diff --git a/.ldap.cfg b/.ldap.cfg
new file mode 100644
index 000000000..5d66f1f3b
--- /dev/null
+++ b/.ldap.cfg
@@ -0,0 +1,41 @@
+debug = true
+[behaviors]
+ # Ignore all capabilities restrictions, for instance allowing every user to perform a search
+ IgnoreCapabilities = true
+[ldap]
+ enabled = true
+ listen = "0.0.0.0:389"
+[ldaps]
+ enabled = false
+ listen = "0.0.0.0:636"
+[api]
+ enabled = true
+ internals = true
+ tls = false
+ listen = "0.0.0.0:5555"
+[backend]
+ datastore = "config"
+ baseDN = "dc=localssl,dc=dev"
+[[users]]
+ name = "user"
+ givenname="John"
+ sn="Doe"
+ mail = "jdoe@example.com"
+ passsha256 = "4314c1fe282face45336b1422a3285c5ff31a39c8e24425615fa53a43b718493" # photoprism
+ [[users.customattributes]]
+ photoprismRole = ["user"]
+ photoprismLogin = ["true"]
+ photoprismWebdav = ["true"]
+ [[users.capabilities]]
+ action = "search"
+ object = "*"
+[[users]]
+ name = "guest"
+ givenname="Guest"
+ mail = "guest@example.com"
+ passsha256 = "4314c1fe282face45336b1422a3285c5ff31a39c8e24425615fa53a43b718493" # photoprism
+ [[users.customattributes]]
+ photoprismRole = ["guest"]
+ [[users.capabilities]]
+ action = "search"
+ object = "*"
diff --git a/docker-compose.yml b/docker-compose.yml
index c997397d2..09156a0f5 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
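Review bot: Nothing in the new `.ldap.cfg` marks it as a local-test fixture, although it sets `debug = true`, `IgnoreCapabilities = true`, and an `[api]` section with `internals = true` and `tls = false` listening on `0.0.0.0:5555`. A header comment such as `# Local test fixture for the dummy-ldap service in docker-compose.yml; never deploy this file.` would keep it from being copied into a real setup. Both `[[users]]` entries carry the same unsalted `passsha256` value with the plaintext in a trailing comment, so the header should also say these are throwaway test credentials. With `IgnoreCapabilities = true` the `[[users.capabilities]]` tables presumably have no effect; setting it to `false` would let the tests exercise the capability rules the file already spells out.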
@@ -46,13 +46,18 @@ services:
 PHOTOPRISM_REGISTER_URI: "https://keycloak.localssl.dev/admin/"
 PHOTOPRISM_PASSWORD_RESET_URI: "https://keycloak.localssl.dev/realms/master/login-actions/reset-credentials"
 ## LDAP Authentication (pre-configured for local tests):
- PHOTOPRISM_LDAP_URI: "ldaps://dummy-ldap:1636"
+ PHOTOPRISM_LDAP_URI: "ldap://dummy-ldap:389"
 PHOTOPRISM_LDAP_INSECURE: "true"
- PHOTOPRISM_LDAP_ROLE: "user"
- PHOTOPRISM_LDAP_WEBDAV: "true"
 PHOTOPRISM_LDAP_BIND: "simple"
 PHOTOPRISM_LDAP_BIND_DN: "cn"
 PHOTOPRISM_LDAP_BASE_DN: "dc=localssl,dc=dev"
+ PHOTOPRISM_LDAP_SYNC: "true"
+ PHOTOPRISM_LDAP_ROLE: "user"
+ PHOTOPRISM_LDAP_ROLE_DN: "photoprismRole"
+ PHOTOPRISM_LDAP_LOGIN: "true"
+ PHOTOPRISM_LDAP_LOGIN_DN: "photoprismLogin"
+ PHOTOPRISM_LDAP_WEBDAV: "false"
+ PHOTOPRISM_LDAP_WEBDAV_DN: "photoprismWebdav"
 ## OpenID Connect (pre-configured for local tests):
 PHOTOPRISM_OIDC_URI: "https://keycloak.localssl.dev/auth/realms/master"
 PHOTOPRISM_OIDC_INSECURE: "true"
@@ -162,7 +167,7 @@ services:
 ## Login: user / photoprism
 ## Admin: admin / photoprism
 keycloak:
- image: quay.io/keycloak/keycloak:19.0
+ image: quay.io/keycloak/keycloak:20.0
 command: "start-dev" # development mode, do not use this in production!
 container_name: keycloak
 links:
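Review bot: In the `@@ -46,13 +46,18 @@` hunk, `PHOTOPRISM_LDAP_URI` moves from `ldaps://` to `ldap://dummy-ldap:389` while `PHOTOPRISM_LDAP_BIND` stays `simple`, so the bind password now crosses the compose network in cleartext and the local setup apparently no longer exercises the TLS path. If that is intended for the dummy server, say so next to the setting, for example `## plain LDAP, local tests only: simple bind sends the password unencrypted`. Otherwise the `[ldaps]` listener in `.ldap.cfg` could be enabled with a test certificate and the URI kept on `ldaps://`. The new `*_DN` variables are given attribute names (`photoprismRole`, `photoprismLogin`, `photoprismWebdav`) rather than distinguished names, which deserves a one-line comment as well. The `services:` mapping starts and ends outside the hunk.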
@@ -188,27 +193,22 @@ services:
 KC_DB_USERNAME: "keycloak"
 KC_DB_PASSWORD: "keycloak"
- ## Dummy LDAP Server
+ ## Dummy LDAP Directory Server
 dummy-ldap:
- image: openidentityplatform/opendj:latest
+ image: glauth/glauth-plugins:latest
 container_name: dummy-ldap
- expose:
- - 1389
- - 1636
- - 4444
- # ports:
- # - "1389:1389"
- # - "1636:1636"
- # - "4444:4444"
- user: "1001:1000"
- environment:
- OPENDJ_USER: 1001
- PORT: 1389
- LDAPS_PORT: 1636
- BASE_DN: "dc=localssl,dc=dev"
- ADD_BASE_ENTRY: "--addBaseEntry"
- ROOT_USER_DN: "cn=user"
- ROOT_PASSWORD: "photoprism"
+ ports:
+ - "127.0.0.1:389:389"
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.services.ldap.loadbalancer.server.port=5555"
+ - "traefik.http.routers.dummy-ldap.entrypoints=websecure"
+ - "traefik.http.routers.dummy-ldap.rule=Host(`dummy-ldap.localssl.dev`)"
+ - "traefik.http.routers.dummy-ldap.tls.domains[0].main=localssl.dev"
+ - "traefik.http.routers.dummy-ldap.tls.domains[0].sans=*.localssl.dev"
+ - "traefik.http.routers.dummy-ldap.tls=true"
+ volumes:
+ - "./.ldap.cfg:/app/config/config.cfg"
 ## Dummy OpenID Connect Provider
 dummy-oidc:
diff --git a/go.mod b/go.mod
index cb4ccef9d..a79c77810 100644
--- a/go.mod
+++ b/go.mod
@@ -41,7 +41,7 @@ require (
 github.com/stretchr/testify v1.8.1
 github.com/studio-b12/gowebdav v0.0.0-20211106090535-29e74efa701f
 github.com/tensorflow/tensorflow v1.15.2
- github.com/tidwall/gjson v1.14.3
+ github.com/tidwall/gjson v1.14.4
 github.com/ulule/deepcopier v0.0.0-20200430083143-45decc6639b6
 github.com/urfave/cli v1.22.10
 go4.org v0.0.0-20201209231011-d4a079459e60 // indirect
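Review bot: In the `dummy-ldap` service of the `@@ -188,27 +193,22 @@` hunk, `image: glauth/glauth-plugins:latest` is a floating tag, so each pull can bring a different build of the server that answers authentication in these tests; pin it, e.g. `image: glauth/glauth-plugins:<version>@sha256:<digest>` (placeholders, the page gives no version). The config mount can be read-only, `- "./.ldap.cfg:/app/config/config.cfg:ro"`, since nothing visible here needs the container to write it. The Traefik labels route `dummy-ldap.localssl.dev` to port 5555, which `.ldap.cfg` configures as the API with `internals = true` and `tls = false`; a comment stating that this route is for local debugging only would help, or the labels can be dropped if nothing uses the API. The enclosing `services:` mapping starts and ends outside the hunk.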
@@ -147,7 +147,7 @@ require (
 github.com/softlayer/softlayer-go v1.0.6 // indirect
 github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e // indirect
 github.com/tidwall/match v1.1.1 // indirect
- github.com/tidwall/pretty v1.2.0 // indirect
+ github.com/tidwall/pretty v1.2.1 // indirect
 github.com/ugorji/go/codec v1.2.7 // indirect
 go.opencensus.io v0.23.0 // indirect
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
diff --git a/go.sum b/go.sum
index 6218758c7..393aea421 100644
--- a/go.sum
+++ b/go.sum
@@ -936,12 +936,13 @@ github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.490/go.mod github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.490/go.mod h1:l9q4vc1QiawUB1m3RU+87yLvrrxe54jc0w/kEl4DbSQ= github.com/tensorflow/tensorflow v1.15.2 h1:7/f/A664Tml/nRJg04+p3StcrsT53mkcvmxYHXI21Qo= github.com/tensorflow/tensorflow v1.15.2/go.mod h1:itOSERT4trABok4UOoG+X4BoKds9F3rIsySdn+Lvu90= -github.com/tidwall/gjson v1.14.3 h1:9jvXn7olKEHU1S9vwoMGliaT8jq1vJ7IH/n9zD9Dnlw= -github.com/tidwall/gjson v1.14.3/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= +github.com/tidwall/gjson v1.14.4 h1:uo0p8EbA09J7RQaflQ1aBRffTR7xedD2bcIVSYxLnkM= +github.com/tidwall/gjson v1.14.4/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA= github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= -github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs= github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= +github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4= +github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/transip/gotransip/v6 v6.17.0/go.mod h1:pQZ36hWWRahCUXkFWlx9Hs711gLd8J4qdgLdRzmtY+g= github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw=