This is a fork of the korylprince/go-ad-auth project.
go-ad-auth is a simple wrapper around the great ldap library to help with Active Directory authentication.
Using Go Modules:
```shell
go get github.com/Ctere1/go-ad-auth
```
Dependencies:
Example:
```go
package main

import (
	"log"

	auth "github.com/Ctere1/go-ad-auth"
)

func main() {
	config := &auth.Config{
		Server:                      "ldap.example.com",
		Port:                        389,
		BaseDN:                      "OU=Users,DC=example,DC=com",
		Security:                    auth.SecurityStartTLS, // set explicitly; the zero value is SecurityNone (plaintext)
		EnforceSamAccountNameSearch: false,
		LegacyDomainName:            "example.com",
	}

	username := "user"
	password := "pass"

	// Authenticate binds to AD with the supplied credentials. status is false
	// for bad credentials; err is set for connection or configuration problems.
	status, err := auth.Authenticate(config, username, password)
	if err != nil {
		// handle err
		log.Fatal(err)
	}
	if !status {
		// handle failed authentication
		log.Println("authentication failed")
		return
	}
	log.Println("authenticated")
}
```

See more advanced examples on go.dev.
```shell
go test -v
```
Most tests will be skipped unless you supply the following environment variables to connect to an Active Directory server:
| Name | Description |
|---|---|
| ADTEST_SERVER | Hostname or IP Address of an Active Directory server |
| ADTEST_PORT | Port to use - defaults to 389 |
| ADTEST_BIND_UPN | userPrincipalName (user@domain.tld) of admin user |
| ADTEST_BIND_PASS | Password of admin user |
| ADTEST_BIND_SECURITY | NONE || TLS || STARTTLS || INSECURETLS || INSECURESTARTTLS - defaults to STARTTLS |
| ADTEST_BASEDN | LDAP Base DN - for testing the root DN is recommended, e.g. DC=example,DC=com |
| ADTEST_ROOT_CA_FILE | Optional path to a PEM-encoded CA certificate used to verify the AD TLS certificate |
| ADTEST_TLS_SERVER_NAME | Optional TLS hostname override used for certificate verification when ADTEST_SERVER is an IP or alias |
| ADTEST_PASSWORD_UPN | userPrincipalName of a test user that will be used to test password changing functions |
If your AD certificate is signed by a private CA, set ADTEST_ROOT_CA_FILE to that CA's PEM file. If you connect to AD by IP address but the certificate is issued for a DNS name, also set ADTEST_TLS_SERVER_NAME to the certificate's DNS name so TLS and StartTLS validation can still succeed.
AuthenticateExtended and Conn.ObjectGroups will automatically search for nested groups. For example, if User A is a member of Group A, and Group A is a member of Group B, using Conn.ObjectGroups on User A will return both Group A and Group B.
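The nested walk described above, as an added illustration that is not the library's own code: `transitiveGroups` follows each object's `memberOf` values breadth-first until no new group appears, and the visited set keeps a cyclic membership (Group A in Group B and Group B in Group A, which AD permits) from looping forever. The `directory` map and DNs are constructed sample data standing in for the per-object LDAP lookups the library performs; how the library itself resolves nesting is not shown here.

```go
package main

import (
	"fmt"
	"sort"
)

// directory is constructed sample data, not output from a real AD. It maps
// an object's DN to the DNs listed in its memberOf attribute.
var directory = map[string][]string{
	"CN=User A,OU=Users,DC=example,DC=com":   {"CN=Group A,OU=Groups,DC=example,DC=com"},
	"CN=Group A,OU=Groups,DC=example,DC=com": {"CN=Group B,OU=Groups,DC=example,DC=com"},
	// Group B is also a member of Group A, forming a cycle.
	"CN=Group B,OU=Groups,DC=example,DC=com": {"CN=Group A,OU=Groups,DC=example,DC=com"},
	"CN=User B,OU=Users,DC=example,DC=com":   {"CN=Group C,OU=Groups,DC=example,DC=com"},
	"CN=Group C,OU=Groups,DC=example,DC=com": nil,
}

// sampleLookup stands in for the LDAP query that reads memberOf for one DN.
func sampleLookup(dn string) []string {
	return directory[dn]
}

// transitiveGroups returns every direct and nested group of dn exactly once,
// sorted for stable comparison. Breadth-first search over memberOf, with a
// visited set so cyclic memberships terminate.
func transitiveGroups(dn string, lookup func(string) []string) []string {
	visited := map[string]bool{dn: true}
	groups := []string{}
	queue := []string{dn}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, g := range lookup(cur) {
			if visited[g] {
				continue
			}
			visited[g] = true
			groups = append(groups, g)
			queue = append(queue, g) // descend into the group's own memberOf
		}
	}
	sort.Strings(groups)
	return groups
}

func main() {
	for _, g := range transitiveGroups("CN=User A,OU=Users,DC=example,DC=com", sampleLookup) {
		fmt.Println(g)
	}
}
```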
SQL injection is a well-known attack vector, and most SQL libraries mitigate it with prepared statements. LDAP injection is less common in the wild but works the same way: untrusted input spliced into a search filter can change the filter's structure, and it deserves the same care.
This library escapes inputs with ldap.EscapeFilter before using them to build LDAP filters in its own functions, namely GetDN and GetAttributes, so the high-level functions are protected against malicious inputs. Search and SearchOne take a raw filter string; if you use them, escape any untrusted values you place in that filter yourself.
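The difference between splicing a value into a filter and escaping it first, as an added example that is not the library's code: `escapeFilter` is an illustrative reimplementation of RFC 4515 escaping, the job ldap.EscapeFilter does in go-ldap (use the library function in real code). `vulnerableUserFilter` is the pattern a Search/SearchOne caller must avoid; `safeUserFilter` is the shape GetDN/GetAttributes rely on. The username `*)(|(cn=*` is a constructed injection payload, and `literalParens` shows how it alters the filter's structure in one case and not the other.

```go
package main

import (
	"fmt"
	"strings"
)

// mustEscape reports whether byte c has to be hex-escaped inside an LDAP
// filter value: the metacharacters * ( ) \ and NUL, plus anything outside
// printable ASCII (RFC 4515).
func mustEscape(c byte) bool {
	switch c {
	case '*', '(', ')', '\\', 0:
		return true
	}
	return c < 0x20 || c > 0x7e
}

// escapeFilter is an illustrative reimplementation of ldap.EscapeFilter:
// every byte that mustEscape becomes a backslash and two hex digits.
func escapeFilter(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if mustEscape(s[i]) {
			fmt.Fprintf(&b, "\\%02x", s[i])
		} else {
			b.WriteByte(s[i])
		}
	}
	return b.String()
}

const userFilterTemplate = "(&(objectClass=user)(sAMAccountName=%s))"

// vulnerableUserFilter splices caller-controlled input straight into the
// filter, letting the caller add or close filter components.
func vulnerableUserFilter(username string) string {
	return fmt.Sprintf(userFilterTemplate, username)
}

// safeUserFilter escapes the value first, so it can only ever be compared as
// a literal sAMAccountName.
func safeUserFilter(username string) string {
	return fmt.Sprintf(userFilterTemplate, escapeFilter(username))
}

// literalParens counts unescaped parentheses, i.e. the filter's real
// structure. The template contributes exactly 3 opens and 3 closes; any
// other count means the input changed the filter's shape.
func literalParens(filter string) (opens, closes int) {
	for i := 0; i < len(filter); i++ {
		switch filter[i] {
		case '(':
			opens++
		case ')':
			closes++
		}
	}
	return opens, closes
}

func main() {
	payload := `*)(|(cn=*` // constructed injection attempt
	fmt.Println("vulnerable:", vulnerableUserFilter(payload))
	fmt.Println("safe:      ", safeUserFilter(payload))
}
```

With the payload above the vulnerable filter becomes `(&(objectClass=user)(sAMAccountName=*)(|(cn=*))`, an OR clause the caller never wrote, while the escaped version keeps the parentheses as data (`\28`, `\29`) and the wildcard as `\2a`.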
This package preserves SecurityNone as the zero-value Config.Security setting for backward compatibility. That mode uses plaintext LDAP and should only be chosen intentionally on trusted networks. For production authentication, explicitly set SecurityStartTLS or SecurityTLS, configure trusted root CAs where needed, and ensure the TLS server name matches the certificate presented by Active Directory.