Add LDAP authentication support to LdapOperations#55

Open
thegreatmhn wants to merge 6 commits into GhostPack:main from thegreatmhn:main

@thegreatmhn

Description

Right now LdapOperations can only talk to LDAP as whoever is currently logged in — there's no way to pass in a different username/password. This PR adds that.

What changed:

Added a small private helper, GetDirectoryEntry(), that builds the DirectoryEntry and applies the username/password if they were given.
Swapped all the methods (GetPKIObjects, GetEnterpriseCAs, GetCertificateTemplates, etc.) to use this helper instead of creating DirectoryEntry objects on their own.

Why:

Sometimes you need to run this as a specific account instead of the current user (e.g. from a non-domain-joined box, or with a service account). There was no clean way to do that before.

Does this break anything?

Nope — if you don't pass a username/password, it works exactly like before (current user auth). If you do pass them, they're now actually used everywhere instead of just in the constructor.

Tested:

Ran it with --username/--password and confirmed the bind works.
Ran it with no credentials and confirmed it still works as current user.

@bytewreck

Collaborator

Looks good, but it looks like you only added it to Enumerate Templates and Enumerate PKI objects (and omitted the masked password input querying on the latter). What about Enumerate CAs? :)
