base/sssd.conf.template
@@ -0,0 +1,24 @@
+[sssd]
+domains = default
+
+[domain/default]
+id_provider = ldap
+auth_provider = ldap
+ldap_uri = ${SSSD_LDAP_URI}
+ldap_tls_reqcert = ${SSSD_LDAP_TLS_REQCERT}
+
+ldap_schema = ${SSSD_LDAP_SCHEMA}
+ldap_search_base = ${SSSD_LDAP_SEARCH_BASE}
+ldap_user_search_base = ${SSSD_LDAP_USER_SEARCH_BASE}
+ldap_group_search_base = ${SSSD_LDAP_GROUP_SEARCH_BASE}
+
+# Map LDAP cn attribute to the NSS gecos field so that tools like getent,
+# finger, and the git-identity profile script can read the user's full name.
+ldap_user_gecos = cn
+
+ldap_default_bind_dn = ${SSSD_LDAP_DEFAULT_BIND_DN}
+ldap_default_authtok_type = ${SSSD_DEFAULT_AUTHTOK_TYPE}
+ldap_default_authtok = ${SSSD_DEFAULT_AUTHTOK}
+
+# set a timeout long enough for a push notification to be responded to
+ldap_opt_timeout = 60
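Review bot: `ldap_tls_reqcert` is now rendered from a variable whose seeded default in this commit is `allow`, carried over from the deleted sssd.conf, so a server presenting an invalid or untrusted certificate is still accepted; both the service bind token (`ldap_default_authtok`) and every authenticating user's password travel over that connection. A comment in the template next to that line, e.g. `# Set SSSD_LDAP_TLS_REQCERT=demand once the LDAP servers present a trusted certificate; 'allow' accepts an unverified server`, would make the trade-off visible where the setting lives. Note too that envsubst renders unset or blank variables as empty strings; the docs in this commit say SSSD then falls back to its built-in defaults, which is worth confirming for `ldap_default_authtok_type` and `ldap_default_bind_dn`, since an empty value is not necessarily the same as the option being absent.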
diff --git a/mie-opensource-landing/docs/admins/index.md b/mie-opensource-landing/docs/admins/index.md
index 9e227ff9..68482916 100644
--- a/mie-opensource-landing/docs/admins/index.md
+++ b/mie-opensource-landing/docs/admins/index.md
@@ -3,6 +3,6 @@
- **[Installation Guide →](installation.md)** — Deploy and configure the management system
- **[Core Concepts →](core-concepts/index.md)** — Cluster organization, user roles, container lifecycle
-- **[Deploying LDAP Servers →](ldap-servers.md)** — Set up ldap1/ldap2 for container authentication
+- **[LDAP Authentication →](ldap-servers.md)** — Link containers to your existing LDAP directory via SSSD environment variables
- **[Deploying Agents →](deploying-agents.md)** — Set up agent containers on remote Proxmox nodes
- **[Kernel Keyring Configuration →](kernel-keyring.md)** — Fix "disk quota exceeded" errors under nested Docker/LXC virtualization
diff --git a/mie-opensource-landing/docs/admins/ldap-servers.md b/mie-opensource-landing/docs/admins/ldap-servers.md
index 87849730..830fb9b7 100644
--- a/mie-opensource-landing/docs/admins/ldap-servers.md
+++ b/mie-opensource-landing/docs/admins/ldap-servers.md
@@ -1,103 +1,112 @@
-# Deploying LDAP Servers
+# LDAP Authentication
-The base container images authenticate users via LDAP against two servers named `ldap1` and `ldap2` (configured in SSSD at `ldaps://ldap1:636` and `ldaps://ldap2:636`). This guide covers deploying those servers, keeping them updated, and integrating them with Proxmox.
+The base container images authenticate users against an external LDAP directory using [SSSD](https://sssd.io/docs/). Rather than shipping its own directory, the platform connects containers to **your existing LDAP infrastructure** (Active Directory, OpenLDAP, FreeIPA, 389 Directory Server, etc.). This guide covers pointing containers at your servers via environment variables and, optionally, configuring Proxmox to authenticate against the same directory.
-## Prerequisites
+## How It Works
-- A running cluster with at least one [site](core-concepts/sites.md) configured
-- The management software deployed and accessible
-- Two available container slots for `ldap1` and `ldap2`
+Every base image runs **systemd as PID 1**. At boot, before SSSD starts, a oneshot unit renders the SSSD configuration from a template:
-## LDAP Gateway Image
+```
+/etc/sssd/sssd.conf.template --(envsubst, reads /etc/environment)--> /etc/sssd/sssd.conf
+```
-The LDAP servers use [`ghcr.io/mieweb/ldap-gateway`](https://github.com/mieweb/LDAPServer), a Node.js LDAP server that reads user and group data directly from the management database via SQL.
+The container's environment variables (written to `/etc/environment`) are substituted into the template, so the running SSSD config is built from the `SSSD_*` variables described below. Because the file is regenerated on every start, updating the variables and recreating the container is all that's needed to re-point authentication at a different directory.
-## Environment Variables
+The rendered `[domain/default]` section looks like this:
-| Variable | Value |
-|----------|-------|
-| `DIRECTORY_BACKEND` | `sql` |
-| `LDAP_COMMON_NAME` | Hostname of the container (e.g. `ldap1` or `ldap2`) |
-| `LDAP_BASE_DN` | Derived from the site's internal domain (e.g., `example.com` → `dc=example,dc=com`) |
-| `AUTH_BACKENDS` | `sql` or `sql,notification` (if push notifications are enabled) |
-| `NOTIFICATION_URL` | Push notification endpoint (only present if push notifications are enabled) |
-| `SQL_URI` | `postgres://username:password@hostname:port/database/ssl=true` — must point to the same database used by the manager |
-| `SQL_QUERY_ALL_USERS` | See [rendered queries](#sql-queries) below |
-| `SQL_QUERY_ONE_USER` | See [rendered queries](#sql-queries) below |
-| `SQL_QUERY_ALL_GROUPS` | See [rendered queries](#sql-queries) below |
-| `SQL_QUERY_GROUPS_BY_MEMBER` | See [rendered queries](#sql-queries) below |
-| `REQUIRE_AUTH_FOR_SEARCH` | `false` — allows unauthenticated LDAP searches |
-| `NODE_TLS_REJECT_UNAUTHORIZED` | `0` |
+```ini
+[sssd]
+domains = default
-### SQL Queries
+[domain/default]
+id_provider = ldap
+auth_provider = ldap
+ldap_uri = ${SSSD_LDAP_URI}
+ldap_tls_reqcert = ${SSSD_LDAP_TLS_REQCERT}
-The queries are generated by the manager using Sequelize's `quoteIdentifier()`. Rendered for PostgreSQL:
+ldap_schema = ${SSSD_LDAP_SCHEMA}
+ldap_search_base = ${SSSD_LDAP_SEARCH_BASE}
+ldap_user_search_base = ${SSSD_LDAP_USER_SEARCH_BASE}
+ldap_group_search_base = ${SSSD_LDAP_GROUP_SEARCH_BASE}
-**`SQL_QUERY_ALL_USERS`**
-```sql
-SELECT "uid" AS username, "uidNumber" AS uid_number, "gidNumber" AS gid_number,
- "givenName" AS first_name, "cn" AS full_name, "sn" AS last_name,
- "mail", "homeDirectory" AS home_directory, "userPassword" AS password
-FROM "Users"
-```
+# Map the LDAP cn attribute to the NSS gecos field so tools like getent,
+# finger, and the git-identity profile script can read the user's full name.
+ldap_user_gecos = cn
-**`SQL_QUERY_ONE_USER`**
-```sql
-SELECT "uid" AS username, "uidNumber" AS uid_number, "gidNumber" AS gid_number,
- "givenName" AS first_name, "cn" AS full_name, "sn" AS last_name,
- "mail", "homeDirectory" AS home_directory, "userPassword" AS password
-FROM "Users"
-WHERE "uid" = ?
-```
+ldap_default_bind_dn = ${SSSD_LDAP_DEFAULT_BIND_DN}
+ldap_default_authtok_type = ${SSSD_DEFAULT_AUTHTOK_TYPE}
+ldap_default_authtok = ${SSSD_DEFAULT_AUTHTOK}
-**`SQL_QUERY_ALL_GROUPS`**
-```sql
-SELECT g."cn" AS name, g."gidNumber" AS gid_number
-FROM "Groups" g
+# Long enough for a push notification to be responded to
+ldap_opt_timeout = 60
```
-**`SQL_QUERY_GROUPS_BY_MEMBER`**
-```sql
-SELECT g."cn" AS name, g."gidNumber" AS gid_number
-FROM "Groups" g
-INNER JOIN "UserGroups" ug ON g."gidNumber" = ug."gidNumber"
-INNER JOIN "Users" u ON ug."uidNumber" = u."uidNumber"
-WHERE u."uid" = ?
-```
+!!! note
+ Any `SSSD_*` variable left blank is substituted as an empty value, and SSSD falls back to its built-in default (for example, auto-detecting the search base from the directory's RootDSE). Only set the variables your directory actually requires.
+
+## Configuring the Connection
+
+The recommended way to link every container to your directory is to set the `SSSD_*` variables as **default container environment variables** in [**System Settings**](settings.md). These defaults are applied to every container created on the cluster, so authentication is configured once and inherited automatically.
-## Deploying ldap1 and ldap2
+In the admin UI: **Settings** → **Default Container Environment Variables**. The following keys are seeded for you — fill in the values for your environment:
-Create two LXC containers named exactly `ldap1` and `ldap2` using the `ghcr.io/mieweb/ldap-gateway` image. Both use identical configuration — the pair provides redundancy.
+| Variable | Default | Required | Description |
+|----------|---------|----------|-------------|
+| `SSSD_LDAP_URI` | `ldaps://ldap1:636, ldaps://ldap2:636` | Yes | Comma-separated list of LDAP server URIs. List two or more for automatic failover (e.g. `ldaps://dc1.example.com:636, ldaps://dc2.example.com:636`). |
+| `SSSD_LDAP_TLS_REQCERT` | `allow` | Yes | TLS certificate validation policy: `never`, `allow`, `try`, or `demand`. Use `demand` to require a valid, trusted server certificate. |
+| `SSSD_LDAP_SCHEMA` | *(blank)* | No | LDAP schema in use (e.g. `rfc2307`, `rfc2307bis`, `ad`). Leave blank to use the SSSD default. Set `ad` for Active Directory. |
+| `SSSD_LDAP_SEARCH_BASE` | *(blank)* | No | Base DN for all searches (e.g. `dc=example,dc=com`). Leave blank to let SSSD auto-detect it from the RootDSE. |
+| `SSSD_LDAP_USER_SEARCH_BASE` | *(blank)* | No | Base DN for user searches. Overrides `SSSD_LDAP_SEARCH_BASE` for users (e.g. `ou=people,dc=example,dc=com`). |
+| `SSSD_LDAP_GROUP_SEARCH_BASE` | *(blank)* | No | Base DN for group searches (e.g. `ou=groups,dc=example,dc=com`). |
+| `SSSD_LDAP_DEFAULT_BIND_DN` | *(blank)* | No | DN used to bind for lookups. Leave blank for anonymous bind; set it if your directory disallows anonymous searches (e.g. `cn=svc-sssd,ou=services,dc=example,dc=com`). |
+| `SSSD_DEFAULT_AUTHTOK_TYPE` | *(blank)* | No | Type of the bind credential, typically `password`. Required when `SSSD_LDAP_DEFAULT_BIND_DN` is set. |
+| `SSSD_DEFAULT_AUTHTOK` | *(blank)* | No | The bind credential (password) for the bind DN. Required when `SSSD_LDAP_DEFAULT_BIND_DN` is set. |
-For each server:
+!!! tip
+ `SSSD_LDAP_DEFAULT_BIND_DN`, `SSSD_DEFAULT_AUTHTOK_TYPE`, and `SSSD_DEFAULT_AUTHTOK` work as a set. Provide all three when your directory requires an authenticated bind to read users and groups; leave all three blank to bind anonymously. The service account only needs read access to the user and group subtrees — user passwords are verified by a separate bind as the authenticating user.
-1. Create a container with hostname `ldap1` (or `ldap2`) using the `ghcr.io/mieweb/ldap-gateway` image
-2. Set the environment variables from above
-3. Start the container
+!!! warning
+ `SSSD_DEFAULT_AUTHTOK` is a secret. The rendered `/etc/sssd/sssd.conf` is written with restrictive permissions (mode `0600`), but the value is also visible in the container's environment. Prefer a dedicated, least-privilege service account and rotate it like any other credential.
-Both servers will register in DNSMasq automatically, making them resolvable by name from all containers in the site.
+### Per-container overrides
-## Rolling Updates
+Because these are ordinary container environment variables, an individual container can override any `SSSD_*` value at creation time (in the **Environment Variables** section of the container form, or via the API). This is useful for connecting a specific container to a different directory or test environment without changing the cluster-wide defaults.
-To update the LDAP servers without downtime, replace them one at a time:
+### Requirements for your directory
-1. **Delete `ldap1`** — all containers fail over to `ldap2` via SSSD
-2. **Recreate `ldap1`** with the latest `ghcr.io/mieweb/ldap-gateway` image and the same environment variables
-3. **Verify `ldap1`** is running and responding on port 636
-4. **Delete `ldap2`** — traffic shifts to the updated `ldap1`
-5. **Recreate `ldap2`** with the latest image and same environment variables
-6. **Verify `ldap2`** is running
+- **LDAPS reachable from the cluster.** Containers connect over the URIs in `SSSD_LDAP_URI`; those hosts must be resolvable and reachable from the container network. If you use short names like `ldap1`, ensure they resolve via the site's DNS (DNSMasq); otherwise use fully-qualified domain names or IPs.
+- **POSIX attributes on users.** SSSD expects `uid`, `uidNumber`, `gidNumber`, `homeDirectory`, and `cn`. Active Directory installations typically need the POSIX/RFC 2307 attributes populated (or schema `ad`).
+- **Home directories** are created automatically on first login by PAM (`pam_mkhomedir`), so the directory itself only needs to supply the `homeDirectory` path.
+
+## Verifying
+
+SSH into any container and confirm the directory is reachable and users resolve:
+
+```bash
+# Show the rendered config (secrets included — handle with care)
+sudo cat /etc/sssd/sssd.conf
+
+# SSSD should be active
+systemctl status sssd
+
+# Look up a user that exists in your directory
+getent passwd
+id
+
+# Clear the cache and force a fresh lookup if results look stale
+sudo sss_cache -E
+```
-SSSD on the base images is configured with both servers (`ldaps://ldap1:636, ldaps://ldap2:636`) and will automatically fail over when one is unavailable.
+If `getent passwd ` returns the user, authentication and home-directory creation will work on first login.
-## Proxmox LDAP Realm
+## Proxmox LDAP Realm (Optional)
-Configure Proxmox to authenticate users against the same LDAP servers. This allows container ACLs to reference cluster users as `username@ldap`.
+To let container ACLs reference directory users as `username@ldap`, configure Proxmox to authenticate against the **same** directory the containers use.
### DNS Configuration
-First, configure Proxmox to use the same DNS server as the containers (the DNSMasq instance managed by the management software). This ensures Proxmox can resolve `ldap1` and `ldap2` by name.
+If your `SSSD_LDAP_URI` uses names that only the cluster DNS resolves, point Proxmox at the same DNS server (the DNSMasq instance managed by the management software) so it can resolve them too. If you use public FQDNs this step is unnecessary.
In the Proxmox web UI: **Node** → **System** → **DNS** → set the DNS server to the DNSMasq IP address.
@@ -108,14 +117,14 @@ In the Proxmox web UI: **Datacenter** → **Permissions** → **Realms** → **A
| Setting | Value |
|---------|-------|
| Realm | `ldap` |
-| Base Domain Name | Derived from internal domain (e.g., `example.com` → `dc=example,dc=com`) |
-| User Attribute Name | `uid` |
+| Base Domain Name | Your directory's base DN (e.g. `dc=example,dc=com`) |
+| User Attribute Name | `uid` (use `sAMAccountName` for Active Directory) |
| Default | ✅ (checked) |
-| Server | `ldap1` |
-| Fallback Server | `ldap2` |
-| Port | *(leave default)* |
+| Server | Your primary LDAP host |
+| Fallback Server | Your secondary LDAP host (optional) |
+| Port | `636` |
| Mode | LDAPS |
-| Verify Certificate | ❌ (unchecked) |
+| Verify Certificate | Match your `SSSD_LDAP_TLS_REQCERT` policy |
| Require TFA | none |
Under **Sync Options**:
@@ -133,4 +142,4 @@ After adding the realm, sync it to import users and groups:
**Datacenter** → **Permissions** → **Realms** → select `ldap` → **Sync**.
-The management software also triggers a sync automatically when creating containers (via `syncLdapRealm('ldap')`) to ensure new users are available for ACL assignment.
+The management software also triggers a sync automatically when creating containers (via `syncLdapRealm('ldap')`) so new users are available for ACL assignment.
diff --git a/mie-opensource-landing/docs/developers/docker-images.md b/mie-opensource-landing/docs/developers/docker-images.md
index 73769729..84a086b0 100644
--- a/mie-opensource-landing/docs/developers/docker-images.md
+++ b/mie-opensource-landing/docs/developers/docker-images.md
@@ -41,7 +41,7 @@ images/
├── docker-bake.hcl # Build config with dependency ordering
├── base/
│ ├── Dockerfile
-│ ├── sssd.conf
+│ ├── sssd.conf.template
│ └── ldapusers
├── nodejs/
│ └── Dockerfile # Extends base image
diff --git a/mie-opensource-landing/zensical.toml b/mie-opensource-landing/zensical.toml
index 2b98d857..639e85af 100644
--- a/mie-opensource-landing/zensical.toml
+++ b/mie-opensource-landing/zensical.toml
@@ -40,7 +40,7 @@ nav = [
{ "Users and Groups" = "admins/core-concepts/users-and-groups.md" },
] },
{ "Settings" = "admins/settings.md" },
- { "LDAP Servers" = "admins/ldap-servers.md" },
+ { "LDAP Authentication" = "admins/ldap-servers.md" },
{ "Deploying Agents" = "admins/deploying-agents.md" },
{ "Kernel Keyring" = "admins/kernel-keyring.md" },
{ "NVIDIA Container Toolkit" = "admins/nvidia-container-toolkit.md" },