Get a full Active Directory REST API in 30 seconds
Clone or download
Latest commit 465e5bb Apr 6, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
bin Autoformat code Aug 2, 2017
src Update loadConfig.js Mar 30, 2018
.gitignore Add gitignore Aug 2, 2017
Dockerfile update dockerfile Aug 2, 2017
config.json initial commit Jul 26, 2017
index.js Autoformat code Aug 2, 2017
license initial commit Jul 26, 2017
lint-staged.config.js Add autoformatter Aug 2, 2017
middleware.js Autoformat code Aug 2, 2017
package.json 1.1.1 Aug 6, 2017 Updated readme Aug 29, 2017


Get a full Active Directory REST API in 30 seconds

Addict is a drop-in REST API microservice for Active Directory implementations. Just like that.

Doing this:

npm i addict -g
addict --url ldaps://[address] --user [user]@[domain] --pass [pass]

Gives you a web server with REST endpoints to add, remove, move, disable, enable, unlock or list Users, Groups and Organizational Units. It includes result caching by default and flexible filters for querying, sorting, pagination and column selection.

There's interactive API docs at /api:

Screenshot of API docs for Addict.

No, it's not Slate.

These docs let you add arguments, try the requests and see the results.

Lastly, it comes with a companion Javascript library.

Made with <3 by dthree.


# Users

GET /user
POST /user
GET /user/:user
PUT /user/:user
GET /user/:user/exists
GET /user/:user/member-of/:group
POST /user/:user/authenticate
PUT /user/:user/password
PUT /user/:user/password-never-expires
PUT /user/:user/password-expires
PUT /user/:user/enable
PUT /user/:user/disable
PUT /user/:user/move
PUT /user/:user/unlock
DELETE /user/:user

# Groups

GET /group
POST /group
GET /group/:group
GET /group/:group/exists
GET /group/:group/members
POST /group/:group/user/:user
DELETE /group/:group/user/:user
DELETE /group/:group

# Organizational Units

GET /ou
POST /ou
GET /ou/:ou
GET /ou/:ou/exists
DELETE /ou/:ou

# Other

GET /other
GET /all
GET /find/:filter
GET /status

# Monitoring

GET /status

Want more? Just ask.



Choose which fields to include in the results:

GET /user?_fields=description,cn


Filter any field with fieldName=value.

GET /group?cn=Guests

We've got operators as well:

GET /user?userAccountControl_gte=500

  • =: Equals
  • _ne=: Not equals
  • _lt=: Less than
  • _gt=: Greater than
  • _gte=: Greater than or equal to
  • _lte=: Less than or equal to
  • _like=: Like (fuzzy search)


GET /ou?_sort=whenCreated,dn&_order=desc,asc


GET /user?_page=6&limit=10


Add _start and _end or _limit:

GET /user?_start=20&_limit=40

Full Text Search

GET /group?_q=addict

The Nitty Gritty

Passing Secrets

You can pass the AD details at runtime:

addict --url ldaps://[address] --user [user]@[domain] --pass [pass] --port [port]

Port is optional and defaults to 3000.

As environmental variables:

export ADDICT_URL=ldaps://[address]
export ADDICT_USER=[user]@[domain]
export ADDICT_PASS=[pass]
export ADDICT_PORT=[port] # optional

You can run it from docker as well, using environmental variables.

Or in ./config.json:

git clone
cd addict
vim ./config.json
  "user": "[user]@[domain]",
  "pass": "[pass]",
  "url": "ldaps://[address]",
  "port": 3000


This service defaults to no authentication. I can't and won't try to guess your flavor.

Addict uses express. The file ./middleware.js at the root of the directory exposes the app so you can add middleware hooks for auth logic.


If you connect to Active Directory over plain LDAP, it will refuse certain write operations including adding a user and changing a password. To make things even better, Windows Server doesn't support LDAPS out of the box. You're going to have to set up the Domain Controller as a cert authority by installing the Active Directory Certificate Services Role.

Here's a good tutorial on that.