- 🗒️ Formats date/time, boolean and other categorical attributes into readable text
- 😎 Pretty colors & cool emojis
- 🔐 LDAPS & StartTLS support
- ⏩ Fast explorer that loads objects on demand
- 🔎 Recursive object search bundled with useful saved searches
- 👥 Group members & user groups lookup
- 🎡 Supports creation, editing and removal of objects and attributes
- 🚙 Supports moving and renaming objects
- 🗑️ Supports searching deleted & recycled objects
- 📁 Supports exporting specific subtrees of the directory into JSON files
- 🕹️ Interactive userAccountControl editor
- 🔥 Interactive DACL editor
- 🧦 SOCKS support
go install github.com/Macmod/godap/v2@latestBind with username and password
$ godap <hostname or IP> -u <username>@<domain> -p <password>Bind with an NTLM hash
$ godap <hostname or IP> -u <username> -H <hash> [-d <domain>]Anonymous Bind
$ godap <hostname or IP> -p anythingLDAPS/StartTLS
To use LDAPS for the initial connection (ignoring certificate validation) run:
$ godap <hostname or IP> [bind flags] -S -I -P 636To use StartTLS to upgrade an existing connection to use TLS, use the Ctrl + u keybinding inside godap.
Notice that, if the server certificate is not trusted by your client, you must either have started godap with -I to use the upgrade command properly or toggle the IgnoreCert checkbox using the l keybinding before upgrading.
If LDAPS is available, you can also change the port using l, toggle the LDAPS checkbox, set the desired value for IgnoreCert, and reconnect with Ctrl + r.
SOCKS
To connect to LDAP through a SOCKS proxy include the flag -x schema://ip:port, where schema is one of socks4, socks4a or socks5.
You can also change the address of your proxy using the l keybinding.
-u,--username- Username for bind-p,--password- Password for bind--passfile- Path to a file containing the password for bind-P,--port- Custom port for the connection (default:389)-r,--rootDN <distinguishedName>- Initial root DN (default: automatic)-f,--filter <search filter>- Initial LDAP search filter (default:(objectClass=*))-E,--emojis- Prefix objects with emojis (default:true, to change use-emojis=false)-C,--colors- Colorize objects (default:true, to change use-colors=false)-A,--expand- Expand multi-value attributes (default:true, to change use-expand=false)-L,--limit- Number of attribute values to render for multi-value attributes when-expandistrue(default:20)-F,--format- Format attributes into human-readable values (default:true, to change use-format=false)-M,--cache- Keep loaded entries in memory while the program is open and don't query them again (default:true)-D,--deleted- Include deleted objects in all queries performed (default:false)-T,--timeout- Timeout for LDAP connections in seconds (default:10)-I,--insecure- Skip TLS verification for LDAPS/StartTLS (default:false)-S,--ldaps- Use LDAPS for initial connection (default:false)-G,--paging- Paging size for regular queries (default:800)-d,--domain- Domain for NTLM bind-H,--hashes- Hashes for NTLM bind--hashfile- Path to a file containing the hashes for NTLM bind-x,--socks- URI of SOCKS proxy to use for connection (supportssocks4://,socks4a://orsocks5://schemas)-k,--schema- Load GUIDs from schema on initialization (default:false)
| Keybinding | Context | Action |
|---|---|---|
| Ctrl + Enter (or Ctrl + J) | Global | Next panel |
| f / F | Global | Toggle attribute formatting |
| e / E | Global | Toggle emojis |
| c / C | Global | Toggle colors |
| a / A | Global | Toggle attribute expansion for multi-value attributes |
| d / D | Global | Toggle "include deleted objects" flag |
| l / L | Global | Change current server address & credentials |
| Ctrl + r | Global | Reconnect to the server |
| Ctrl + u | Global | Upgrade connection to use TLS (with StartTLS) |
| Ctrl + f | LDAP Explorer & Object Search pages | Open the finder to search for cached objects & attributes with regex |
| Right Arrow | Explorer panel | Expand the children of the selected object |
| Left Arrow | Explorer panel | Collapse the children of the selected object |
| r / R | Explorer panel | Reload the attributes and children of the selected object |
| Ctrl + n | Explorer panel | Create a new object under the selected object |
| Ctrl + s | Explorer panel | Export all loaded nodes in the selected subtree into a JSON file |
| Ctrl + p | Explorer panel | Change the password of the selected user or computer account |
| Ctrl + a | Explorer panel | Update the userAccountControl of the object interactively |
| Ctrl + l | Explorer panel | Move the selected object to another location |
| Delete | Explorer panel | Delete the selected object |
| r / R | Attributes panel | Reload the attributes for the selected object |
| Ctrl + e | Attributes panel | Edit the selected attribute of the selected object |
| Ctrl + n | Attributes panel | Create a new attribute in the selected object |
| Delete | Attributes panel | Delete the selected attribute of the selected object |
| Ctrl + o | DACL page | Change the owner of the current DACL |
| Ctrl + k | DACL page | Change the control flags of the current DACL |
| Ctrl + n | DACL entries panel | Create a new ACE in the current DACL |
| Ctrl + e | DACL entries panel | Edit the selected ACE of the current DACL |
| Delete | DACL entries panel | Deletes the selected ACE of the current DACL |
| h / H | Global | Show/hide headers |
| q | Global | Exit the program |
The nodes in the explorer tree are colored as follows:
| Scenario | Color |
|---|---|
| Object exists and is enabled | Default |
| Object exists and is disabled | Yellow* |
| Object was deleted and not yet recycled | Gray* |
| Object was recycled already | Red* |
* Before v2.2.0, disabled nodes were colored red. This was the only custom color in the tree panel; other nodes were colored with default colors (the "include deleted objects" flag had not been implemented yet).
Contributions are welcome by opening an issue or by submitting a pull request.
-
DACL parsing code and SOCKS code were adapted from the tools below:
-
BadBlood was also very useful for testing during the development of the tool.
- Although some features might work with OpenLDAP (mainly in the explorer/search pages), the main focus of this tool is Active Directory.
- All features were tested and seem to be working properly on a Windows Server 2019, but this tool is highly experimental and I cannot test it extensively - I don't take responsibility for modifications that you execute and end up impacting your environment. If you observe any unexpected behaviors please let me know so I can try to fix it.
The MIT License (MIT)
Copyright (c) 2023 Artur Henrique Marzano Gonzaga
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
