LDAP / Active Directory
Discover LDAP directory objects - users, groups, and organizational units.
The LDAP molecule automatically syncs directory data into your SixDegree ontology, providing visibility into organizational structure, users, and group memberships.
- SixDegree Platform installed
- Access to LDAP/Active Directory server
- LDAP bind credentials with read access
discovery:
  enabled: true
  settings:
    # LDAP server connection
    server_url: "ldaps://ldap.company.com:636"
    # Base DN for searches
    base_dn: "dc=company,dc=com"
    # Bind credentials
    bind_dn: "cn=service-account,ou=users,dc=company,dc=com"
    bind_password: "your_bind_password"
    # Optional: Search filter
    search_filter: "(objectClass=*)"
    # Optional: Attributes to retrieve
    attributes:
      - cn
      - mail
      - memberOf
      - manager
      - department
      - title
      - telephoneNumber
    # Optional: TLS settings
    insecure_skip_verify: false
    # Optional: Connection timeout (seconds)
    timeout: 30
mcp:
  enabled: true
  settings:
    server_url: "ldaps://ldap.company.com:636"
    bind_dn: "cn=service-account,ou=users,dc=company,dc=com"
    bind_password: "your_bind_password"
    base_dn: "dc=company,dc=com"
    namespace: "production"
The LDAP molecule discovers:
- entities.sixdegree.ai/v1/LdapUser - LDAP user accounts
- entities.sixdegree.ai/v1/LdapGroup - LDAP groups
- entities.sixdegree.ai/v1/LdapOrgUnit - Organizational units
Each LdapUser entity includes:
- Common Name (cn): User's full name
- Email (mail): Primary email address
- Department: Department name
- Title: Job title
- Manager: Reference to manager user
- Phone: Telephone number
Relationships between the discovered entities:
- MEMBER_OF - User is member of Group
- REPORTS_TO - User reports to Manager (another User)
- BELONGS_TO - User/Group belongs to Organizational Unit
- OWNED_BY - Group owned by User
- MANAGED_BY - Group managed by User
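How the relationships above can be derived from raw LDAP attributes, as an added example in Go (the molecule is built with go build) that is not the molecule's own code: the DN parser, the ldapEntry record and the function names are illustrative, and the sample entries are constructed. MEMBER_OF comes from each memberOf value, REPORTS_TO from the manager attribute, and BELONGS_TO from the OU in the entry's own DN. The parser honours a backslash-escaped comma inside a CN (common for "Last, First" names), and the test data covers the edge case of Active Directory's default Users container, which is a CN container rather than an OU, so no BELONGS_TO edge is produced for it.

```go
package main

import (
	"fmt"
	"strings"
)

// rdn is one relative distinguished name component. Value is unescaped;
// Raw keeps the original text so a DN suffix can be re-joined without re-escaping.
type rdn struct{ Type, Value, Raw string }

// parseDN splits a DN into its RDNs from leaf to root, honouring backslash
// escapes so `CN=Smith\, John,OU=Users,DC=corp` keeps the comma inside the CN.
// Multi-valued RDNs (a+b) and \XX hex escapes are not handled here.
func parseDN(dn string) []rdn {
	var out []rdn
	var val, raw strings.Builder
	flush := func() {
		if t, v, ok := strings.Cut(val.String(), "="); ok {
			out = append(out, rdn{strings.TrimSpace(t), strings.TrimSpace(v), strings.TrimSpace(raw.String())})
		}
		val.Reset()
		raw.Reset()
	}
	for i := 0; i < len(dn); i++ {
		switch c := dn[i]; {
		case c == '\\' && i+1 < len(dn): // escaped character: keep it, do not split here
			raw.WriteByte(c)
			raw.WriteByte(dn[i+1])
			val.WriteByte(dn[i+1])
			i++
		case c == ',':
			flush()
		default:
			raw.WriteByte(c)
			val.WriteByte(c)
		}
	}
	flush()
	return out
}

// parentOU returns the DN of the nearest organizational unit containing the
// entry, or "" when none of the parent RDNs is an OU (e.g. CN=Users in AD).
func parentOU(dn string) string {
	parts := parseDN(dn)
	for i := 1; i < len(parts); i++ {
		if strings.EqualFold(parts[i].Type, "ou") {
			raws := make([]string, 0, len(parts)-i)
			for _, p := range parts[i:] {
				raws = append(raws, p.Raw)
			}
			return strings.Join(raws, ",")
		}
	}
	return ""
}

// ldapEntry is the subset of a search result the mapping needs
// (an illustrative record type, not the molecule's own).
type ldapEntry struct {
	DN       string
	MemberOf []string
	Manager  string
}

type relation struct{ Kind, From, To string }

// userRelationships derives the ontology edges for one LdapUser entry.
func userRelationships(e ldapEntry) []relation {
	var rels []relation
	for _, g := range e.MemberOf {
		rels = append(rels, relation{"MEMBER_OF", e.DN, g})
	}
	if e.Manager != "" {
		rels = append(rels, relation{"REPORTS_TO", e.DN, e.Manager})
	}
	if ou := parentOU(e.DN); ou != "" {
		rels = append(rels, relation{"BELONGS_TO", e.DN, ou})
	}
	return rels
}

func main() {
	// Constructed sample entry with an escaped comma in the CN.
	user := ldapEntry{
		DN:       `CN=Smith\, John,OU=Engineering,OU=Users,DC=company,DC=com`,
		MemberOf: []string{"CN=DevOps-Team,OU=Groups,DC=company,DC=com", "CN=VPN-Access,OU=Groups,DC=company,DC=com"},
		Manager:  "CN=Jane Doe,OU=Engineering,OU=Users,DC=company,DC=com",
	}
	for _, r := range userRelationships(user) {
		fmt.Printf("%-10s %s -> %s\n", r.Kind, r.From, r.To)
	}
}
```

Group-side edges (OWNED_BY, MANAGED_BY) follow the same pattern from a group entry's owner-style attributes; which attribute carries them depends on the directory schema.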
AI agents can use these LDAP directory tools:
ldap_search_users: Search for users in the directory.
Parameters:
- query (string, required) - Search query (cn, mail, or department)
- attributes (array, optional) - Attributes to return
Example:
User: "Find users in the engineering department"
AI: [Calls ldap_search_users]
"Found 24 users in engineering:
• John Smith (john.smith@company.com) - Senior Engineer
• Jane Doe (jane.doe@company.com) - Engineering Manager
• ..."
ldap_get_user: Get detailed information about a user.
Parameters:
- username (string, required) - Username or DN
- attributes (array, optional) - Attributes to return
Example:
User: "Who is john.smith's manager?"
AI: [Calls ldap_get_user]
"John Smith reports to Jane Doe (Engineering Manager)
Department: Engineering
Title: Senior Engineer
Email: john.smith@company.com"
ldap_list_groups: List all groups in the directory.
Parameters:
- filter (string, optional) - Filter by group name
Example:
User: "What LDAP groups exist?"
AI: [Calls ldap_list_groups]
"Found 45 groups:
• Engineering-Team
• Product-Team
• DevOps-Team
• Admin-Users
• VPN-Access"
ldap_get_group_members: Get members of a group.
Parameters:
- group (string, required) - Group name or DN
Example:
User: "Who is in the DevOps-Team group?"
AI: [Calls ldap_get_group_members]
"DevOps-Team has 8 members:
• alice.jones@company.com
• bob.wilson@company.com
• charlie.brown@company.com"
ldap_get_user_groups: Get groups a user belongs to.
Parameters:
- username (string, required) - Username or DN
Example:
User: "What groups is john.smith in?"
AI: [Calls ldap_get_user_groups]
"john.smith is in 5 groups:
• Engineering-Team
• VPN-Access
• GitHub-Users
• Jira-Developers
• Office-Access"
Run discovery:
degree discovery run ldap@1.0.0 --config ldap-config.yaml
Dry run:
degree discovery run ldap@1.0.0 --config ldap-config.yaml --dry-run
Run with debug logging (shows the LDAP queries issued):
LDAP_LOG_LEVEL=debug degree discovery run ldap@1.0.0 --config ldap-config.yaml
Once configured, AI agents can query the directory:
You: "Who works in the product team?"
AI: [Uses ldap_search_users]
"Product team has 12 members, managed by Sarah Johnson"
You: "What access does john.smith have?"
AI: [Uses ldap_get_user_groups]
"john.smith has access to:
• VPN-Access
• GitHub-Users
• Engineering-Team
• AWS-Production"
Build from source:
cd ldap
go build -o ../bin/ldap
cd ..
make dev
Plain LDAP on port 389 sends the simple-bind password and every directory record over the network unencrypted:
server_url: "ldap://ldap.company.com:389"
Not recommended for production.
LDAPS on port 636 encrypts the connection and, with certificate verification enabled, authenticates the server:
server_url: "ldaps://ldap.company.com:636"
insecure_skip_verify: false
Recommended for production.
For Active Directory servers:
discovery:
  settings:
    server_url: "ldaps://ad.company.com:636"
    base_dn: "dc=company,dc=com"
    bind_dn: "CN=Service Account,OU=Service Accounts,DC=company,DC=com"
    bind_password: "password"
    # Active Directory specific attributes
    attributes:
      - cn
      - mail
      - memberOf
      - manager
      - department
      - title
      - sAMAccountName # Windows username
      - userPrincipalName # UPN
      - distinguishedName
Customize discovery with LDAP search filters:
All person objects:
search_filter: "(objectClass=person)"
Active Directory, enabled accounts only (the matching rule 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND; bit 2 of userAccountControl is ACCOUNTDISABLE, so the negated clause drops disabled accounts):
search_filter: "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
People with an ou attribute of Engineering. This only matches entries that carry an ou attribute (organizationalPerson allows one; Active Directory user objects normally do not have it). An entry's containing OU is part of its DN, not an attribute, so to restrict discovery to one OU set base_dn to that OU (for example "ou=Engineering,dc=company,dc=com") instead of filtering on ou:
search_filter: "(&(objectClass=person)(ou=Engineering))"
Only users that have a mail attribute:
search_filter: "(&(objectClass=person)(mail=*))"
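The query parameter of ldap_search_users and the search filters above both end up inside an LDAP filter string. Because the MCP tools receive that query from an AI agent, an unescaped value such as *)(objectClass=* would turn a single-user lookup into a directory-wide search (LDAP filter injection). The following added Go example, not the molecule's own code, shows the RFC 4515 escaping such a tool needs and builders for the filters discussed on this page; the function names and the cn/mail/department matching shape are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue encodes an assertion value per RFC 4515 section 3:
// '*', '(', ')', '\' and NUL must be written as a backslash plus two hex
// digits. Non-ASCII bytes are hex-escaped too, as common LDAP libraries do.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		if c == '*' || c == '(' || c == ')' || c == '\\' || c == 0 || c >= 0x80 {
			fmt.Fprintf(&b, "\\%02x", c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// userSearchFilter builds the kind of filter an ldap_search_users call would
// issue: one caller-supplied term matched against cn, mail and department
// (assumed shape). Only the code adds a wildcard (prefix match); a '*' typed
// by the caller is escaped, so "*)(objectClass=*" cannot widen the search.
func userSearchFilter(query string, prefix bool) string {
	q := escapeFilterValue(query)
	if prefix {
		q += "*"
	}
	return fmt.Sprintf("(&(objectClass=person)(|(cn=%s)(mail=%s)(department=%s)))", q, q, q)
}

// enabledADUsersFilter ANDs an optional extra clause with the Active Directory
// "account is enabled" test from the page: userAccountControl bit 2
// (ACCOUNTDISABLE) must be clear, tested with the LDAP_MATCHING_RULE_BIT_AND
// extensible match (OID 1.2.840.113556.1.4.803).
func enabledADUsersFilter(extra string) string {
	base := "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
	if extra == "" {
		return base
	}
	return "(&" + base + extra + ")"
}

func main() {
	fmt.Println(userSearchFilter("Engineering", false))
	fmt.Println(userSearchFilter("john", true))
	fmt.Println(userSearchFilter("*)(objectClass=*", false)) // injection attempt, neutralised
	fmt.Println(enabledADUsersFilter("(department=Engineering)"))
}
```

Escape at the point where the value enters the filter, not at the MCP boundary: the same rule applies to the group parameter of ldap_get_group_members and the username parameter of ldap_get_user when those are matched by name rather than used as a DN.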
The bind account needs:
- Read access to users, groups, and organizational units
- No write access required
- Search permissions on base DN and subtrees
Recommended: Create a dedicated service account with read-only permissions.
- Always use LDAPS (TLS encrypted) in production
- Store bind passwords as secrets rather than as plaintext in a committed configuration file
- Use dedicated service accounts with minimal permissions
- Enable certificate verification (insecure_skip_verify: false)
- Scope base_dn and search_filter to what agents need: the MCP tools return whatever the bind account can read, including group memberships that reveal who holds privileged access
- Regularly rotate service account passwords
- Audit service account access logs
Connection refused:
- Verify LDAP server URL and port (389 for LDAP, 636 for LDAPS)
- Check firewall allows connections
- Ensure LDAP server is running
Authentication failed:
- Verify bind DN format is correct
- Check bind password is correct
- Ensure service account is not locked/disabled
No results returned:
- Verify base DN is correct
- Check search filter syntax
- Ensure bind account has read permissions
- Enable debug logging to see LDAP queries
TLS certificate errors:
- Add the CA certificate that issued the LDAP server's certificate to the system trust store, and make sure the host in server_url matches a name on that certificate
- Or set insecure_skip_verify: true (not recommended: it disables server authentication, so an attacker on the network path can present any certificate and capture the bind credentials)
Timeout errors:
- Increase timeout value
- Check network connectivity
- Verify LDAP server performance
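The right fix for the TLS certificate errors above, and the setting the production guidance earlier on this page calls for, is to trust the directory's CA explicitly rather than setting insecure_skip_verify: true. The following added Go example, not the molecule's own code, builds the client tls.Config with an explicit root pool and checks a server certificate against it the way the handshake would, including the hostname check against server_url's host. The CA and server certificate are generated in-process as constructed test data so the block runs offline; the function names are illustrative.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// trustedClientConfig builds the TLS settings for an LDAPS connection that
// trusts a private CA explicitly. caPEM is the CA certificate (what "add the
// CA certificate to the trust store" supplies); serverName is the host from
// server_url and must appear in the server certificate's SANs.
func trustedClientConfig(caPEM []byte, serverName string) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CA certificate found in PEM input")
	}
	return &tls.Config{
		ServerName:         serverName,
		RootCAs:            pool,
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: false, // the insecure_skip_verify: true escape hatch stays off
	}, nil
}

// verifyServerCert performs the check the handshake would with cfg: the
// server certificate must chain to cfg.RootCAs and carry cfg.ServerName.
func verifyServerCert(cfg *tls.Config, leafPEM []byte) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return errors.New("no certificate in PEM input")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: cfg.ServerName})
	return err
}

// makeTestPKI generates a throwaway CA and a server certificate for host so
// the example runs offline. Constructed test data, not a real directory CA.
func makeTestPKI(host string) (caPEM, leafPEM []byte, err error) {
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, nil, errors.New("key generation failed")
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the hostname check matches against SANs
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	leafPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	return caPEM, leafPEM, nil
}

func main() {
	caPEM, leafPEM, _ := makeTestPKI("ldap.company.com")
	cfg, _ := trustedClientConfig(caPEM, "ldap.company.com")
	fmt.Println("trusted CA, matching host:", verifyServerCert(cfg, leafPEM)) // <nil> on success
	other, _ := trustedClientConfig(caPEM, "ad.company.com")
	fmt.Println("trusted CA, wrong host:", verifyServerCert(other, leafPEM)) // hostname mismatch error
}
```

A pool built from the CA file is the per-connection equivalent of adding the certificate to the system trust store; either way the bind password only leaves the client after the server has proven it holds a key the CA vouched for.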
MIT - See LICENSE file in molecules directory