diff --git a/Dockerfile b/Dockerfile
index a023345..2820994 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,9 @@
-FROM ubuntu
+FROM ubuntu:14.04
 MAINTAINER Christian Lück
 RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y \
- nginx supervisor php5-fpm php5-cli php5-curl php5-gd php5-json \
- php5-pgsql php5-mysql php5-mcrypt && apt-get clean && rm -rf /var/lib/apt/lists/*
+ git nginx supervisor php5-fpm php5-cli php5-curl php5-gd php5-json \
+ php5-pgsql php5-ldap php5-mysql php5-mcrypt && apt-get clean && rm -rf /var/lib/apt/lists/*
 # enable the mcrypt module
 RUN php5enmod mcrypt
@@ -19,6 +19,10 @@ RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y curl --n
 && curl -SL https://tt-rss.org/gitlab/fox/tt-rss/repository/archive.tar.gz?ref=master | tar xzC /var/www --strip-components 1 \
 && apt-get purge -y --auto-remove curl \
 && chown www-data:www-data -R /var/www
+
+RUN git clone https://github.com/hydrian/TTRSS-Auth-LDAP.git /TTRSS-Auth-LDAP && \
+ cp -r /TTRSS-Auth-LDAP/plugins/auth_ldap plugins/ && \
+ ls -la /var/www/plugins
 RUN cp config.php-dist config.php
 # expose only nginx HTTP port
@@ -32,7 +36,11 @@ ENV DB_NAME ttrss
 ENV DB_USER ttrss
 ENV DB_PASS ttrss
+# auth method, options are: internal, ldap
+ENV AUTH_METHOD internal
+
 # always re-configure database with current ENV when RUNning container, then monitor all services
 ADD configure-db.php /configure-db.php
 ADD supervisord.conf /etc/supervisor/conf.d/supervisord.conf
-CMD php /configure-db.php && supervisord -c /etc/supervisor/conf.d/supervisord.conf
+ADD entrypoint.sh /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/README.md b/README.md
index a884f7c..806a8c9 100644
--- a/README.md
+++ b/README.md
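Review bot: `git` joins the runtime package list on the `+ git nginx supervisor …` line although, judging by the later hunk, it is used once at build time to clone the auth plugin, while the existing curl step in this file is careful to `apt-get purge -y --auto-remove curl` after its download; install git in the same RUN as the clone and purge it there, or fetch a release tarball through that curl step, so the shipped image does not carry a VCS client. `FROM ubuntu:14.04` is better than the untagged `FROM ubuntu` it replaces, but a tag is still mutable; pin a digest (`FROM ubuntu:14.04@sha256:…`) if rebuilds of an image that now performs LDAP authentication are expected to be reproducible. This install also lacks the `--n…` flag visible in the truncated curl hunk header (presumably `--no-install-recommends`), which is worth adding while the line is being touched.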
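Review bot: The new `RUN git clone https://github.com/hydrian/TTRSS-Auth-LDAP.git …` pulls whatever is currently on that repository's default branch straight into the image's authentication path, so every rebuild silently takes unreviewed third-party code; pin a tag or commit (`git clone --branch <tag> …` or a `git -C /TTRSS-Auth-LDAP checkout <sha>` in the same RUN) and record the expected revision in a comment. The clone directory, including its `.git` history, stays in the image and `ls -la /var/www/plugins` is a debug leftover; add `rm -rf /TTRSS-Auth-LDAP` to the same RUN and drop the listing. The relative `plugins/` target relies on a WORKDIR set outside this hunk (the surrounding `cp config.php-dist config.php` suggests `/var/www`), and because the `chown www-data:www-data -R /var/www` context line runs before this step the plugin files are left root-owned, which only works as long as the clone's modes are world-readable — worth confirming.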
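Review bot: `ADD entrypoint.sh /entrypoint.sh` copies a plain local file, which is what `COPY` is for; `ADD` additionally unpacks archives and fetches URLs, so reviewers expect `COPY entrypoint.sh /entrypoint.sh` here (the two pre-existing `ADD` lines have the same issue but are not part of this change). The switch from a shell-form `CMD` to an exec-form `ENTRYPOINT` is the right direction. `AUTH_METHOD` is documented as `internal` or `ldap`, but nothing in the image validates the value and configure-db.php only tests for `"ldap"`; a comment such as `# any value other than "ldap" falls back to internal auth (see configure-db.php)` would make that explicit.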
@@ -164,6 +164,32 @@ For more information check out the [official documentation](https://github.com/g
 -e SELF_URL_PATH=https://example.org/ttrss
 ```
+### Authentication
+
+This container supports internal and ldap by setting `AUTH_METHOD` to `internal` or `ldap`. Default is `internal`.
+
+```
+-e AUTH_METHOD=internal
+```
+
+### LDAP
+
+If `AUTH_METHOD` is set to `ldap` you must/can set the following variables:
+
+- `LDAP_AUTH_SERVER_URI`. Default is `ldap://ldap`
+- `LDAP_AUTH_USETLS`. Default is `FALSE`
+- `LDAP_AUTH_ALLOW_UNTRUSTED_CERT`. Default is `TRUE`
+- `LDAP_AUTH_BASEDN`. Require
+- `LDAP_AUTH_ANONYMOUSBEFOREBIND`. Default `FALSE`
+- `LDAP_AUTH_SEARCHFILTER`. `???` is replaced by the login name. Default `(&(objectClass=user)(sAMAccountName=???))`
+- `LDAP_AUTH_BINDDN`. Required
+- `LDAP_AUTH_BINDPW`. Required
+- `LDAP_AUTH_LOGIN_ATTRIB`. Default is `sAMAccountName`
+- `LDAP_AUTH_LOG_ATTEMPTS`. Default is `FALSE`
+- `LDAP_AUTH_DEBUG`. Default is `FALSE`
+
+For more information consult https://github.com/hydrian/TTRSS-Auth-LDAP
+
 ### Testing ttrss in foreground
 For testing purposes it's recommended to initially start this container in foreground.
diff --git a/configure-db.php b/configure-db.php
index 8f9b1e3..1eb0744 100644
--- a/configure-db.php
+++ b/configure-db.php
@@ -101,9 +101,25 @@ catch (PDOException $e) {
 }
 $contents = file_get_contents($confpath);
+if(getenv('AUTH_METHOD') == "ldap") {
+ $config['PLUGINS'] = 'auth_ldap, note';
+ $contents .= "define('LDAP_AUTH_SERVER_URI', '" . env("LDAP_AUTH_SERVER_URI", "ldap://ldap") . "');\n";
+ $contents .= "define('LDAP_AUTH_USETLS', " . env("LDAP_AUTH_USETLS", "FALSE") . "); \n";
+ $contents .= "define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', " . env("LDAP_AUTH_ALLOW_UNTRUSTED_CERT", "TRUE") . ");\n";
+ $contents .= "define('LDAP_AUTH_BASEDN', '" . env("LDAP_AUTH_BASEDN") . "');\n";
+ $contents .= "define('LDAP_AUTH_ANONYMOUSBEFOREBIND', " . env("LDAP_AUTH_ANONYMOUSBEFOREBIND", "FALSE") . ");\n";
+ // ??? will be replaced with the entered username(escaped) at login
+ $contents .= "define('LDAP_AUTH_SEARCHFILTER', '" .env("LDAP_AUTH_SEARCHFILTER", "(&(objectClass=user)(sAMAccountName=???))") . "');\n";
+ $contents .= "define('LDAP_AUTH_BINDDN', '" . env("LDAP_AUTH_BINDDN") . "');\n";
+ $contents .= "define('LDAP_AUTH_BINDPW', '" . env("LDAP_AUTH_BINDPW") . "');\n";
+ $contents .= "define('LDAP_AUTH_LOGIN_ATTRIB', '" . env("LDAP_AUTH_LOGIN_ATTRIB", "sAMAccountName") . "');\n";
+ $contents .= "define('LDAP_AUTH_LOG_ATTEMPTS', " . env("LDAP_AUTH_LOG_ATTEMPTS", "FALSE") . ");\n";
+ $contents .= "define('LDAP_AUTH_DEBUG', " . env("LDAP_AUTH_DEBUG", "FALSE") . ");\n";
+}
 foreach ($config as $name => $value) {
 $contents = preg_replace('/(define\s*\(\'' . $name . '\',\s*)(.*)(\);)/', '$1"' . $value . '"$3', $contents);
 }
+
 file_put_contents($confpath, $contents);
 function env($name, $default = null)
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100755
index 0000000..1011e4c
--- /dev/null
+++ b/entrypoint.sh
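Review bot: `LDAP_AUTH_ALLOW_UNTRUSTED_CERT` defaults to `TRUE` on the third appended `define`, so an operator who turns on `LDAP_AUTH_USETLS` still gets no certificate verification unless they know to flip a second variable, and the bind DN, bind password and every user's login are then exposed to anyone who can impersonate the LDAP server; default it to `FALSE` and update the README's "Default is `TRUE`" line to match. Every value is also spliced into PHP source by string concatenation: the quoted ones break config.php on a `'` or `\` in, say, the bind password, and the unquoted flag ones (`USETLS`, `ALLOW_UNTRUSTED_CERT`, `ANONYMOUSBEFOREBIND`, `LOG_ATTEMPTS`, `DEBUG`) are emitted verbatim, so any environment value becomes executable PHP; emit each through `var_export()` after normalising flags with `filter_var(..., FILTER_VALIDATE_BOOLEAN)`, as sketched below. The Dockerfile comment says this script runs on every container start and the block appends to `$contents` unconditionally, so a restarted container accumulates duplicate `define()` lines (PHP keeps the first and warns on the rest); guarding on `strpos($contents, 'LDAP_AUTH_SERVER_URI') === false` would avoid that. `BASEDN`, `BINDDN` and `BINDPW` are documented as required, yet `env()` is called with no default for them, so a missing value presumably lands in config.php as empty and only surfaces at first login — failing fast here would be friendlier.
```php
// Render one config constant as a PHP literal so quotes or backslashes in the
// environment can neither break config.php nor be executed as code; flags are
// normalised to true/false.
function ldap_define($name, $value, $is_flag = false) {
    if ($is_flag) {
        $value = filter_var($value, FILTER_VALIDATE_BOOLEAN);
    }
    return "define('" . $name . "', " . var_export($value, true) . ");\n";
}

if (getenv('AUTH_METHOD') == "ldap") {
    $config['PLUGINS'] = 'auth_ldap, note';
    $contents .= ldap_define('LDAP_AUTH_SERVER_URI', env("LDAP_AUTH_SERVER_URI", "ldap://ldap"));
    $contents .= ldap_define('LDAP_AUTH_USETLS', env("LDAP_AUTH_USETLS", "FALSE"), true);
    // verify the LDAP server certificate unless an operator explicitly opts out
    $contents .= ldap_define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', env("LDAP_AUTH_ALLOW_UNTRUSTED_CERT", "FALSE"), true);
    // … unchanged: remaining defines, each routed through ldap_define() …
}
```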
@@ -0,0 +1,19 @@
+#!/bin/bash
+set -e
+
+# remove trailing / if any.
+SELF_URL_PATH=${SELF_URL_PATH/%\//}
+
+# extract the root path from SELF_URL_PATH (i.e http://domain.tld/).
+ROOT_PATH=${SELF_URL_PATH/#http*\:\/\/*\//}
+if [ "${ROOT_PATH}" == "${SELF_URL_PATH}" ]; then
+ # no root path in SELF_URL_PATH.
+ mkdir -p /var/tmp
+ ln -sf "/var/www" "/var/tmp/www"
+else
+ mkdir -p /var/tmp/www
+ ln -sf "/var/www" "/var/tmp/www/${ROOT_PATH}"
+fi
+
+php /configure-db.php
+exec supervisord -c /etc/supervisor/conf.d/supervisord.conf
diff --git a/ttrss.nginx.conf b/ttrss.nginx.conf
index fa46f23..9c9184d 100644
--- a/ttrss.nginx.conf
+++ b/ttrss.nginx.conf
@@ -1,6 +1,6 @@
 server {
 listen 80;
- root /var/www;
+ root /var/tmp/www;
 index index.php index.html;
@@ -15,4 +15,3 @@ server {
 include fastcgi_params;
 }
 }
-
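Review bot: `ROOT_PATH=${SELF_URL_PATH/#http*\:\/\/*\//}` uses bash's longest-match substitution, so for a URL with more than one path segment (`https://example.org/a/ttrss`) the `*` before the final `/` swallows `example.org/a` and `ROOT_PATH` becomes `ttrss` instead of `a/ttrss`, which makes nginx serve the application under the wrong prefix; strip the scheme and host with shortest-match `#` substitutions and compare against the host-and-path remainder instead. `ROOT_PATH` is then used verbatim as a filesystem path in `ln -sf "/var/www" "/var/tmp/www/${ROOT_PATH}"`, so a value containing `..` drops the symlink outside the intended root; the variable is operator-supplied so the exposure is limited, but rejecting `..`, `.` and empty segments keeps the contract explicit, and a multi-segment prefix also needs its parent directory created. The `mkdir -p /var/tmp` in the no-prefix branch is a no-op on a stock Ubuntu image and can go. Ending in `exec supervisord …` after `set -e` is correct and keeps supervisord as PID 1.
```bash
# … unchanged: shebang, set -e, trailing-slash strip …
# Strip scheme and host; what remains is the URL prefix the app is served under
# (shortest-match so multi-segment prefixes such as a/ttrss survive intact).
HOST_AND_PATH=${SELF_URL_PATH#*://}
ROOT_PATH=${HOST_AND_PATH#*/}
if [ "${ROOT_PATH}" = "${HOST_AND_PATH}" ]; then
    # … unchanged: no root path in SELF_URL_PATH …
else
    # ROOT_PATH comes from the environment; refuse anything that would escape /var/tmp/www
    case "/${ROOT_PATH}/" in *"/../"*|*"/./"*|*"//"*) echo "invalid SELF_URL_PATH: ${SELF_URL_PATH}" >&2; exit 1 ;; esac
    mkdir -p "/var/tmp/www/$(dirname "${ROOT_PATH}")"
    ln -sf "/var/www" "/var/tmp/www/${ROOT_PATH}"
fi
# … unchanged: configure-db.php and supervisord exec …
```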
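Review bot: `root /var/tmp/www;` moves the document root under `/var/tmp`, which on a stock Ubuntu image is a world-writable sticky directory that any process in the container — including php-fpm as `www-data` — can create entries in; the `www` symlink is created by the root-run entrypoint and so cannot be replaced while the sticky bit holds, but serving a site from a temp location is easy to break (a volume or tmpfs mounted over `/var/tmp`) and hard to reason about in a review. A dedicated root-owned directory such as `/srv/www` with the same symlink layout would give the identical URL-prefix behaviour without depending on `/var/tmp` semantics; entrypoint.sh is the only other place that needs the matching change. A one-line comment above `root`, e.g. `# symlink tree built by /entrypoint.sh from SELF_URL_PATH`, would tell the next maintainer why the root is not `/var/www` any more.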