A simple Go library providing an easy-to-use wrapper around go-ldap/ldap/v3 for common LDAP and Active Directory operations.
This package was extracted from netresearch/raybeam to provide a standalone, reusable LDAP client library.
Working with go-ldap/ldap/v3 directly can be challenging for common LDAP operations. This library solves the pain points you'll encounter:
β Complex Connection Management - Manual connection pooling, health checks, and retry logic β Manual DN Construction - Error-prone string building with security risks (DN injection) β No Caching - Repeated LDAP queries for the same data slow down applications β Verbose Error Handling - Generic LDAP errors without context or specific types β AD vs OpenLDAP Differences - Different APIs and attributes require separate code paths β Security Pitfalls - Easy to introduce vulnerabilities without proper input validation β Boilerplate Code - Simple operations require dozens of lines of setup and teardown
β
Automatic Connection Pooling - Built-in connection management with health checks and auto-retry
β
Safe DN Handling - Automatic escaping and validation prevents injection attacks
β
Built-in Caching - Intelligent caching layer reduces LDAP server load
β
Comprehensive Error Types - Specific errors like ErrUserNotFound with detailed context
β
Unified API - Same methods work seamlessly with Active Directory and OpenLDAP
β
Security by Default - Input validation, proper escaping, and secure connection handling
β
Simple API - Common operations in just a few lines of code
Raw go-ldap: Finding and authenticating a user (50+ lines)
import "github.com/go-ldap/ldap/v3"
// Connect and bind
conn, err := ldap.DialURL("ldaps://ldap.example.com:636")
if err != nil {
return err
}
defer conn.Close()
err = conn.Bind("cn=admin,dc=example,dc=com", "password")
if err != nil {
return err
}
// Search for user (manual filter construction)
searchReq := ldap.NewSearchRequest(
"dc=example,dc=com",
ldap.ScopeWholeSubtree,
ldap.NeverDerefAliases,
0, 0, false,
fmt.Sprintf("(&(objectClass=user)(sAMAccountName=%s))",
ldap.EscapeFilter(username)), // Manual escaping required
[]string{"dn", "cn", "mail"},
nil,
)
sr, err := conn.Search(searchReq)
if err != nil {
return err
}
if len(sr.Entries) == 0 {
return errors.New("user not found") // Generic error
}
userDN := sr.Entries[0].DN
// Authenticate user (separate bind operation)
err = conn.Bind(userDN, password)
if err != nil {
return err
}
// ... additional validation and error handlingSimple LDAP Go: Same operation (3 lines)
import ldap "github.com/netresearch/simple-ldap-go"
client, _ := ldap.New(config, "cn=admin,dc=example,dc=com", "password")
user, err := client.CheckPasswordForSAMAccountName("username", "password")
// Returns structured User object with automatic error handling- π User Authentication - One-line password verification with automatic DN resolution and secure binding
- π₯ User Management - Type-safe user operations with automatic attribute mapping and validation
- π’ Group Operations - Simplified group queries and membership management across AD and OpenLDAP
- π» Computer Management - Active Directory computer object support with automatic schema detection
- π Password Management - Secure password changes with automatic LDAPS enforcement and policy validation
- π‘οΈ Active Directory Support - Native AD features like SAMAccountName, UPN, and nested group resolution
- β‘ Connection Pooling - Automatic connection management with health checks, retry logic, and resource cleanup
- π― Smart Caching - Configurable caching layer that reduces server load for repeated queries
- π Security by Default - Built-in DN injection protection, input validation, and secure connection handling
- π Structured Errors - Context-rich error types that make debugging and error handling straightforward
- π Context Support - Full
context.Contextintegration for timeouts, cancellation, and request tracing - π Structured Logging - Integrated slog support for comprehensive operational visibility
go get github.com/netresearch/simple-ldap-gopackage main
import (
"fmt"
"log"
ldap "github.com/netresearch/simple-ldap-go"
)
func main() {
// Configure LDAP connection
config := ldap.Config{
Server: "ldaps://ldap.example.com:636",
BaseDN: "dc=example,dc=com",
IsActiveDirectory: true, // Set to false for generic LDAP
}
// Create client with service account credentials
client, err := ldap.New(config, "cn=admin,dc=example,dc=com", "password")
if err != nil {
log.Fatal(err)
}
// Authenticate a user
user, err := client.CheckPasswordForSAMAccountName("username", "password")
if err != nil {
log.Printf("Authentication failed: %v", err)
return
}
fmt.Printf("Welcome, %s!\n", user.CN())
}Comprehensive examples are available in the examples directory:
- Basic Usage - Finding users, groups, and computers
- Authentication - User authentication and password changes
- User Management - Creating, updating, and managing users
Config- LDAP server configurationLDAP- Main client for LDAP operationsUser- Represents an LDAP user with common attributesGroup- Represents an LDAP group with member informationComputer- Represents a computer object (Active Directory)
// Client creation
client, err := ldap.New(config, username, password)
// User authentication
user, err := client.CheckPasswordForSAMAccountName("jdoe", "password")
// Find users
user, err := client.FindUserBySAMAccountName("jdoe")
users, err := client.FindUsers()
// User management
err := client.CreateUser(fullUser, "ou=Users,dc=example,dc=com")
err := client.DeleteUser("cn=John Doe,ou=Users,dc=example,dc=com")
// Group operations
group, err := client.FindGroupByDN("cn=Admins,dc=example,dc=com")
err := client.AddUserToGroup(userDN, groupDN)See the Go Reference for complete API documentation.
config := ldap.Config{
Server: "ldap://ldap.example.com:389",
BaseDN: "dc=example,dc=com",
IsActiveDirectory: false,
}config := ldap.Config{
Server: "ldaps://ad.example.com:636", // LDAPS recommended
BaseDN: "dc=example,dc=com",
IsActiveDirectory: true, // Enables AD-specific features
}- β Use LDAPS (TLS encryption) in production environments
- β Use service accounts with minimal required permissions
- β Store credentials securely using environment variables or key management
- β Validate certificates in production deployments
β οΈ Password changes require LDAPS when using Active Directory
The library provides specific error types for common scenarios:
// Check for specific errors
_, err := client.FindUserBySAMAccountName("username")
if err == ldap.ErrUserNotFound {
// Handle user not found
} else if err != nil {
// Handle other errors
}Available error types:
ErrUserNotFound- User lookup failedErrGroupNotFound- Group lookup failedErrComputerNotFound- Computer lookup failedErrSAMAccountNameDuplicated- Account name already existsErrMailDuplicated- Email address already existsErrActiveDirectoryMustBeLDAPS- LDAPS required for AD operations
- Go 1.23.0 or later
- Access to an LDAP server (OpenLDAP, Active Directory, etc.)
- Appropriate credentials and permissions for desired operations
Tests require a live LDAP server. Set the following environment variables:
export LDAP_SERVER="ldaps://your-server:636"
export LDAP_BASE_DN="dc=example,dc=com"
export LDAP_READ_USER="cn=service,dc=example,dc=com"
export LDAP_READ_PASSWORD="password"Then run tests:
go test -v ./...This package is licensed under the MIT License. See the included LICENSE file for details.
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch
- Follow Conventional Commits for commit messages
- Use
gofmtfor code formatting - Add tests for new functionality
- Submit a pull request
- go-ldap/ldap - The underlying LDAP library
- netresearch/raybeam - Original project this was extracted from