diff --git a/.docker/.env b/.docker/.env
index 27d7e8897869164966088559379a28848f375897..3a05b79650a207a76f93874477a7e642d6407847 100644
--- a/.docker/.env
+++ b/.docker/.env
@@ -1,13 +1,17 @@
+# general
+BASE_URL=
 ADMIN_EMAIL=support@example.com
-# password for cn=admin,dc=dbrepo,dc=at
-IDENTITY_SERVICE_ADMIN_PASSWORD=fbfef87364fe1f0d5bcc016de0be2005
+# password for the identity service admin user
+IDENTITY_SERVICE_ADMIN_PASSWORD=admin
+# password for the auth service admin user
+AUTH_SERVICE_ADMIN_PASSWORD=admin
 # passwords for root user of the databases
-METADATA_DB_PASSWORD=f37fa4ba8c1f2d90ed37218275736018
-DATA_DB_PASSWORD=92ff19f31fb55ef6f1d7f27f2015504f
-AUTH_DB_PASSWORD=32c0bf0611c5bd0c53c21bea87a432b6
-SEARCH_DB_PASSWORD=72c28aa831ce2da8d63d87af6761b8c1
+METADATA_DB_PASSWORD=dbrepo
+DATA_DB_PASSWORD=dbrepo
+AUTH_DB_PASSWORD=dbrepo
+SEARCH_DB_PASSWORD=dbrepo
 # storage service
-S3_ACCESS_KEY_ID=672093d6ab952654b8cffd64bdbf64d2
-S3_SECRET_ACCESS_KEY=f84039188daf247c49012a7931be4535
-# internal user
-SYSTEM_PASSWORD=efe287c82818692e9ac25117487c9eb7
+S3_ACCESS_KEY_ID=seaweedfsadmin
+S3_SECRET_ACCESS_KEY=seaweedfsadmin
+# internal admin user, requires a change of the value of auth_ldap.dn_lookup_bind.password in dist/rabbitmq.conf
+SYSTEM_PASSWORD=admin
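Review bot: The values introduced in this hunk (`admin`, `dbrepo`, `seaweedfsadmin`) are guessable defaults, and nothing in the file says they must be replaced. A deployment that skips the secure-installation steps therefore comes up with well-known credentials for the identity, auth, database and storage services. I would add a header comment such as `# DEFAULTS FOR LOCAL TESTING ONLY: replace every password and key below before exposing the deployment`. `BASE_URL=` is also added empty without explanation; a one-line comment stating what value it expects would help.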
diff --git a/.docker/docker-compose.yml b/.docker/docker-compose.yml
index e47f63c3f0588daeb5e0b893f4916f66109adbbe..3f5a47c9e305aeec4ff98ea52f7d3bc95a36ea33 100644
--- a/.docker/docker-compose.yml
+++ b/.docker/docker-compose.yml
@@ -26,7 +26,7 @@ services:
       MARIADB_DATABASE: "${METADATA_DB:-dbrepo}"
       MARIADB_ROOT_PASSWORD: "${METADATA_DB_PASSWORD:-dbrepo}"
     healthcheck:
-      test: mysqladmin ping --user="${METADATA_USERNAME:-root}" --password="${METADATA_DB_PASSWORD:-dbrepo}" --silent
+      test: mysqladmin ping --user=root --password="${METADATA_DB_PASSWORD:-dbrepo}" --silent
       interval: 10s
       timeout: 5s
       retries: 12
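Review bot: The changed `test:` line still passes the root password as a `--password=` argument. Because Compose interpolates `${METADATA_DB_PASSWORD:-dbrepo}` when the file is loaded, the literal password is stored in the container's healthcheck definition, where `docker inspect` shows it. Resolving the variable inside the container keeps it out of that stored configuration: `test: mysqladmin ping --user=root --password="$$MARIADB_ROOT_PASSWORD" --silent`. It still appears in the process arguments while the check runs, and the fix assumes the container environment carries `MARIADB_ROOT_PASSWORD`, as the context lines suggest. The service definition starts and ends outside the hunk.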
@@ -431,10 +431,8 @@ services:
       BROKER_EXCHANGE_NAME: ${BROKER_EXCHANGE_NAME:-dbrepo}
       BROKER_QUEUE_NAME: ${BROKER_QUEUE_NAME:-dbrepo}
       BROKER_HOST: "${BROKER_ENDPOINT:-broker-service}"
-      BROKER_PASSWORD: ${BROKER_PASSWORD:-admin}
       BROKER_PORT: ${BROKER_PORT:-5672}
       BROKER_SERVICE_ENDPOINT: ${BROKER_SERVICE_ENDPOINT:-http://gateway-service/admin/broker}
-      BROKER_USERNAME: ${BROKER_USERNAME:-admin}
       BROKER_VIRTUALHOST: "${BROKER_VIRTUALHOST:-dbrepo}"
       CONNECTION_TIMEOUT: ${CONNECTION_TIMEOUT:-60000}
       EXCHANGE_NAME: ${EXCHANGE_NAME:-dbrepo}
diff --git a/.docs/images/architecture.drawio b/.docs/images/architecture.drawio
index afbb55618b71f3e6d80f43526c2b4c158e996923..8433da025fa2c2ecf2221a4794a2e2f693df6042 100644
--- a/.docs/images/architecture.drawio
+++ b/.docs/images/architecture.drawio
@@ -1,6 +1,6 @@
-<mxfile host="Electron" modified="2024-07-17T12:02:57.588Z" agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/24.6.4 Chrome/124.0.6367.207 Electron/30.0.6 Safari/537.36" etag="O7nthEdDByNBwN0tnA1g" version="24.6.4" type="device" pages="8">
+<mxfile host="Electron" modified="2024-07-18T03:24:43.687Z" agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/24.6.4 Chrome/124.0.6367.207 Electron/30.0.6 Safari/537.36" etag="yfnnaSFCfO3oi8Cn43Ov" version="24.6.4" type="device" pages="8">
   <diagram id="mvBsv1rP8O80Qe3yGnn_" name="docker-compose">
-    <mxGraphModel dx="1687" dy="967" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="1169" pageHeight="827" math="0" shadow="0">
+    <mxGraphModel dx="683" dy="391" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="1169" pageHeight="827" math="0" shadow="0">
       <root>
         <mxCell id="0" />
         <mxCell id="1" parent="0" />
@@ -274,6 +274,11 @@
         <mxCell id="f61RwCrreTIYbJ5Vt7fi-17" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=1;exitY=0.5;exitDx=0;exitDy=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;startArrow=classic;startFill=1;" edge="1" parent="1" source="f61RwCrreTIYbJ5Vt7fi-3" target="O_ELZSFbvl3Butg3bv_j-1">
           <mxGeometry relative="1" as="geometry" />
         </mxCell>
+        <mxCell id="f61RwCrreTIYbJ5Vt7fi-18" value="idp" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="f61RwCrreTIYbJ5Vt7fi-17">
+          <mxGeometry x="-0.1676" y="1" relative="1" as="geometry">
+            <mxPoint x="4" as="offset" />
+          </mxGeometry>
+        </mxCell>
         <mxCell id="f61RwCrreTIYbJ5Vt7fi-3" value="Identity Service&lt;div&gt;(OpenLDAP)&lt;/div&gt;" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#E6E6E6;fontColor=#000000;strokeColor=#000000;" vertex="1" parent="1">
           <mxGeometry x="30" y="470" width="130" height="40" as="geometry" />
         </mxCell>
diff --git a/.docs/images/screenshots/secure-auth-service-1.png b/.docs/images/screenshots/secure-auth-service-1.png
deleted file mode 100644
index 40e167aa484e33aa42e4dfc66e6592dc60026a61..0000000000000000000000000000000000000000
Binary files a/.docs/images/screenshots/secure-auth-service-1.png and /dev/null differ
diff --git a/.docs/images/screenshots/secure-auth-service-2.png b/.docs/images/screenshots/secure-auth-service-2.png
deleted file mode 100644
index 351e821b63e197c02ba72f190431065d4fe42a43..0000000000000000000000000000000000000000
Binary files a/.docs/images/screenshots/secure-auth-service-2.png and /dev/null differ
diff --git a/.docs/installation.md b/.docs/installation.md
index a1aeb1783205544041ec957a1960cf970e77f9f4..162a515f883cdd1bfdb332ee1abe8d600d518c64 100644
--- a/.docs/installation.md
+++ b/.docs/installation.md
@@ -36,66 +36,55 @@ SSL/TLS certificate is recommended. Follow the [secure install](#secure-install)
 
 ## Secure Installation
 
-Execute the install script to download only the environment and save it to `dist`.
-
-```shell
-curl -sSL https://gitlab.phaidra.org/fair-data-austria-db-repository/fda-services/-/raw/release-1.4.5/install.sh | DOWNLOAD_ONLY=1 bash
-```
-
-To secure your deployment traffic with **SSL/TLS**, tell the Gateway Service to use your certificate secret (e.g. from 
-Let's Encrypt):
-
-```yaml title="docker-compose.yml"
-services:
-  ...
-  dbrepo-gateway-service:
-    ...
-    volumes:
-      - /path/to/cert.crt:/app/cert.crt
-      - /path/to/cert.key:/app/cert.key
-    ...
-```
-
-Now redirect all non-HTTPS routes to HTTPS in the Gateway Service:
-
-```config title="dist/dbrepo.conf"
-server {
-    listen 80 default_server;
-    server_name _;
-    return 301 https://$host$request_uri;
-}
-
-server {
-    listen 443 ssl default_server;
-    server_name my_hostname;
-    ssl_certificate /app/cert.crt;
-    ssl_certificate_key /app/cert.key;
-    ...
-}
-```
-
-Afterwards, briefly start DBRepo with `docker compose up -d` and change the client secret of the `dbrepo-client` of the
-Auth Service by calling [https://localhost/api/auth](https://localhost/api/auth) and logging into the Auth Service.
-
-Change the realm :material-numeric-1-circle-outline: to "dbrepo" and navigate to :material-numeric-2-circle-outline:
-"Clients". In the list, select the "dbrepo-client" client and then select the "Credentials" tab 
-:material-numeric-3-circle-outline:. Finally, open the generation confirmation dialog by clicking the "Regenerate" 
-button :material-numeric-4-circle-outline: (c.f. Figure 1).
-
-<figure markdown>
-![](../images/screenshots/secure-auth-service-1.png){ .img-border }
-<figcaption>Figure 1: Page to open the client secret regeneration.</figcaption>
-</figure>
-
-Finally, confirm the secret recreation by clicking the "Yes" button :material-numeric-1-circle-outline: (c.f. Figure 2).
-
-<figure markdown>
-![](../images/screenshots/secure-auth-service-2.png){ .img-border }
-<figcaption>Figure 2: Regeneration confirmation dialog.</figcaption>
-</figure>
-
-Set the `AUTH_SERVICE_CLIENT_SECRET` variable to the newly generated secret in your `.env` file. Finally, update the
-**default secrets** in `.env` to secure passwords. You can use `openssl` for that, e.g. `openssl rand -hex 16`.
+1. Execute the install script to download only the environment and save it to `dist`.
+
+    ```shell
+    curl -sSL https://gitlab.phaidra.org/fair-data-austria-db-repository/fda-services/-/raw/release-1.4.5/install.sh | DOWNLOAD_ONLY=1 bash
+    ```
+
+2. Call the helper script to regenerate the client secret of the `dbrepo-client` and set it as value of the
+   `AUTH_SERVICE_CLIENT_SECRET` variable in the `.env` file.
+
+    ```bash
+    curl -sSL "https://gitlab.phaidra.org/fair-data-austria-db-repository/fda-services/-/raw/release-1.4.5/.scripts/reg-client-secret.sh" | bash
+    ```
+
+3. Finally, update the rest of the default secrets in the `.env` file to secure passwords. You can use `openssl` for
+   that, e.g. `openssl rand -hex 16`. 
+
+    Set `auth_ldap.dn_lookup_bind.password` in `dist/rabbitmq.conf` to the value of `SYSTEM_PASSWORD`.
+
+4. To secure your deployment traffic with SSL/TLS, tell the Gateway Service to use your certificate secret (e.g.
+   from Let's Encrypt):
+
+    ```yaml title="docker-compose.yml"
+    services:
+      ...
+      dbrepo-gateway-service:
+        ...
+        volumes:
+          - /path/to/cert.crt:/app/cert.crt
+          - /path/to/cert.key:/app/cert.key
+        ...
+    ```
+    
+    Now redirect all non-HTTPS routes to HTTPS in the Gateway Service:
+    
+    ```config title="dist/dbrepo.conf"
+    server {
+        listen 80 default_server;
+        server_name _;
+        return 301 https://$host$request_uri;
+    }
+    
+    server {
+        listen 443 ssl default_server;
+        server_name my_hostname;
+        ssl_certificate /app/cert.crt;
+        ssl_certificate_key /app/cert.key;
+        ...
+    }
+    ```
 
 ## Troubleshooting
 
diff --git a/.scripts/docker-prune.sh b/.scripts/docker-prune.sh
deleted file mode 100755
index c82dc1b674247df131682619e8bbf30b3d68f541..0000000000000000000000000000000000000000
--- a/.scripts/docker-prune.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-if [[ "$CI_COMMIT_BRANCH" =~ (dev|master) ]]; then
-  echo "pruning for branch ${CI_COMMIT_BRANCH} ..."
-  docker system prune -f -a --volumes
-fi
\ No newline at end of file
diff --git a/.scripts/reg-client-secret.sh b/.scripts/reg-client-secret.sh
new file mode 100644
index 0000000000000000000000000000000000000000..bf6a9852c082098cd6173ac907e18e1daa8ea533
--- /dev/null
+++ b/.scripts/reg-client-secret.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+USERNAME=""
+PASSWORD=""
+
+fancy () {
+  printf "\e[1;34m$1\e[m"
+}
+
+printf "This is a utility script to re-generate the client secret of the %s client.\n" $(fancy dbrepo-client)
+fancy "Your credentials are never transmitted outside your machine!\n\n"
+read -rp "Username: " USERNAME
+read -rp "Password: " PASSWORD
+
+# get admin token
+ADMIN_ACCESS_TOKEN=$(curl -fsSL -X POST -d "username=${USERNAME}&password=${PASSWORD}&grant_type=password&client_id=admin-cli" http://localhost/api/auth/realms/master/protocol/openid-connect/token | jq -r .access_token)
+printf "\nSuccessfully obtained admin token."
+
+# re-generate client secret
+SECRET=$(curl -fsSL -X POST -H "Authorization: Bearer ${ADMIN_ACCESS_TOKEN}" http://localhost/api/auth/admin/realms/dbrepo/clients/6b7ef364-4132-4831-b4e2-b6e9e9dc63ee/client-secret | jq -r .value)
+printf "\nSuccessfully re-generated client secret: %s" $(fancy $SECRET)
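Review bot: The prompt `read -rp "Password: " PASSWORD` echoes the admin password to the terminal, and both credentials are then spliced raw into the `-d "username=…&password=…"` form body, so a password containing `&`, `=`, `+` or `%` is sent mangled. Neither request is checked: if the token call fails, "Successfully obtained admin token." is still printed and the second request goes out with an empty or `null` bearer token. I would read the password with `-s`, pass the fields with `--data-urlencode`, and stop on failure as sketched below; the same check is needed after the client-secret request. The installation guide in this commit says the script sets `AUTH_SERVICE_CLIENT_SECRET` in `.env`, but the script only prints the secret.

```shell
#!/bin/bash
set -euo pipefail
# … unchanged: USERNAME/PASSWORD initialisation, fancy() and banner …
read -rp "Username: " USERNAME
read -rsp "Password: " PASSWORD

# get admin token
ADMIN_ACCESS_TOKEN=$(curl -fsSL -X POST \
  --data-urlencode "username=${USERNAME}" \
  --data-urlencode "password=${PASSWORD}" \
  -d "grant_type=password" -d "client_id=admin-cli" \
  http://localhost/api/auth/realms/master/protocol/openid-connect/token | jq -r .access_token)
if [ -z "${ADMIN_ACCESS_TOKEN}" ] || [ "${ADMIN_ACCESS_TOKEN}" = "null" ]; then
  printf "\nFailed to obtain admin token.\n" >&2
  exit 1
fi
# … unchanged: success message and client-secret request …
```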
diff --git a/dbrepo-broker-service/advanced.config b/dbrepo-broker-service/advanced.config
index cf1411a1275648f666188a0d1bc40a6a29d02111..4445ea601954e5c93c32edeba1638135c5af5e59 100644
--- a/dbrepo-broker-service/advanced.config
+++ b/dbrepo-broker-service/advanced.config
@@ -5,7 +5,7 @@
       {
         tag_queries, [
           {
-            administrator, {in_group_nested, "cn=system,ou=users,dn=dbrepo,dn=at", "member"}
+            administrator, {in_group_nested, "cn=system,ou=users,dc=dbrepo,dc=at", "member"}
           },
           {
             management, {constant, true}
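Review bot: The `management, {constant, true}` entry, kept as context just below the corrected line, gives the management tag to every user who authenticates. With the DN corrected, the `administrator` query can presumably match for the first time, so the intended split between the two tags deserves a comment. Something like `%% administrator: members of cn=system only; management: every authenticated LDAP user` above `tag_queries` would make the grant explicit. If management access for all users is not intended, that entry needs its own group query. The rest of the `tag_queries` list lies outside the hunk, so this rests only on the two entries visible here.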
diff --git a/dbrepo-metadata-service/rest-service/src/main/resources/application.yml b/dbrepo-metadata-service/rest-service/src/main/resources/application.yml
index 6cd249d7bfe5fb1691a68cb110fc1234cd02048e..9b1f6fede17615cc81c4d711d98e9f20c62391e8 100644
--- a/dbrepo-metadata-service/rest-service/src/main/resources/application.yml
+++ b/dbrepo-metadata-service/rest-service/src/main/resources/application.yml
@@ -6,7 +6,7 @@ spring:
     url: "jdbc:mariadb://${METADATA_HOST:metadata-db}:3306/${METADATA_DB:dbrepo}${METADATA_JDBC_EXTRA_ARGS}"
     driver-class-name: org.mariadb.jdbc.Driver
     username: "${METADATA_USERNAME:root}"
-    password: "${METADATA_PASSWORD:dbrepo}"
+    password: "${METADATA_DB_PASSWORD:dbrepo}"
   jpa:
     show-sql: false
     database-platform: org.hibernate.dialect.MariaDBDialect
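Review bot: Renaming the placeholder on the `password:` line means a deployment that still exports `METADATA_PASSWORD` no longer overrides anything and silently falls back to the default `dbrepo` password for the `root` account. Either keep the old name as a fallback, `password: "${METADATA_DB_PASSWORD:${METADATA_PASSWORD:dbrepo}}"`, or drop the default so that a missing variable fails at startup instead of connecting with a known password. The `spring.datasource` block starts above the hunk.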
diff --git a/docker-compose.yml b/docker-compose.yml
index 8c5c56dd52d51913d84154e24cb9427adf7f3643..45dbd3b36207d9b3d0ec8adc52c4cda77dfcbcde 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -377,6 +377,7 @@ services:
       - '1389:1389'
       - '1636:1636'
     environment:
+      BITNAMI_DEBUG: true
       LDAP_ADMIN_USERNAME: "${IDENTITY_SERVICE_ADMIN_USERNAME:-admin}"
       LDAP_ADMIN_PASSWORD: "${IDENTITY_SERVICE_ADMIN_PASSWORD:-admin}"
       LDAP_USERS: "${SYSTEM_USERNAME:-admin}"
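Review bot: `BITNAMI_DEBUG: true` turns on debug output for the identity service in the default compose file, with no way to switch it off from `.env`. If it was added while diagnosing the LDAP setup, it should not ship enabled. Debug-level container logs may include more of the bootstrap configuration than the normal level, so it is worth checking what the image prints before keeping it. If the flag stays, make it opt-in and a string, as the other values in this block are quoted and some Compose versions reject a bare YAML boolean under `environment`: `BITNAMI_DEBUG: "${BITNAMI_DEBUG:-false}"`.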
@@ -496,10 +497,10 @@ services:
       BROKER_EXCHANGE_NAME: ${BROKER_EXCHANGE_NAME:-dbrepo}
       BROKER_QUEUE_NAME: ${BROKER_QUEUE_NAME:-dbrepo}
       BROKER_HOST: "${BROKER_ENDPOINT:-broker-service}"
-      BROKER_PASSWORD: ${BROKER_PASSWORD:-admin}
+      BROKER_PASSWORD: ${SYSTEM_USERNAME:-admin}
       BROKER_PORT: ${BROKER_PORT:-5672}
       BROKER_SERVICE_ENDPOINT: ${BROKER_SERVICE_ENDPOINT:-http://gateway-service/admin/broker}
-      BROKER_USERNAME: ${BROKER_USERNAME:-admin}
+      BROKER_USERNAME: ${SYSTEM_PASSWORD:-admin}
       BROKER_VIRTUALHOST: "${BROKER_VIRTUALHOST:-dbrepo}"
       CONNECTION_TIMEOUT: ${CONNECTION_TIMEOUT:-60000}
       EXCHANGE_NAME: ${EXCHANGE_NAME:-dbrepo}
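Review bot: The two replaced lines are crossed: `BROKER_PASSWORD` is filled from `SYSTEM_USERNAME` and `BROKER_USERNAME` from `SYSTEM_PASSWORD`. With both defaults set to `admin` this works by accident, but it breaks once `SYSTEM_PASSWORD` is changed, as the installation guide in this commit asks. The service would then log in with the wrong pair and present the password in the username field, where it is more likely to end up in broker logs. Swap the sources: `BROKER_USERNAME: ${SYSTEM_USERNAME:-admin}` and `BROKER_PASSWORD: ${SYSTEM_PASSWORD:-admin}`. The matching block in `.docker/docker-compose.yml` drops both variables instead, so the two compose files should be brought into line.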