diff --git a/CloudronManifest.json b/CloudronManifest.json
index b3b3dcb..b5ef38f 100644
--- a/CloudronManifest.json
+++ b/CloudronManifest.json
@@ -28,6 +28,7 @@
     "https://cloudron-app-screenshots.s3.amazonaws.com/org.matrix.synapse/606cd9d4ccc3bee11a49f91444a2dad8947cbc7c/2.png",
     "https://cloudron-app-screenshots.s3.amazonaws.com/org.matrix.synapse/606cd9d4ccc3bee11a49f91444a2dad8947cbc7c/3.png"
   ],
+  "optionalSso": true,
   "changelog": "file://CHANGELOG",
   "postInstallMessage": "file://POSTINSTALL.md",
   "minBoxVersion": "5.1.4",
diff --git a/start.sh b/start.sh
index 9d14bbd..13df023 100755
--- a/start.sh
+++ b/start.sh
@@ -31,6 +31,11 @@ if [[ ! -f /app/data/configs/homeserver.yaml ]]; then
 
     yq w -i /app/data/configs/homeserver.yaml auto_join_rooms "[]"
     yq w -i /app/data/configs/homeserver.yaml auto_join_rooms\[0\] "#discuss:${server_name}"
+
+    if [[ -z "${CLOUDRON_LDAP_SERVER:-}" ]]; then
+        yq w -i /app/data/configs/homeserver.yaml enable_registration true
+        yq w -i /app/data/configs/homeserver.yaml password_config.pepper "$(pwgen -1s 12)"
+    fi
 fi
 
 echo "==> Configuring synapse"
@@ -50,12 +55,16 @@ yq w -i /app/data/configs/homeserver.yaml email.smtp_pass "${CLOUDRON_MAIL_SMTP_
 yq w -i /app/data/configs/homeserver.yaml email.notif_from "%(app)s <${CLOUDRON_MAIL_FROM}>"
 
 # ldap
-yq w -i /app/data/configs/homeserver.yaml 'password_providers[0].config.uri' "${CLOUDRON_LDAP_URL}"
-yq w -i /app/data/configs/homeserver.yaml 'password_providers[0].config.start_tls' false
-yq w -i /app/data/configs/homeserver.yaml 'password_providers[0].config.base' "${CLOUDRON_LDAP_USERS_BASE_DN}"
-yq w -i /app/data/configs/homeserver.yaml 'password_providers[0].config.bind_dn' "${CLOUDRON_LDAP_BIND_DN}"
-yq w -i /app/data/configs/homeserver.yaml 'password_providers[0].config.bind_password' "${CLOUDRON_LDAP_BIND_PASSWORD}"
-yq w -i /app/data/configs/homeserver.yaml 'password_providers[0].config.filter' "(objectClass=user)"
+if [[ -n "${CLOUDRON_LDAP_SERVER:-}" ]]; then
+    yq w -i /app/data/configs/homeserver.yaml 'password_providers[0].config.uri' "${CLOUDRON_LDAP_URL}"
+    yq w -i /app/data/configs/homeserver.yaml 'password_providers[0].config.start_tls' false
+    yq w -i /app/data/configs/homeserver.yaml 'password_providers[0].config.base' "${CLOUDRON_LDAP_USERS_BASE_DN}"
+    yq w -i /app/data/configs/homeserver.yaml 'password_providers[0].config.bind_dn' "${CLOUDRON_LDAP_BIND_DN}"
+    yq w -i /app/data/configs/homeserver.yaml 'password_providers[0].config.bind_password' "${CLOUDRON_LDAP_BIND_PASSWORD}"
+    yq w -i /app/data/configs/homeserver.yaml 'password_providers[0].config.filter' "(objectClass=user)"
+else
+    yq w -i /app/data/configs/homeserver.yaml password_config.localdb_enabled true
+fi
 
 # turn (https://github.com/matrix-org/synapse/blob/master/docs/turn-howto.md#synapse-setup)
 yq w -i /app/data/configs/homeserver.yaml turn_uris "[]"