diff --git a/14.0/unit/Dockerfile b/14.0/unit/Dockerfile index 5582298..fbac7cf 100644 --- a/14.0/unit/Dockerfile +++ b/14.0/unit/Dockerfile @@ -38,6 +38,7 @@ RUN set -ex; \ php-mbstring \ php-curl \ ssl-cert \ + sudo \ ; \ \ rm -rf /var/lib/apt/lists/* @@ -194,6 +195,29 @@ RUN \ rm /var/www/html/index.php /var/www/html/index.php.remove; \ } +ENV LDAP_ENABLE=false +ENV LDAP_HOST= +ENV LDAP_PORT=389 +ENV LDAP_BACKUP_HOST= +ENV LDAP_BACKUP_PORT=389 +ENV LDAP_DN= +ENV LDAP_AGENT_PASSWORD= +ENV LDAP_BASE= +ENV LDAP_BASE_USERS +ENV LDAP_BASE_GROUPS +# space-separated objectclass values +ENV LDAP_USERFILTER_OBJECTCLASS=inetOrgPerson +ENV LDAP_USERLIST_FILTER +ENV LDAP_LOGIN_FILTER +ENV LDAP_GROUPFILTER_OBJECTCLASS=organizationalRole +ENV LDAP_GROUP_FILTER +ENV LDAP_GID_NUMBER=gidNumber +ENV LDAP_DISPLAY_NAME=cn +ENV LDAP_USER_DISPLAY_NAME_2= +ENV LDAP_GROUP_DISPLAY_NAME=cn +ENV LDAP_EMAIL_ATTR=mail +ENV LDAP_GROUP_MEMBER_ASSOC_ATTRIBUTE=memberUid + EXPOSE 9000 9001 9002 9003 9010 9011 9012 9013 ENTRYPOINT ["/entrypoint.sh"] STOPSIGNAL SIGTERM diff --git a/14.0/unit/entrypoint.sh b/14.0/unit/entrypoint.sh index 1ca0675..501839b 100755 --- a/14.0/unit/entrypoint.sh +++ b/14.0/unit/entrypoint.sh @@ -142,4 +142,6 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "$1" = "unitd" fi fi +sudo -u www-data -E /ldap_setup.sh + exec "$@" diff --git a/14.0/unit/ldap_setup.sh b/14.0/unit/ldap_setup.sh new file mode 100755 index 0000000..980be92 --- /dev/null +++ b/14.0/unit/ldap_setup.sh 
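Review bot: `ENV LDAP_BASE_USERS`, `ENV LDAP_BASE_GROUPS`, `ENV LDAP_USERLIST_FILTER`, `ENV LDAP_LOGIN_FILTER` and `ENV LDAP_GROUP_FILTER` have no `=`; as far as I can tell the single-argument `ENV` form is rejected by the Dockerfile parser ("ENV must have two arguments"), so the image fails to build at parse time — write them as `ENV LDAP_BASE_USERS=` like the neighbouring lines. `ENV LDAP_AGENT_PASSWORD=` also establishes the directory bind password as an image-level environment variable, which is exposed by `docker inspect` and, inside the container, readable from `/proc/<pid>/environ` by any process running as the same user; a comment steering users to `-e`/`--env-file` at run time rather than a derived image would help, e.g. `# LDAP_AGENT_PASSWORD: supply at run time, never bake it into a derived image`. The same applies to the 15.0, 16.0 and 17.0 copies and to Dockerfile-unit.template, from which update.sh regenerates them.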
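Review bot: `sudo -u www-data -E /ldap_setup.sh` runs on every invocation, outside the `if` that gates the service commands, and only works because the entrypoint is running as root: under `docker run --user` there is no sudoers rule for the caller, so the call fails (fatally, if the top of the entrypoint — outside this hunk — sets `-e`). If this entrypoint still carries upstream nextcloud's `run_as` helper, `run_as /ldap_setup.sh` covers both the root and non-root cases and makes the setuid `sudo` package added in the first Dockerfile hunk unnecessary; otherwise `--preserve-env=` with the `LDAP_*` names is tighter than `-E`, which forwards the entrypoint's entire environment to the child. I also do not see a `COPY` for `/ldap_setup.sh` in the Dockerfile hunks, which is fine only if the existing `COPY` uses a `*.sh` glob. The same applies to the 15.0, 16.0 and 17.0 copies and to docker-entrypoint.sh, from which update.sh regenerates them.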
@@ -0,0 +1,105 @@
+#!/bin/bash
+
+# setup LDAP authentication for nextcloud
+# this script must be run as www-data
+
+[[ ${LDAP_ENABLE,,} == "true" ]] || {
+ echo Skipping LDAP setup
+ exit 0
+}
+
+PREV_DIR=${PWD}
+cd /var/www/html
+php occ app:enable user_ldap
+
+[[ -z ${LDAP_HOST} ]] || {
+ php occ config:app:set user_ldap s01ldap_host --value ${LDAP_HOST}
+ php occ config:app:set user_ldap s01ldap_port --value ${LDAP_PORT:-389}
+}
+[[ -z ${LDAP_BACKUP_HOST} ]] || {
+ php occ config:app:set user_ldap s01ldap_backup_host --value ${LDAP_BACKUP_HOST}
+ php occ config:app:set user_ldap s01ldap_backup_port --value ${LDAP_BACKUP_PORT:-389}
+}
+
+# credentials for accessing LDAP directory
+[[ -z ${LDAP_DN} ]] || {
+ php occ config:app:set user_ldap s01ldap_dn --value ${LDAP_DN}
+}
+[[ -z ${LDAP_AGENT_PASSWORD} ]] || {
+ php occ config:app:set user_ldap s01ldap_agent_password --value ${LDAP_AGENT_PASSWORD}
+}
+
+# search base
+[[ -z ${LDAP_BASE} ]] || {
+ php occ config:app:set user_ldap s01ldap_base --value ${LDAP_BASE}
+ php occ config:app:set user_ldap s01ldap_base_users --value ${LDAP_BASE_USERS:-ou=People,${LDAP_BASE}}
+ php occ config:app:set user_ldap s01ldap_base_groups --value ${LDAP_BASE_GROUPS:-ou=Group,${LDAP_BASE}}
+}
+
+LDAP_USERFILTER_OBJECTCLASS=${LDAP_USERFILTER_OBJECTCLASS:-inetOrgPerson}
+php occ config:app:set user_ldap s01ldap_userfilter_objectclass --value "$(echo ${LDAP_USERFILTER_OBJECTCLASS} | tr ' ' '\n')"
+
+DEFAULT_FILTER="(|(objectclass=${LDAP_USERFILTER_OBJECTCLASS// /)(objectclass=}))"
+LDAP_USERLIST_FILTER="${LDAP_USERLIST_FILTER:-${DEFAULT_FILTER}}"
+php occ config:app:set user_ldap s01ldap_userlist_filter --value "${LDAP_USERLIST_FILTER}"
+
+# ldap_user_filter_mode|0
+# ldap_userfilter_groups|
+
+DEFAULT_LOGIN_FILTER="(&${DEFAULT_FILTER}(uid=%uid))"
+php occ config:app:set user_ldap s01ldap_login_filter --value "${LDAP_LOGIN_FILTER:-${DEFAULT_LOGIN_FILTER}}"
+
+# ldap_login_filter_mode|0
+# ldap_loginfilter_email|0
+# ldap_loginfilter_username|1
+# ldap_loginfilter_attributes|
+
+LDAP_GROUPFILTER_OBJECTCLASS=${LDAP_GROUPFILTER_OBJECTCLASS:-organizationalRole}
+php occ config:app:set user_ldap s01ldap_groupfilter_objectclass --value "$(echo ${LDAP_GROUPFILTER_OBJECTCLASS} | tr ' ' '\n')"
+
+DEFAULT_GFILTER="(|(objectclass=${LDAP_GROUPFILTER_OBJECTCLASS// /)(objectclass=}))"
+LDAP_GROUP_FILTER="${LDAP_GROUP_FILTER:-${DEFAULT_GFILTER}}"
+php occ config:app:set user_ldap s01ldap_group_filter --value "${LDAP_GROUP_FILTER}"
+
+# ldap_group_filter_mode|0
+# ldap_groupfilter_groups|
+
+php occ config:app:set user_ldap s01ldap_gid_number --value "${LDAP_GID_NUMBER:-gidNumber}"
+
+php occ config:app:set user_ldap s01ldap_display_name --value "${LDAP_DISPLAY_NAME:-cn}"
+[[ -z ${LDAP_USER_DISPLAY_NAME_2} ]] || {
+ php occ config:app:set user_ldap s01ldap_user_display_name_2 --value "${LDAP_USER_DISPLAY_NAME_2}"
+}
+php occ config:app:set user_ldap s01ldap_group_display_name --value "${LDAP_GROUP_DISPLAY_NAME:-cn}"
+
+# ldap_tls|0
+# ldap_quota_def|
+# ldap_quota_attr|
+
+php occ config:app:set user_ldap s01ldap_email_attr --value "${LDAP_EMAIL_ATTR:-mail}"
+php occ config:app:set user_ldap s01ldap_group_member_assoc_attribute --value "${LDAP_GROUP_MEMBER_ASSOC_ATTRIBUTE:-memberUid}"
+
+# ldap_cache_ttl|600
+
+# home_folder_naming_rule|
+# ldap_turn_off_cert_check|0
+# ldap_attributes_for_user_search|
+# ldap_attributes_for_group_search|
+# ldap_expert_username_attr|
+# ldap_expert_uuid_user_attr|
+# ldap_expert_uuid_group_attr|
+# has_memberof_filter_support|0
+# use_memberof_to_detect_membership|1
+
+# last_jpegPhoto_lookup|0
+# ldap_nested_groups|0
+# ldap_paging_size|500
+# ldap_turn_on_pwd_change|0
+# ldap_experienced_admin|0
+# ldap_dynamic_group_member_url|
+# ldap_default_ppolicy_dn|
+# ldap_user_avatar_rule|default
+# ldap_ext_storage_home_attribute|
+# _lastChange|1570896933
+
+cd ${PREV_DIR}
diff --git a/15.0/unit/Dockerfile b/15.0/unit/Dockerfile
index 5af0cfa..6bcae4f 100644
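Review bot: The `--value ${LDAP_HOST}`, `${LDAP_DN}`, `${LDAP_AGENT_PASSWORD}`, `${LDAP_BASE}`, `${LDAP_BASE_USERS:-…}` and `${LDAP_BASE_GROUPS:-…}` expansions in the first half of the script are unquoted, so a DN or password containing a space, `*` or `?` is word-split and glob-expanded before it reaches `occ` and a wrong or truncated value is stored without any error — quote them as the later calls already do, e.g. `--value "${LDAP_AGENT_PASSWORD}"`. There is also no `set -eu`: if `cd /var/www/html` or `php occ app:enable user_ldap` fails, every following `config:app:set` still runs and the script exits 0, so the entrypoint cannot tell a configured directory from a half-written one — `set -eu` after the shebang, or `|| exit 1` on those two commands, fixes that. Because the script runs on every container start, it re-applies the environment defaults over whatever an admin changed in the `s01` configuration through the UI, and the bind password is handed to `occ` as a process argument, where it is briefly visible in the process list; both are hard to avoid with `config:app:set` but belong in the header comment. The same file is added as 15.0, 16.0, 17.0 and docker-ldap_setup.sh, which update.sh copies from.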
--- a/15.0/unit/Dockerfile +++ b/15.0/unit/Dockerfile @@ -38,6 +38,7 @@ RUN set -ex; \ php-mbstring \ php-curl \ ssl-cert \ + sudo \ ; \ \ rm -rf /var/lib/apt/lists/* @@ -194,6 +195,29 @@ RUN \ rm /var/www/html/index.php /var/www/html/index.php.remove; \ } +ENV LDAP_ENABLE=false +ENV LDAP_HOST= +ENV LDAP_PORT=389 +ENV LDAP_BACKUP_HOST= +ENV LDAP_BACKUP_PORT=389 +ENV LDAP_DN= +ENV LDAP_AGENT_PASSWORD= +ENV LDAP_BASE= +ENV LDAP_BASE_USERS +ENV LDAP_BASE_GROUPS +# space-separated objectclass values +ENV LDAP_USERFILTER_OBJECTCLASS=inetOrgPerson +ENV LDAP_USERLIST_FILTER +ENV LDAP_LOGIN_FILTER +ENV LDAP_GROUPFILTER_OBJECTCLASS=organizationalRole +ENV LDAP_GROUP_FILTER +ENV LDAP_GID_NUMBER=gidNumber +ENV LDAP_DISPLAY_NAME=cn +ENV LDAP_USER_DISPLAY_NAME_2= +ENV LDAP_GROUP_DISPLAY_NAME=cn +ENV LDAP_EMAIL_ATTR=mail +ENV LDAP_GROUP_MEMBER_ASSOC_ATTRIBUTE=memberUid + EXPOSE 9000 9001 9002 9003 9010 9011 9012 9013 ENTRYPOINT ["/entrypoint.sh"] STOPSIGNAL SIGTERM diff --git a/15.0/unit/entrypoint.sh b/15.0/unit/entrypoint.sh index 1ca0675..501839b 100755 --- a/15.0/unit/entrypoint.sh +++ b/15.0/unit/entrypoint.sh @@ -142,4 +142,6 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "$1" = "unitd" fi fi +sudo -u www-data -E /ldap_setup.sh + exec "$@" diff --git a/15.0/unit/ldap_setup.sh b/15.0/unit/ldap_setup.sh new file mode 100755 index 0000000..980be92 --- /dev/null +++ b/15.0/unit/ldap_setup.sh 
@@ -0,0 +1,105 @@
+#!/bin/bash
+
+# setup LDAP authentication for nextcloud
+# this script must be run as www-data
+
+[[ ${LDAP_ENABLE,,} == "true" ]] || {
+ echo Skipping LDAP setup
+ exit 0
+}
+
+PREV_DIR=${PWD}
+cd /var/www/html
+php occ app:enable user_ldap
+
+[[ -z ${LDAP_HOST} ]] || {
+ php occ config:app:set user_ldap s01ldap_host --value ${LDAP_HOST}
+ php occ config:app:set user_ldap s01ldap_port --value ${LDAP_PORT:-389}
+}
+[[ -z ${LDAP_BACKUP_HOST} ]] || {
+ php occ config:app:set user_ldap s01ldap_backup_host --value ${LDAP_BACKUP_HOST}
+ php occ config:app:set user_ldap s01ldap_backup_port --value ${LDAP_BACKUP_PORT:-389}
+}
+
+# credentials for accessing LDAP directory
+[[ -z ${LDAP_DN} ]] || {
+ php occ config:app:set user_ldap s01ldap_dn --value ${LDAP_DN}
+}
+[[ -z ${LDAP_AGENT_PASSWORD} ]] || {
+ php occ config:app:set user_ldap s01ldap_agent_password --value ${LDAP_AGENT_PASSWORD}
+}
+
+# search base
+[[ -z ${LDAP_BASE} ]] || {
+ php occ config:app:set user_ldap s01ldap_base --value ${LDAP_BASE}
+ php occ config:app:set user_ldap s01ldap_base_users --value ${LDAP_BASE_USERS:-ou=People,${LDAP_BASE}}
+ php occ config:app:set user_ldap s01ldap_base_groups --value ${LDAP_BASE_GROUPS:-ou=Group,${LDAP_BASE}}
+}
+
+LDAP_USERFILTER_OBJECTCLASS=${LDAP_USERFILTER_OBJECTCLASS:-inetOrgPerson}
+php occ config:app:set user_ldap s01ldap_userfilter_objectclass --value "$(echo ${LDAP_USERFILTER_OBJECTCLASS} | tr ' ' '\n')"
+
+DEFAULT_FILTER="(|(objectclass=${LDAP_USERFILTER_OBJECTCLASS// /)(objectclass=}))"
+LDAP_USERLIST_FILTER="${LDAP_USERLIST_FILTER:-${DEFAULT_FILTER}}"
+php occ config:app:set user_ldap s01ldap_userlist_filter --value "${LDAP_USERLIST_FILTER}"
+
+# ldap_user_filter_mode|0
+# ldap_userfilter_groups|
+
+DEFAULT_LOGIN_FILTER="(&${DEFAULT_FILTER}(uid=%uid))"
+php occ config:app:set user_ldap s01ldap_login_filter --value "${LDAP_LOGIN_FILTER:-${DEFAULT_LOGIN_FILTER}}"
+
+# ldap_login_filter_mode|0
+# ldap_loginfilter_email|0
+# ldap_loginfilter_username|1
+# ldap_loginfilter_attributes|
+
+LDAP_GROUPFILTER_OBJECTCLASS=${LDAP_GROUPFILTER_OBJECTCLASS:-organizationalRole}
+php occ config:app:set user_ldap s01ldap_groupfilter_objectclass --value "$(echo ${LDAP_GROUPFILTER_OBJECTCLASS} | tr ' ' '\n')"
+
+DEFAULT_GFILTER="(|(objectclass=${LDAP_GROUPFILTER_OBJECTCLASS// /)(objectclass=}))"
+LDAP_GROUP_FILTER="${LDAP_GROUP_FILTER:-${DEFAULT_GFILTER}}"
+php occ config:app:set user_ldap s01ldap_group_filter --value "${LDAP_GROUP_FILTER}"
+
+# ldap_group_filter_mode|0
+# ldap_groupfilter_groups|
+
+php occ config:app:set user_ldap s01ldap_gid_number --value "${LDAP_GID_NUMBER:-gidNumber}"
+
+php occ config:app:set user_ldap s01ldap_display_name --value "${LDAP_DISPLAY_NAME:-cn}"
+[[ -z ${LDAP_USER_DISPLAY_NAME_2} ]] || {
+ php occ config:app:set user_ldap s01ldap_user_display_name_2 --value "${LDAP_USER_DISPLAY_NAME_2}"
+}
+php occ config:app:set user_ldap s01ldap_group_display_name --value "${LDAP_GROUP_DISPLAY_NAME:-cn}"
+
+# ldap_tls|0
+# ldap_quota_def|
+# ldap_quota_attr|
+
+php occ config:app:set user_ldap s01ldap_email_attr --value "${LDAP_EMAIL_ATTR:-mail}"
+php occ config:app:set user_ldap s01ldap_group_member_assoc_attribute --value "${LDAP_GROUP_MEMBER_ASSOC_ATTRIBUTE:-memberUid}"
+
+# ldap_cache_ttl|600
+
+# home_folder_naming_rule|
+# ldap_turn_off_cert_check|0
+# ldap_attributes_for_user_search|
+# ldap_attributes_for_group_search|
+# ldap_expert_username_attr|
+# ldap_expert_uuid_user_attr|
+# ldap_expert_uuid_group_attr|
+# has_memberof_filter_support|0
+# use_memberof_to_detect_membership|1
+
+# last_jpegPhoto_lookup|0
+# ldap_nested_groups|0
+# ldap_paging_size|500
+# ldap_turn_on_pwd_change|0
+# ldap_experienced_admin|0
+# ldap_dynamic_group_member_url|
+# ldap_default_ppolicy_dn|
+# ldap_user_avatar_rule|default
+# ldap_ext_storage_home_attribute|
+# _lastChange|1570896933
+
+cd ${PREV_DIR}
diff --git a/16.0/unit/Dockerfile b/16.0/unit/Dockerfile
index 4365869..48e9c8e 100644
--- a/16.0/unit/Dockerfile +++ b/16.0/unit/Dockerfile @@ -38,6 +38,7 @@ RUN set -ex; \ php-mbstring \ php-curl \ ssl-cert \ + sudo \ ; \ \ rm -rf /var/lib/apt/lists/* @@ -194,6 +195,29 @@ RUN \ rm /var/www/html/index.php /var/www/html/index.php.remove; \ } +ENV LDAP_ENABLE=false +ENV LDAP_HOST= +ENV LDAP_PORT=389 +ENV LDAP_BACKUP_HOST= +ENV LDAP_BACKUP_PORT=389 +ENV LDAP_DN= +ENV LDAP_AGENT_PASSWORD= +ENV LDAP_BASE= +ENV LDAP_BASE_USERS +ENV LDAP_BASE_GROUPS +# space-separated objectclass values +ENV LDAP_USERFILTER_OBJECTCLASS=inetOrgPerson +ENV LDAP_USERLIST_FILTER +ENV LDAP_LOGIN_FILTER +ENV LDAP_GROUPFILTER_OBJECTCLASS=organizationalRole +ENV LDAP_GROUP_FILTER +ENV LDAP_GID_NUMBER=gidNumber +ENV LDAP_DISPLAY_NAME=cn +ENV LDAP_USER_DISPLAY_NAME_2= +ENV LDAP_GROUP_DISPLAY_NAME=cn +ENV LDAP_EMAIL_ATTR=mail +ENV LDAP_GROUP_MEMBER_ASSOC_ATTRIBUTE=memberUid + EXPOSE 9000 9001 9002 9003 9010 9011 9012 9013 ENTRYPOINT ["/entrypoint.sh"] STOPSIGNAL SIGTERM diff --git a/16.0/unit/entrypoint.sh b/16.0/unit/entrypoint.sh index 1ca0675..501839b 100755 --- a/16.0/unit/entrypoint.sh +++ b/16.0/unit/entrypoint.sh @@ -142,4 +142,6 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "$1" = "unitd" fi fi +sudo -u www-data -E /ldap_setup.sh + exec "$@" diff --git a/16.0/unit/ldap_setup.sh b/16.0/unit/ldap_setup.sh new file mode 100755 index 0000000..980be92 --- /dev/null +++ b/16.0/unit/ldap_setup.sh 
@@ -0,0 +1,105 @@
+#!/bin/bash
+
+# setup LDAP authentication for nextcloud
+# this script must be run as www-data
+
+[[ ${LDAP_ENABLE,,} == "true" ]] || {
+ echo Skipping LDAP setup
+ exit 0
+}
+
+PREV_DIR=${PWD}
+cd /var/www/html
+php occ app:enable user_ldap
+
+[[ -z ${LDAP_HOST} ]] || {
+ php occ config:app:set user_ldap s01ldap_host --value ${LDAP_HOST}
+ php occ config:app:set user_ldap s01ldap_port --value ${LDAP_PORT:-389}
+}
+[[ -z ${LDAP_BACKUP_HOST} ]] || {
+ php occ config:app:set user_ldap s01ldap_backup_host --value ${LDAP_BACKUP_HOST}
+ php occ config:app:set user_ldap s01ldap_backup_port --value ${LDAP_BACKUP_PORT:-389}
+}
+
+# credentials for accessing LDAP directory
+[[ -z ${LDAP_DN} ]] || {
+ php occ config:app:set user_ldap s01ldap_dn --value ${LDAP_DN}
+}
+[[ -z ${LDAP_AGENT_PASSWORD} ]] || {
+ php occ config:app:set user_ldap s01ldap_agent_password --value ${LDAP_AGENT_PASSWORD}
+}
+
+# search base
+[[ -z ${LDAP_BASE} ]] || {
+ php occ config:app:set user_ldap s01ldap_base --value ${LDAP_BASE}
+ php occ config:app:set user_ldap s01ldap_base_users --value ${LDAP_BASE_USERS:-ou=People,${LDAP_BASE}}
+ php occ config:app:set user_ldap s01ldap_base_groups --value ${LDAP_BASE_GROUPS:-ou=Group,${LDAP_BASE}}
+}
+
+LDAP_USERFILTER_OBJECTCLASS=${LDAP_USERFILTER_OBJECTCLASS:-inetOrgPerson}
+php occ config:app:set user_ldap s01ldap_userfilter_objectclass --value "$(echo ${LDAP_USERFILTER_OBJECTCLASS} | tr ' ' '\n')"
+
+DEFAULT_FILTER="(|(objectclass=${LDAP_USERFILTER_OBJECTCLASS// /)(objectclass=}))"
+LDAP_USERLIST_FILTER="${LDAP_USERLIST_FILTER:-${DEFAULT_FILTER}}"
+php occ config:app:set user_ldap s01ldap_userlist_filter --value "${LDAP_USERLIST_FILTER}"
+
+# ldap_user_filter_mode|0
+# ldap_userfilter_groups|
+
+DEFAULT_LOGIN_FILTER="(&${DEFAULT_FILTER}(uid=%uid))"
+php occ config:app:set user_ldap s01ldap_login_filter --value "${LDAP_LOGIN_FILTER:-${DEFAULT_LOGIN_FILTER}}"
+
+# ldap_login_filter_mode|0
+# ldap_loginfilter_email|0
+# ldap_loginfilter_username|1
+# ldap_loginfilter_attributes|
+
+LDAP_GROUPFILTER_OBJECTCLASS=${LDAP_GROUPFILTER_OBJECTCLASS:-organizationalRole}
+php occ config:app:set user_ldap s01ldap_groupfilter_objectclass --value "$(echo ${LDAP_GROUPFILTER_OBJECTCLASS} | tr ' ' '\n')"
+
+DEFAULT_GFILTER="(|(objectclass=${LDAP_GROUPFILTER_OBJECTCLASS// /)(objectclass=}))"
+LDAP_GROUP_FILTER="${LDAP_GROUP_FILTER:-${DEFAULT_GFILTER}}"
+php occ config:app:set user_ldap s01ldap_group_filter --value "${LDAP_GROUP_FILTER}"
+
+# ldap_group_filter_mode|0
+# ldap_groupfilter_groups|
+
+php occ config:app:set user_ldap s01ldap_gid_number --value "${LDAP_GID_NUMBER:-gidNumber}"
+
+php occ config:app:set user_ldap s01ldap_display_name --value "${LDAP_DISPLAY_NAME:-cn}"
+[[ -z ${LDAP_USER_DISPLAY_NAME_2} ]] || {
+ php occ config:app:set user_ldap s01ldap_user_display_name_2 --value "${LDAP_USER_DISPLAY_NAME_2}"
+}
+php occ config:app:set user_ldap s01ldap_group_display_name --value "${LDAP_GROUP_DISPLAY_NAME:-cn}"
+
+# ldap_tls|0
+# ldap_quota_def|
+# ldap_quota_attr|
+
+php occ config:app:set user_ldap s01ldap_email_attr --value "${LDAP_EMAIL_ATTR:-mail}"
+php occ config:app:set user_ldap s01ldap_group_member_assoc_attribute --value "${LDAP_GROUP_MEMBER_ASSOC_ATTRIBUTE:-memberUid}"
+
+# ldap_cache_ttl|600
+
+# home_folder_naming_rule|
+# ldap_turn_off_cert_check|0
+# ldap_attributes_for_user_search|
+# ldap_attributes_for_group_search|
+# ldap_expert_username_attr|
+# ldap_expert_uuid_user_attr|
+# ldap_expert_uuid_group_attr|
+# has_memberof_filter_support|0
+# use_memberof_to_detect_membership|1
+
+# last_jpegPhoto_lookup|0
+# ldap_nested_groups|0
+# ldap_paging_size|500
+# ldap_turn_on_pwd_change|0
+# ldap_experienced_admin|0
+# ldap_dynamic_group_member_url|
+# ldap_default_ppolicy_dn|
+# ldap_user_avatar_rule|default
+# ldap_ext_storage_home_attribute|
+# _lastChange|1570896933
+
+cd ${PREV_DIR}
diff --git a/17.0/unit/Dockerfile b/17.0/unit/Dockerfile
index 5a83edf..12b7659 100644
--- a/17.0/unit/Dockerfile +++ b/17.0/unit/Dockerfile @@ -38,6 +38,7 @@ RUN set -ex; \ php-mbstring \ php-curl \ ssl-cert \ + sudo \ ; \ \ rm -rf /var/lib/apt/lists/* @@ -194,6 +195,29 @@ RUN \ rm /var/www/html/index.php /var/www/html/index.php.remove; \ } +ENV LDAP_ENABLE=false +ENV LDAP_HOST= +ENV LDAP_PORT=389 +ENV LDAP_BACKUP_HOST= +ENV LDAP_BACKUP_PORT=389 +ENV LDAP_DN= +ENV LDAP_AGENT_PASSWORD= +ENV LDAP_BASE= +ENV LDAP_BASE_USERS +ENV LDAP_BASE_GROUPS +# space-separated objectclass values +ENV LDAP_USERFILTER_OBJECTCLASS=inetOrgPerson +ENV LDAP_USERLIST_FILTER +ENV LDAP_LOGIN_FILTER +ENV LDAP_GROUPFILTER_OBJECTCLASS=organizationalRole +ENV LDAP_GROUP_FILTER +ENV LDAP_GID_NUMBER=gidNumber +ENV LDAP_DISPLAY_NAME=cn +ENV LDAP_USER_DISPLAY_NAME_2= +ENV LDAP_GROUP_DISPLAY_NAME=cn +ENV LDAP_EMAIL_ATTR=mail +ENV LDAP_GROUP_MEMBER_ASSOC_ATTRIBUTE=memberUid + EXPOSE 9000 9001 9002 9003 9010 9011 9012 9013 ENTRYPOINT ["/entrypoint.sh"] STOPSIGNAL SIGTERM diff --git a/17.0/unit/entrypoint.sh b/17.0/unit/entrypoint.sh index 1ca0675..501839b 100755 --- a/17.0/unit/entrypoint.sh +++ b/17.0/unit/entrypoint.sh @@ -142,4 +142,6 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "$1" = "unitd" fi fi +sudo -u www-data -E /ldap_setup.sh + exec "$@" diff --git a/17.0/unit/ldap_setup.sh b/17.0/unit/ldap_setup.sh new file mode 100755 index 0000000..980be92 --- /dev/null +++ b/17.0/unit/ldap_setup.sh 
@@ -0,0 +1,105 @@
+#!/bin/bash
+
+# setup LDAP authentication for nextcloud
+# this script must be run as www-data
+
+[[ ${LDAP_ENABLE,,} == "true" ]] || {
+ echo Skipping LDAP setup
+ exit 0
+}
+
+PREV_DIR=${PWD}
+cd /var/www/html
+php occ app:enable user_ldap
+
+[[ -z ${LDAP_HOST} ]] || {
+ php occ config:app:set user_ldap s01ldap_host --value ${LDAP_HOST}
+ php occ config:app:set user_ldap s01ldap_port --value ${LDAP_PORT:-389}
+}
+[[ -z ${LDAP_BACKUP_HOST} ]] || {
+ php occ config:app:set user_ldap s01ldap_backup_host --value ${LDAP_BACKUP_HOST}
+ php occ config:app:set user_ldap s01ldap_backup_port --value ${LDAP_BACKUP_PORT:-389}
+}
+
+# credentials for accessing LDAP directory
+[[ -z ${LDAP_DN} ]] || {
+ php occ config:app:set user_ldap s01ldap_dn --value ${LDAP_DN}
+}
+[[ -z ${LDAP_AGENT_PASSWORD} ]] || {
+ php occ config:app:set user_ldap s01ldap_agent_password --value ${LDAP_AGENT_PASSWORD}
+}
+
+# search base
+[[ -z ${LDAP_BASE} ]] || {
+ php occ config:app:set user_ldap s01ldap_base --value ${LDAP_BASE}
+ php occ config:app:set user_ldap s01ldap_base_users --value ${LDAP_BASE_USERS:-ou=People,${LDAP_BASE}}
+ php occ config:app:set user_ldap s01ldap_base_groups --value ${LDAP_BASE_GROUPS:-ou=Group,${LDAP_BASE}}
+}
+
+LDAP_USERFILTER_OBJECTCLASS=${LDAP_USERFILTER_OBJECTCLASS:-inetOrgPerson}
+php occ config:app:set user_ldap s01ldap_userfilter_objectclass --value "$(echo ${LDAP_USERFILTER_OBJECTCLASS} | tr ' ' '\n')"
+
+DEFAULT_FILTER="(|(objectclass=${LDAP_USERFILTER_OBJECTCLASS// /)(objectclass=}))"
+LDAP_USERLIST_FILTER="${LDAP_USERLIST_FILTER:-${DEFAULT_FILTER}}"
+php occ config:app:set user_ldap s01ldap_userlist_filter --value "${LDAP_USERLIST_FILTER}"
+
+# ldap_user_filter_mode|0
+# ldap_userfilter_groups|
+
+DEFAULT_LOGIN_FILTER="(&${DEFAULT_FILTER}(uid=%uid))"
+php occ config:app:set user_ldap s01ldap_login_filter --value "${LDAP_LOGIN_FILTER:-${DEFAULT_LOGIN_FILTER}}"
+
+# ldap_login_filter_mode|0
+# ldap_loginfilter_email|0
+# ldap_loginfilter_username|1
+# ldap_loginfilter_attributes|
+
+LDAP_GROUPFILTER_OBJECTCLASS=${LDAP_GROUPFILTER_OBJECTCLASS:-organizationalRole}
+php occ config:app:set user_ldap s01ldap_groupfilter_objectclass --value "$(echo ${LDAP_GROUPFILTER_OBJECTCLASS} | tr ' ' '\n')"
+
+DEFAULT_GFILTER="(|(objectclass=${LDAP_GROUPFILTER_OBJECTCLASS// /)(objectclass=}))"
+LDAP_GROUP_FILTER="${LDAP_GROUP_FILTER:-${DEFAULT_GFILTER}}"
+php occ config:app:set user_ldap s01ldap_group_filter --value "${LDAP_GROUP_FILTER}"
+
+# ldap_group_filter_mode|0
+# ldap_groupfilter_groups|
+
+php occ config:app:set user_ldap s01ldap_gid_number --value "${LDAP_GID_NUMBER:-gidNumber}"
+
+php occ config:app:set user_ldap s01ldap_display_name --value "${LDAP_DISPLAY_NAME:-cn}"
+[[ -z ${LDAP_USER_DISPLAY_NAME_2} ]] || {
+ php occ config:app:set user_ldap s01ldap_user_display_name_2 --value "${LDAP_USER_DISPLAY_NAME_2}"
+}
+php occ config:app:set user_ldap s01ldap_group_display_name --value "${LDAP_GROUP_DISPLAY_NAME:-cn}"
+
+# ldap_tls|0
+# ldap_quota_def|
+# ldap_quota_attr|
+
+php occ config:app:set user_ldap s01ldap_email_attr --value "${LDAP_EMAIL_ATTR:-mail}"
+php occ config:app:set user_ldap s01ldap_group_member_assoc_attribute --value "${LDAP_GROUP_MEMBER_ASSOC_ATTRIBUTE:-memberUid}"
+
+# ldap_cache_ttl|600
+
+# home_folder_naming_rule|
+# ldap_turn_off_cert_check|0
+# ldap_attributes_for_user_search|
+# ldap_attributes_for_group_search|
+# ldap_expert_username_attr|
+# ldap_expert_uuid_user_attr|
+# ldap_expert_uuid_group_attr|
+# has_memberof_filter_support|0
+# use_memberof_to_detect_membership|1
+
+# last_jpegPhoto_lookup|0
+# ldap_nested_groups|0
+# ldap_paging_size|500
+# ldap_turn_on_pwd_change|0
+# ldap_experienced_admin|0
+# ldap_dynamic_group_member_url|
+# ldap_default_ppolicy_dn|
+# ldap_user_avatar_rule|default
+# ldap_ext_storage_home_attribute|
+# _lastChange|1570896933
+
+cd ${PREV_DIR}
diff --git a/Dockerfile-unit.template b/Dockerfile-unit.template index 1381fbd..4055e7c 100644 --- a/Dockerfile-unit.template +++ b/Dockerfile-unit.template @@ -37,6 +37,7 @@ RUN set -ex; \ php-mbstring \ php-curl \ ssl-cert \ + sudo \ ; \ \ rm -rf /var/lib/apt/lists/* @@ -193,6 +194,29 @@ RUN \ rm /var/www/html/index.php /var/www/html/index.php.remove; \ } +ENV LDAP_ENABLE=false +ENV LDAP_HOST= +ENV LDAP_PORT=389 +ENV LDAP_BACKUP_HOST= +ENV LDAP_BACKUP_PORT=389 +ENV LDAP_DN= +ENV LDAP_AGENT_PASSWORD= +ENV LDAP_BASE= +ENV LDAP_BASE_USERS +ENV LDAP_BASE_GROUPS +# space-separated objectclass values +ENV LDAP_USERFILTER_OBJECTCLASS=inetOrgPerson +ENV LDAP_USERLIST_FILTER +ENV LDAP_LOGIN_FILTER +ENV LDAP_GROUPFILTER_OBJECTCLASS=organizationalRole +ENV LDAP_GROUP_FILTER +ENV LDAP_GID_NUMBER=gidNumber +ENV LDAP_DISPLAY_NAME=cn +ENV LDAP_USER_DISPLAY_NAME_2= +ENV LDAP_GROUP_DISPLAY_NAME=cn +ENV LDAP_EMAIL_ATTR=mail +ENV LDAP_GROUP_MEMBER_ASSOC_ATTRIBUTE=memberUid + EXPOSE 9000 9001 9002 9003 9010 9011 9012 9013 ENTRYPOINT ["/entrypoint.sh"] STOPSIGNAL SIGTERM diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 1ca0675..501839b 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -142,4 +142,6 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "$1" = "unitd" fi fi +sudo -u www-data -E /ldap_setup.sh + exec "$@" diff --git a/docker-ldap_setup.sh b/docker-ldap_setup.sh new file mode 100755 index 0000000..980be92 --- /dev/null +++ b/docker-ldap_setup.sh 
@@ -0,0 +1,105 @@
+#!/bin/bash
+
+# setup LDAP authentication for nextcloud
+# this script must be run as www-data
+
+[[ ${LDAP_ENABLE,,} == "true" ]] || {
+ echo Skipping LDAP setup
+ exit 0
+}
+
+PREV_DIR=${PWD}
+cd /var/www/html
+php occ app:enable user_ldap
+
+[[ -z ${LDAP_HOST} ]] || {
+ php occ config:app:set user_ldap s01ldap_host --value ${LDAP_HOST}
+ php occ config:app:set user_ldap s01ldap_port --value ${LDAP_PORT:-389}
+}
+[[ -z ${LDAP_BACKUP_HOST} ]] || {
+ php occ config:app:set user_ldap s01ldap_backup_host --value ${LDAP_BACKUP_HOST}
+ php occ config:app:set user_ldap s01ldap_backup_port --value ${LDAP_BACKUP_PORT:-389}
+}
+
+# credentials for accessing LDAP directory
+[[ -z ${LDAP_DN} ]] || {
+ php occ config:app:set user_ldap s01ldap_dn --value ${LDAP_DN}
+}
+[[ -z ${LDAP_AGENT_PASSWORD} ]] || {
+ php occ config:app:set user_ldap s01ldap_agent_password --value ${LDAP_AGENT_PASSWORD}
+}
+
+# search base
+[[ -z ${LDAP_BASE} ]] || {
+ php occ config:app:set user_ldap s01ldap_base --value ${LDAP_BASE}
+ php occ config:app:set user_ldap s01ldap_base_users --value ${LDAP_BASE_USERS:-ou=People,${LDAP_BASE}}
+ php occ config:app:set user_ldap s01ldap_base_groups --value ${LDAP_BASE_GROUPS:-ou=Group,${LDAP_BASE}}
+}
+
+LDAP_USERFILTER_OBJECTCLASS=${LDAP_USERFILTER_OBJECTCLASS:-inetOrgPerson}
+php occ config:app:set user_ldap s01ldap_userfilter_objectclass --value "$(echo ${LDAP_USERFILTER_OBJECTCLASS} | tr ' ' '\n')"
+
+DEFAULT_FILTER="(|(objectclass=${LDAP_USERFILTER_OBJECTCLASS// /)(objectclass=}))"
+LDAP_USERLIST_FILTER="${LDAP_USERLIST_FILTER:-${DEFAULT_FILTER}}"
+php occ config:app:set user_ldap s01ldap_userlist_filter --value "${LDAP_USERLIST_FILTER}"
+
+# ldap_user_filter_mode|0
+# ldap_userfilter_groups|
+
+DEFAULT_LOGIN_FILTER="(&${DEFAULT_FILTER}(uid=%uid))"
+php occ config:app:set user_ldap s01ldap_login_filter --value "${LDAP_LOGIN_FILTER:-${DEFAULT_LOGIN_FILTER}}"
+
+# ldap_login_filter_mode|0
+# ldap_loginfilter_email|0
+# ldap_loginfilter_username|1
+# ldap_loginfilter_attributes|
+
+LDAP_GROUPFILTER_OBJECTCLASS=${LDAP_GROUPFILTER_OBJECTCLASS:-organizationalRole}
+php occ config:app:set user_ldap s01ldap_groupfilter_objectclass --value "$(echo ${LDAP_GROUPFILTER_OBJECTCLASS} | tr ' ' '\n')"
+
+DEFAULT_GFILTER="(|(objectclass=${LDAP_GROUPFILTER_OBJECTCLASS// /)(objectclass=}))"
+LDAP_GROUP_FILTER="${LDAP_GROUP_FILTER:-${DEFAULT_GFILTER}}"
+php occ config:app:set user_ldap s01ldap_group_filter --value "${LDAP_GROUP_FILTER}"
+
+# ldap_group_filter_mode|0
+# ldap_groupfilter_groups|
+
+php occ config:app:set user_ldap s01ldap_gid_number --value "${LDAP_GID_NUMBER:-gidNumber}"
+
+php occ config:app:set user_ldap s01ldap_display_name --value "${LDAP_DISPLAY_NAME:-cn}"
+[[ -z ${LDAP_USER_DISPLAY_NAME_2} ]] || {
+ php occ config:app:set user_ldap s01ldap_user_display_name_2 --value "${LDAP_USER_DISPLAY_NAME_2}"
+}
+php occ config:app:set user_ldap s01ldap_group_display_name --value "${LDAP_GROUP_DISPLAY_NAME:-cn}"
+
+# ldap_tls|0
+# ldap_quota_def|
+# ldap_quota_attr|
+
+php occ config:app:set user_ldap s01ldap_email_attr --value "${LDAP_EMAIL_ATTR:-mail}"
+php occ config:app:set user_ldap s01ldap_group_member_assoc_attribute --value "${LDAP_GROUP_MEMBER_ASSOC_ATTRIBUTE:-memberUid}"
+
+# ldap_cache_ttl|600
+
+# home_folder_naming_rule|
+# ldap_turn_off_cert_check|0
+# ldap_attributes_for_user_search|
+# ldap_attributes_for_group_search|
+# ldap_expert_username_attr|
+# ldap_expert_uuid_user_attr|
+# ldap_expert_uuid_group_attr|
+# has_memberof_filter_support|0
+# use_memberof_to_detect_membership|1
+
+# last_jpegPhoto_lookup|0
+# ldap_nested_groups|0
+# ldap_paging_size|500
+# ldap_turn_on_pwd_change|0
+# ldap_experienced_admin|0
+# ldap_dynamic_group_member_url|
+# ldap_default_ppolicy_dn|
+# ldap_user_avatar_rule|default
+# ldap_ext_storage_home_attribute|
+# _lastChange|1570896933
+
+cd ${PREV_DIR}
diff --git a/update.sh b/update.sh
index f2c300a..8a36a92 100755
--- a/update.sh
+++ b/update.sh @@ -128,7 +128,7 @@ function create_variant() { fi # Copy the shell scripts - for name in entrypoint cron; do + for name in entrypoint cron ldap_setup; do cp "docker-$name.sh" "$dir/$name.sh" done