ldap

package
v0.0.0-...-0c32715
Published: May 13, 2026 License: Apache-2.0 Imports: 19 Imported by: 0

Constants

View Source
const (
	UF_ACCOUNTDISABLE                         = 0x00000002
	UF_TRUSTED_FOR_DELEGATION                 = 0x00080000 // Unconstrained delegation
	UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000 // Protocol transition
)

UserAccountControl flags relevant to delegation.

Variables

This section is empty.

Functions

This section is empty.

Types

type Client

type Client struct {
	Conn    *goldap.Conn
	Target  session.Target
	Session *session.Credentials
	// contains filtered or unexported fields
}

Client wraps the underlying LDAP connection to provide a unified interface.

func NewClient

func NewClient(target session.Target, creds *session.Credentials) *Client

NewClient creates a new LDAP client instance.

func (*Client) Add

func (c *Client) Add(dn string, attributes map[string][]string) error

Add creates a new LDAP entry with the given DN and attributes.

func (*Client) Close

func (c *Client) Close()

Close terminates the LDAP connection.

func (*Client) Connect

func (c *Client) Connect(useTLS bool) error

Connect establishes the TCP connection to the LDAP server. If useTLS is true and port is 636, uses implicit TLS (LDAPS). If useTLS is true and port is 389, uses STARTTLS to upgrade.

func (*Client) Delete

func (c *Client) Delete(dn string) error

Delete removes an LDAP entry by its DN.

func (*Client) FindDelegation

func (c *Client) FindDelegation(baseDN string, includeDisabled bool, specificUser string) ([]DelegationEntry, error)

FindDelegation searches for all delegation relationships in the domain.

includeDisabled: if true, includes disabled accounts in the results.

specificUser: if not empty, filters the results to this specific sAMAccountName.

func (*Client) FindNPUsers

func (c *Client) FindNPUsers(baseDN string) ([]UserNP, error)

FindNPUsers searches for users with the UF_DONT_REQUIRE_PREAUTH flag (0x400000) set.

func (*Client) FindSPNUsers

func (c *Client) FindSPNUsers(baseDN string) ([]UserSPN, error)

FindSPNUsers searches for user accounts with servicePrincipalName attribute set. This is used for Kerberoasting - these accounts can have their TGS tickets requested and cracked offline.

func (*Client) FindSPNUsersWithOptions

func (c *Client) FindSPNUsersWithOptions(baseDN string, opts SPNQueryOptions) ([]UserSPN, error)

FindSPNUsersWithOptions searches for accounts with SPNs using the given options. When Stealth is true, the servicePrincipalName=* filter is omitted (pulls all accounts, filters client-side). When MachineOnly is true, objectCategory=computer is used instead of objectCategory=person.

func (*Client) GetDefaultNamingContext

func (c *Client) GetDefaultNamingContext() (string, error)

GetDefaultNamingContext retrieves the root domain context (e.g., DC=corp,DC=local).

func (*Client) GetSchemaNamingContext

func (c *Client) GetSchemaNamingContext() (string, error)

GetSchemaNamingContext returns the schema naming context from the RootDSE.

func (*Client) Login

func (c *Client) Login() error

Login attempts to bind to the LDAP server using the session credentials. Supports password, NTLM hash, and Kerberos authentication.

func (*Client) LoginWithHash

func (c *Client) LoginWithHash() error

LoginWithHash attempts to bind using NTLM hash authentication.

func (*Client) LoginWithKerberos

func (c *Client) LoginWithKerberos() error

LoginWithKerberos performs Kerberos GSSAPI SASL bind.

func (*Client) LoginWithUser

func (c *Client) LoginWithUser(username string) error

LoginWithUser attempts to bind using a specific username and the session password.

func (*Client) Modify

func (c *Client) Modify(dn string, changes []ModifyChange) error

Modify applies changes to an existing LDAP entry.

func (*Client) ModifyRaw

func (c *Client) ModifyRaw(dn string, operation int, attrName string, rawValue []byte, controls []goldap.Control) error

ModifyRaw performs an LDAP modify with raw byte values and optional controls. This is needed for writing binary attributes like nTSecurityDescriptor.

func (*Client) ModifyRequest

func (c *Client) ModifyRequest(modReq *goldap.ModifyRequest) error

ModifyRequest performs an LDAP modify with a pre-built ModifyRequest. This allows for complex modifications like delete+add in the same request.

func (*Client) Search

func (c *Client) Search(baseDN string, filter string, attributes []string) (*goldap.SearchResult, error)

Search performs a generic LDAP search.

func (*Client) SearchBase

func (c *Client) SearchBase(baseDN string, filter string, attributes []string) (*goldap.SearchResult, error)

SearchBase performs an LDAP search at BASE scope (single object).

func (*Client) SearchWithControls

func (c *Client) SearchWithControls(baseDN string, filter string, attributes []string, controls []goldap.Control) (*goldap.SearchResult, error)

SearchWithControls performs an LDAP search with the specified controls.

func (*Client) SearchWithPaging

func (c *Client) SearchWithPaging(baseDN string, filter string, attributes []string, pageSize uint32) (*goldap.SearchResult, error)

SearchWithPaging performs an LDAP search with paging support for large result sets.

type ControlMicrosoftSDFlags

type ControlMicrosoftSDFlags struct {
	Flags int
}

ControlMicrosoftSDFlags implements the Microsoft SD Flags control (OID 1.2.840.113556.1.4.801). This control specifies which portions of the security descriptor to retrieve or modify.

func NewControlMicrosoftSDFlags

func NewControlMicrosoftSDFlags(flags int) *ControlMicrosoftSDFlags

NewControlMicrosoftSDFlags creates a new SD Flags control. Common flag values: 0x04 = DACL_SECURITY_INFORMATION
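The control value that ControlMicrosoftSDFlags.Encode has to carry is small enough to show in full. The following is an added example, not code from this package: it builds and parses the DER control value for the SD Flags control (OID 1.2.840.113556.1.4.801), whose controlValue is a BER SEQUENCE holding a single INTEGER of SECURITY_INFORMATION bits. Only 0x04 (DACL_SECURITY_INFORMATION) appears on this page; the OWNER, GROUP and SACL bit names are the standard Windows values and are supplied here for completeness. The encoding uses the standard library's encoding/asn1 rather than the ber package the real Encode method returns, so the bytes are the same but the wiring into go-ldap's Control interface is left to the package.

```go
package main

import (
	"encoding/asn1"
	"fmt"
)

// ControlTypeSDFlags is the OID of the Microsoft SD Flags control (from the page).
const ControlTypeSDFlags = "1.2.840.113556.1.4.801"

// SECURITY_INFORMATION bits accepted by the control. The page documents only
// 0x04; the other three are the standard Windows values, added here.
const (
	OwnerSecurityInformation = 0x01
	GroupSecurityInformation = 0x02
	DaclSecurityInformation  = 0x04
	SaclSecurityInformation  = 0x08
)

// sdFlagsValue mirrors the controlValue layout: SEQUENCE { Flags INTEGER }.
type sdFlagsValue struct {
	Flags int
}

// EncodeSDFlagsValue produces the DER controlValue bytes for the given flags.
// For 0x04 this is 30 03 02 01 04.
func EncodeSDFlagsValue(flags int) ([]byte, error) {
	return asn1.Marshal(sdFlagsValue{Flags: flags})
}

// DecodeSDFlagsValue parses a controlValue back into its flags word, rejecting
// trailing bytes so a malformed value is not silently accepted.
func DecodeSDFlagsValue(b []byte) (int, error) {
	var v sdFlagsValue
	rest, err := asn1.Unmarshal(b, &v)
	if err != nil {
		return 0, fmt.Errorf("sd flags: %w", err)
	}
	if len(rest) != 0 {
		return 0, fmt.Errorf("sd flags: %d trailing bytes", len(rest))
	}
	return v.Flags, nil
}

// DescribeSDFlags names the security-descriptor parts a flags word selects,
// in OWNER, GROUP, DACL, SACL order.
func DescribeSDFlags(flags int) []string {
	var names []string
	for _, p := range []struct {
		bit  int
		name string
	}{
		{OwnerSecurityInformation, "OWNER"},
		{GroupSecurityInformation, "GROUP"},
		{DaclSecurityInformation, "DACL"},
		{SaclSecurityInformation, "SACL"},
	} {
		if flags&p.bit != 0 {
			names = append(names, p.name)
		}
	}
	return names
}

func main() {
	// Read only the DACL: this is the 0x04 value named in the documentation and
	// avoids asking for the SACL, which requires extra privilege to read.
	raw, err := EncodeSDFlagsValue(DaclSecurityInformation)
	if err != nil {
		panic(err)
	}
	fmt.Printf("controlType=%s controlValue=% x\n", ControlTypeSDFlags, raw)

	flags, err := DecodeSDFlagsValue(raw)
	if err != nil {
		panic(err)
	}
	fmt.Println("selects:", DescribeSDFlags(flags))
}
```

When auditing nTSecurityDescriptor, pairing this control with a SearchWithControls call keeps the returned descriptor to the parts you intend to review; the same value on a ModifyRaw limits a write to those parts, which is why the documentation above singles out 0x04.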

func (*ControlMicrosoftSDFlags) Encode

func (c *ControlMicrosoftSDFlags) Encode() *ber.Packet

func (*ControlMicrosoftSDFlags) GetControlType

func (c *ControlMicrosoftSDFlags) GetControlType() string

func (*ControlMicrosoftSDFlags) String

func (c *ControlMicrosoftSDFlags) String() string

type DelegationEntry

type DelegationEntry struct {
	AccountName    string
	AccountType    string // Computer, User, etc.
	DelegationType DelegationType
	DelegationTo   string // The target of delegation rights (SPN or account name)
	SPNExists      string // "Yes", "No", or "-"
}

DelegationEntry represents a delegation relationship found in AD.

type DelegationType

type DelegationType string

DelegationType represents the type of delegation configured.

const (
	DelegationUnconstrained                DelegationType = "Unconstrained"
	DelegationConstrainedWithTransition    DelegationType = "Constrained w/ Protocol Transition"
	DelegationConstrainedWithoutTransition DelegationType = "Constrained"
	DelegationResourceBased                DelegationType = "Resource-Based Constrained"
)
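The FindDelegation documentation above and the DelegationType constants describe a classification without showing how the UserAccountControl bits and the delegation attributes combine. The following is an added example, not this package's implementation: it classifies already-fetched account attributes into the four DelegationType values the page defines, applies the includeDisabled and specificUser filters that FindDelegation documents, and exposes the UF_DONT_REQUIRE_PREAUTH (0x400000) check that FindNPUsers is built on. The Account struct and the sample accounts are constructed stand-ins for what an LDAP search would return; msDS-AllowedToActOnBehalfOfOtherIdentity is a binary security descriptor, and only its presence is recorded here, so the DelegationTo text for resource-based entries is a placeholder convention of this example, as is using "-" for SPNExists on those entries.

```go
package main

import (
	"fmt"
	"strings"
)

// UserAccountControl bits from the package docs, plus UF_DONT_REQUIRE_PREAUTH
// (0x400000), the flag FindNPUsers searches for.
const (
	UF_ACCOUNTDISABLE                         = 0x00000002
	UF_TRUSTED_FOR_DELEGATION                 = 0x00080000 // Unconstrained delegation
	UF_DONT_REQUIRE_PREAUTH                   = 0x00400000
	UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000 // Protocol transition
)

type DelegationType string

const (
	DelegationUnconstrained                DelegationType = "Unconstrained"
	DelegationConstrainedWithTransition    DelegationType = "Constrained w/ Protocol Transition"
	DelegationConstrainedWithoutTransition DelegationType = "Constrained"
	DelegationResourceBased                DelegationType = "Resource-Based Constrained"
)

// DelegationEntry mirrors the page's type.
type DelegationEntry struct {
	AccountName    string
	AccountType    string
	DelegationType DelegationType
	DelegationTo   string
	SPNExists      string // "Yes", "No", or "-"
}

// Account is a constructed stand-in for the attributes a search returns.
type Account struct {
	SAMAccountName        string
	AccountType           string   // "Computer" or "User"
	UserAccountControl    int
	AllowedToDelegateTo   []string // msDS-AllowedToDelegateTo
	HasRBCDDescriptor     bool     // msDS-AllowedToActOnBehalfOfOtherIdentity present
	ServicePrincipalNames []string
}

// RequiresNoPreauth reports the UF_DONT_REQUIRE_PREAUTH bit (FindNPUsers' criterion).
func RequiresNoPreauth(uac int) bool { return uac&UF_DONT_REQUIRE_PREAUTH != 0 }

// ClassifyDelegation derives zero or more entries from one account. The
// unconstrained bit, the constrained target list (with or without protocol
// transition) and a resource-based descriptor are independent, so one account
// can yield several entries.
func ClassifyDelegation(a Account) []DelegationEntry {
	spn := "No"
	if len(a.ServicePrincipalNames) > 0 {
		spn = "Yes"
	}
	mk := func(t DelegationType, to, spnExists string) DelegationEntry {
		return DelegationEntry{a.SAMAccountName, a.AccountType, t, to, spnExists}
	}
	var out []DelegationEntry
	uac := a.UserAccountControl
	if uac&UF_TRUSTED_FOR_DELEGATION != 0 {
		out = append(out, mk(DelegationUnconstrained, "N/A", spn))
	}
	if len(a.AllowedToDelegateTo) > 0 {
		t := DelegationConstrainedWithoutTransition
		if uac&UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION != 0 {
			t = DelegationConstrainedWithTransition
		}
		for _, target := range a.AllowedToDelegateTo {
			out = append(out, mk(t, target, spn))
		}
	}
	if a.HasRBCDDescriptor {
		// The descriptor names who may delegate TO this account; this example
		// records only its presence (placeholder text, not a parsed value).
		out = append(out, mk(DelegationResourceBased, "(principals in msDS-AllowedToActOnBehalfOfOtherIdentity)", "-"))
	}
	return out
}

// AuditDelegation applies FindDelegation's documented filters over fetched accounts.
func AuditDelegation(accounts []Account, includeDisabled bool, specificUser string) []DelegationEntry {
	var out []DelegationEntry
	for _, a := range accounts {
		if !includeDisabled && a.UserAccountControl&UF_ACCOUNTDISABLE != 0 {
			continue
		}
		if specificUser != "" && !strings.EqualFold(a.SAMAccountName, specificUser) {
			continue // sAMAccountName comparisons are case-insensitive in AD
		}
		out = append(out, ClassifyDelegation(a)...)
	}
	return out
}

// SampleAccounts returns constructed data covering each delegation type.
func SampleAccounts() []Account {
	return []Account{
		{"DC01$", "Computer", 0x00082000, nil, false, []string{"ldap/dc01.corp.local"}},
		{"svc_web", "User", 0x01010200, []string{"cifs/files01.corp.local"}, false, []string{"HTTP/web01.corp.local"}},
		{"svc_old", "User", 0x00010202, []string{"ldap/dc01.corp.local"}, false, nil}, // disabled
		{"FILES01$", "Computer", 0x00001000, nil, true, []string{"cifs/files01.corp.local"}},
		{"jdoe", "User", 0x00400200, nil, false, nil}, // no delegation, no preauth
	}
}

func main() {
	for _, e := range AuditDelegation(SampleAccounts(), false, "") {
		fmt.Printf("%-9s %-8s %-36s -> %s (SPN: %s)\n", e.AccountName, e.AccountType, e.DelegationType, e.DelegationTo, e.SPNExists)
	}
	for _, a := range SampleAccounts() {
		if RequiresNoPreauth(a.UserAccountControl) {
			fmt.Println("pre-authentication not required:", a.SAMAccountName)
		}
	}
}
```

Running the audit with includeDisabled false drops svc_old; passing specificUser "svc_old" together with includeDisabled true is how a defender checks one stale account before deciding to clear its msDS-AllowedToDelegateTo list or re-enable pre-authentication.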

type KerberosGSSAPIClient

type KerberosGSSAPIClient struct {
	// contains filtered or unexported fields
}

KerberosGSSAPIClient implements go-ldap's GSSAPIClient interface using our kerberos.Client for Kerberos SASL authentication.

func NewKerberosGSSAPIClient

func NewKerberosGSSAPIClient(krbClient *kerberos.Client) *KerberosGSSAPIClient

NewKerberosGSSAPIClient creates a new GSSAPIClient for LDAP Kerberos auth.

func (*KerberosGSSAPIClient) DeleteSecContext

func (g *KerberosGSSAPIClient) DeleteSecContext() error

DeleteSecContext cleans up the security context. Implements GSSAPIClient.DeleteSecContext.

func (*KerberosGSSAPIClient) InitSecContext

func (g *KerberosGSSAPIClient) InitSecContext(target string, token []byte) ([]byte, bool, error)

InitSecContext generates the initial GSSAPI token for Kerberos authentication. Implements GSSAPIClient.InitSecContext.

func (*KerberosGSSAPIClient) InitSecContextWithOptions

func (g *KerberosGSSAPIClient) InitSecContextWithOptions(target string, token []byte, options []int) ([]byte, bool, error)

InitSecContextWithOptions is the same as InitSecContext but with additional options. Implements GSSAPIClient.InitSecContextWithOptions.

func (*KerberosGSSAPIClient) NegotiateSaslAuth

func (g *KerberosGSSAPIClient) NegotiateSaslAuth(token []byte, authzid string) ([]byte, error)

NegotiateSaslAuth completes the SASL authentication handshake. It receives the server's security layer token and returns our response. Implements GSSAPIClient.NegotiateSaslAuth.

type ModifyChange

type ModifyChange struct {
	Operation int // goldap.AddAttribute, ReplaceAttribute, DeleteAttribute
	AttrName  string
	AttrVals  []string
}

ModifyChange represents a single modification to an LDAP entry.

type SPNQueryOptions

type SPNQueryOptions struct {
	Stealth     bool // Remove servicePrincipalName=* filter (stealth mode)
	MachineOnly bool // Query computer accounts instead of person accounts
}

SPNQueryOptions controls how the SPN user search is performed.

type UserNP

type UserNP struct {
	Username string
	DN       string
}

UserNP represents a user who might not require pre-authentication.

type UserSPN

type UserSPN struct {
	Username   string
	DN         string
	SPNs       []string
	MemberOf   string
	PwdLastSet time.Time
	LastLogon  time.Time
	Delegation string
}

UserSPN represents a user account with Service Principal Names set.
