
The simple OpenID Provider for LDAP like Microsoft ActiveDirectory (AD).

Lauth translates between LDAP and OAuth2/OpenID Connect, so applications that speak OIDC can authenticate users against an LDAP directory.



Use on Docker

$ docker run macrat/lauth:latest --version
lauth version 1.0.0

Build from source

$ go get

$ lauth --version
lauth version 1.0.0


First, generate a client entry in the config file.

$ lauth gen-client your-client-name -u >> config.toml

Then, start the server.

$ lauth \
  --ldap ldap:// \
  --ldap-user "CN=username,OU=somewhere,DC=example,DC=local" \
  --ldap-password ${LDAP_USER_PASSWORD} \
  --config config.toml

Finally, configure your application to use it as its OpenID Provider.

See also the full options list and the example config file.

For production

In production, please add these options.

  • --issuer: external URL of the server. This is the issuer value that appears in tokens and discovery, so it must match what clients expect (and it should be an https URL).
  • --sign-key: RSA private key for signing tokens. Without it a random key is generated at every start, so existing tokens stop verifying after a restart and multiple instances cannot share a key.
  • --tls-cert and --tls-key (or --tls-auto): TLS certificate and key files (or obtain them automatically from Let's Encrypt).
  • --metrics-username and --metrics-password: credentials protecting the metrics page. Without them the metrics endpoint is unauthenticated, and its contents can give an attacker interesting hints.
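The same production setup expressed as a config file loaded with --config, as an added example that is not the project's own example config. The keys follow the option table in this README (command-line option, config-file key and environment variable per row); the hostnames, DNs, file paths, listen-address syntax and the shortened token lifetime are assumptions for this example.

```toml
# Added example production config for Lauth (not the project's example file).
# Hostnames, DNs, paths and the listen address below are assumptions.

issuer = "https://login.example.com"  # external URL; clients validate it as the token issuer
listen = ":443"

# Persistent signing key. Without it a random key is generated on every start,
# so tokens stop verifying after a restart and instances cannot share a key.
sign_key = "/etc/lauth/sign.pem"

[tls]
cert = "/etc/lauth/tls/fullchain.pem"
key  = "/etc/lauth/tls/privkey.pem"

[ldap]
server       = "ldap://dc01.example.local"
user         = "CN=lauth-bind,OU=ServiceAccounts,DC=example,DC=local"
# ldap.password is deliberately not in this file: supply it via LAUTH_LDAP_PASSWORD
base_dn      = "OU=Users,DC=example,DC=local"
id_attribute = "sAMAccountName"
disable_tls  = false   # the default; never set this to true outside a lab

[expire]
token = "1h"   # default is 1d; a shorter access_token/id_token lifetime limits replay

[metrics]
username = "prometheus"
# metrics.password is likewise supplied via LAUTH_METRICS_PASSWORD
```

Generate the signing key once, for example with `openssl genrsa -out /etc/lauth/sign.pem 4096`, and restrict the file to the user that runs Lauth. Keeping the two passwords out of the file means the config can be committed or mounted read-only while the secrets come from the environment, which the option table lists as an accepted source for every option.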

Use in docker-compose

Please see the example.


Page design

This is default page design:

default design of login page and error page

If you want to customize the design, you can use --login-page, --logout-page, and --error-page. The templates use Go's html/template format.

Please see also the default page templates.

ID attribute

By default, Lauth uses sAMAccountName as the username; that is the logon ID in Microsoft ActiveDirectory.

Use the --ldap-id-attribute option if you want to use another attribute as the username.

$ lauth --ldap-id-attribute mail  # login with e-mail

Or, you can use a config file.

$ cat <<EOS > config.toml
[ldap]
id_attribute = "mail"
EOS

$ lauth --config config.toml

Scope and Claims

You can change the scopes and claims used for id_token and userinfo in the config file.

This is the default config; these claims map to Microsoft ActiveDirectory attributes.


profile = [
  { claim = "name",        attribute = "displayName" },
  { claim = "given_name",  attribute = "givenName"   },
  { claim = "family_name", attribute = "sn"          },
]

email = [
  { claim = "email", attribute = "mail" },
]

phone = [
  { claim = "phone_number", attribute = "telephoneNumber" },
]

groups = [
  { claim = "groups", attribute = "memberOf", type = "[]string" },
]
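To make the mapping above concrete, here is an added example (illustrative code, not Lauth's implementation) that applies a scope/claims table like the default one to an LDAP entry and returns the claims for the scopes a client requested. It also covers the ID attribute section: the `sub` claim is taken from the configured ID attribute, which is an assumption of this example rather than something the README states. The LDAP entry is constructed sample data.

```python
# Added example (not Lauth's code): turn an LDAP entry into OIDC claims using a
# scope/claims table in the shape of the default config above. Lauth's real
# implementation may differ; deriving `sub` from the ID attribute is an
# assumption made here, not a documented behaviour.
from __future__ import annotations

# The README's default mapping, transcribed as Python data.
DEFAULT_SCOPES: dict[str, list[dict[str, str]]] = {
    "profile": [
        {"claim": "name", "attribute": "displayName"},
        {"claim": "given_name", "attribute": "givenName"},
        {"claim": "family_name", "attribute": "sn"},
    ],
    "email": [{"claim": "email", "attribute": "mail"}],
    "phone": [{"claim": "phone_number", "attribute": "telephoneNumber"}],
    "groups": [{"claim": "groups", "attribute": "memberOf", "type": "[]string"}],
}

# Constructed sample entry in the shape an LDAP client returns it: every
# attribute is a list of values. telephoneNumber is deliberately absent to
# show how a missing attribute is handled.
SAMPLE_ENTRY: dict[str, list[str]] = {
    "sAMAccountName": ["jdoe"],
    "displayName": ["Jane Doe"],
    "givenName": ["Jane"],
    "sn": ["Doe"],
    "mail": ["jane.doe@example.local"],
    "memberOf": [
        "CN=developers,OU=groups,DC=example,DC=local",
        "CN=vpn-users,OU=groups,DC=example,DC=local",
    ],
}


def build_claims(
    entry: dict[str, list[str]],
    scope_param: str,
    id_attribute: str = "sAMAccountName",
    scopes: dict[str, list[dict[str, str]]] = DEFAULT_SCOPES,
) -> dict[str, object]:
    """Return the claims for an OAuth2 `scope` parameter (space separated)."""
    # LDAP attribute names are case-insensitive, so match them that way.
    attrs = {name.lower(): values for name, values in entry.items()}
    requested = scope_param.split()

    claims: dict[str, object] = {}
    # `openid` is the mandatory OIDC scope; `sub` comes from the ID attribute
    # (assumption for this example, see lead-in).
    if "openid" in requested:
        claims["sub"] = attrs[id_attribute.lower()][0]

    for scope in requested:
        for rule in scopes.get(scope, []):  # scopes without a mapping add nothing
            values = attrs.get(rule["attribute"].lower(), [])
            if not values:
                continue  # missing attribute: omit the claim rather than emit an empty one
            if rule.get("type") == "[]string":
                claims[rule["claim"]] = list(values)  # keep every value, e.g. all groups
            else:
                claims[rule["claim"]] = values[0]  # scalar claim: first value only
    return claims


if __name__ == "__main__":
    import json

    print(json.dumps(build_claims(SAMPLE_ENTRY, "openid profile email phone groups"), indent=2))
    # The same entry with --ldap-id-attribute mail: sub becomes the e-mail address.
    print(build_claims(SAMPLE_ENTRY, "openid", id_attribute="mail")["sub"])
```

Two details worth noticing when consuming the result: `groups` carries the raw memberOf distinguished names, so a relying party should compare them as DNs (case-insensitively) rather than as opaque strings, and a scope with no configured mapping contributes no claims at all, which is the behaviour you want when a client asks for a scope you never defined.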


server command

$ lauth [OPTIONS]
| command line | config file | environment variable | default value | description |
| --- | --- | --- | --- | --- |
| `--issuer` | `issuer` | `LAUTH_ISSUER` | `http://localhost:8000` | Issuer URL. |
| `--listen` | `listen` | `LAUTH_LISTEN` | same port as the issuer URL | Listen address and port. |
| `--sign-key` | `sign_key` | `LAUTH_SIGN_KEY` | generate a random key | RSA private key for signing tokens. |
| `--tls-auto` | | `LAUTH_TLS_AUTO` | | Enable automatic TLS certificates from Let's Encrypt. |
| `--tls-cert` | `tls.cert` | `LAUTH_TLS_CERT` | | Certificate file for TLS. |
| `--tls-key` | `tls.key` | `LAUTH_TLS_KEY` | | Key file for TLS. |
| `--authz-endpoint` | `endpoint.authz` | `LAUTH_ENDPOINT_AUTHZ` | `/login` | Path to the authorization endpoint. |
| `--token-endpoint` | `endpoint.token` | `LAUTH_ENDPOINT_TOKEN` | `/login/token` | Path to the token endpoint. |
| `--userinfo-endpoint` | `endpoint.userinfo` | `LAUTH_ENDPOINT_USERINFO` | `/login/userinfo` | Path to the userinfo endpoint. |
| `--jwks-uri` | `endpoint.jwks` | `LAUTH_ENDPOINT_JWKS` | `/login/jwks` | Path to the JWKS URI. |
| `--login-expire` | `expire.login` | `LAUTH_EXPIRE_LOGIN` | `1h` | Time limit for entering username and password on the login page. |
| `--code-expire` | `expire.code` | `LAUTH_EXPIRE_CODE` | `5m` | Time limit for exchanging a code for an access_token or id_token. |
| `--token-expire` | `expire.token` | `LAUTH_EXPIRE_TOKEN` | `1d` | Lifetime of access_token and id_token. |
| `--refresh-expire` | `expire.refresh` | `LAUTH_EXPIRE_REFRESH` | `1w` | Lifetime of refresh_token. If set to 0, no refresh_token is issued. |
| `--sso-expire` | `expire.sso` | `LAUTH_EXPIRE_SSO` | `2w` | How long a past login is remembered so the login page is skipped. If set to 0, the end-user is always asked for username and password. |
| `--ldap` | `ldap.server` | `LAUTH_LDAP_SERVER` | | URL of the LDAP server. You can include user credentials like `ldap://USER_DN:PASSW |
| `--ldap-user` | `ldap.user` | `LAUTH_LDAP_USER` | | User DN for connecting to LDAP. You can use the `DOMAIN\username` style with ActiveDirectory. |
| `--ldap-password` | `ldap.password` | `LAUTH_LDAP_PASSWORD` | | Password for connecting to LDAP. |
| `--ldap-base-dn` | `ldap.base_dn` | `LAUTH_LDAP_BASE_DN` | same as the user DN's DC components | Base DN for searching user accounts in LDAP, like `OU=somewhere,DC=example,DC=local`. |
| `--ldap-id-attribute` | `ldap.id_attribute` | `LAUTH_LDAP_ID_ATTRIBUTE` | `sAMAccountName` | ID attribute name in LDAP. |
| `--ldap-disable-tls` | `ldap.disable_tls` | `LAUTH_LDAP_DISABLE_TLS` | | Disable TLS when connecting to the LDAP server. THIS IS INSECURE. |
| `--login-page` | `template.login_page` | `LAUTH_TEMPLATE_LOGIN_PAGE` | | Template file for the login page. |
| `--logout-page` | `template.logout_page` | `LAUTH_TEMPLATE_LOGOUT_PAGE` | | Template file for the logged-out page. |
| `--error-page` | `template.error_page` | `LAUTH_TEMPLATE_ERROR_PAGE` | | Template file for the error page. |
| `--metrics-path` | `metrics.path` | `LAUTH_METRICS_PATH` | `/metrics` | Path to Prometheus metrics. |
| `--metrics-username` | `metrics.username` | `LAUTH_METRICS_USERNAME` | | Basic auth username for accessing Prometheus metrics. If omitted, authentication is disabled. |
| `--metrics-password` | `metrics.password` | `LAUTH_METRICS_PASSWORD` | | Basic auth password for accessing Prometheus metrics. If omitted, authentication is disabled. |
| `--config` | | `LAUTH_CONFIG` | | Load options from a TOML, YAML, or JSON file. |
| `--debug` | | | | Enable debug output. This is insecure for production use. |

gen-client sub command

$ lauth gen-client CLIENT_ID [OPTIONS]
| option | description |
| --- | --- |
| `--redirect-uri` | URIs to accept redirects to. |
| `--secret` | Client secret value. A random secret is generated if omitted. Using this option is not recommended. |

