​

Namespace: ldap

​

Table of contents

​

Classes

• Client

​

Interfaces

• ADObject
• Config
• Entry
• EntryAttribute
• Metadata
• SearchResult

​

Variables

• FilterAccountDisabled
• FilterAccountEnabled
• FilterCanSendEncryptedPassword
• FilterDontExpirePassword
• FilterDontRequirePreauth
• FilterHasServicePrincipalName
• FilterHomedirRequired
• FilterInterdomainTrustAccount
• FilterIsAdmin
• FilterIsComputer
• FilterIsDuplicateAccount
• FilterIsGroup
• FilterIsNormalAccount
• FilterIsPerson
• FilterLockout
• FilterLogonScript
• FilterMnsLogonAccount
• FilterNotDelegated
• FilterPartialSecretsAccount
• FilterPasswordCantChange
• FilterPasswordExpired
• FilterPasswordNotRequired
• FilterServerTrustAccount
• FilterSmartCardRequired
• FilterTrustedForDelegation
• FilterTrustedToAuthForDelegation
• FilterUseDesKeyOnly
• FilterWorkstationTrustAccount

​

Functions

• DecodeADTimestamp
• DecodeSID
• DecodeZuluTimestamp
• JoinFilters
• NegativeFilter

​

Variables

​

FilterAccountDisabled

• Const FilterAccountDisabled: "(userAccountControl:1.2.840.113556.1.4.803:=2)"

The user account is disabled.

​

Defined in

ldap.ts:4

​

FilterAccountEnabled

• Const FilterAccountEnabled: "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"

The user account is enabled.

​

Defined in

ldap.ts:7

​

FilterCanSendEncryptedPassword

• Const FilterCanSendEncryptedPassword: "(userAccountControl:1.2.840.113556.1.4.803:=128)"

The user can send an encrypted password.

​

Defined in

ldap.ts:10

​

FilterDontExpirePassword

• Const FilterDontExpirePassword: "(userAccountControl:1.2.840.113556.1.4.803:=65536)"

Represents the password, which should never expire on the account.

​

Defined in

ldap.ts:13

​

FilterDontRequirePreauth

• Const FilterDontRequirePreauth: "(userAccountControl:1.2.840.113556.1.4.803:=4194304)"

This account doesn’t require Kerberos pre-authentication for logging on.

​

Defined in

ldap.ts:16

​

FilterHasServicePrincipalName

• Const FilterHasServicePrincipalName: "(servicePrincipalName=*)"

The object has a service principal name.

​

Defined in

ldap.ts:19

​

FilterHomedirRequired

• Const FilterHomedirRequired: "(userAccountControl:1.2.840.113556.1.4.803:=8)"

The home folder is required.

​

Defined in

ldap.ts:22

​

FilterInterdomainTrustAccount

• Const FilterInterdomainTrustAccount: "(userAccountControl:1.2.840.113556.1.4.803:=2048)"

It’s a permit to trust an account for a system domain that trusts other domains.

​

Defined in

ldap.ts:25

​

FilterIsAdmin

• Const FilterIsAdmin: "(adminCount=1)"

The object is an admin.

​

Defined in

ldap.ts:28

​

FilterIsComputer

• Const FilterIsComputer: "(objectCategory=computer)"

The object is a computer.

​

Defined in

ldap.ts:31

​

FilterIsDuplicateAccount

• Const FilterIsDuplicateAccount: "(userAccountControl:1.2.840.113556.1.4.803:=256)"

It’s an account for users whose primary account is in another domain.

​

Defined in

ldap.ts:34

​

FilterIsGroup

• Const FilterIsGroup: "(objectCategory=group)"

The object is a group.

​

Defined in

ldap.ts:37

​

FilterIsNormalAccount

• Const FilterIsNormalAccount: "(userAccountControl:1.2.840.113556.1.4.803:=512)"

It’s a default account type that represents a typical user.

​

Defined in

ldap.ts:40

​

FilterIsPerson

• Const FilterIsPerson: "(objectCategory=person)"

The object is a person.

​

Defined in

ldap.ts:43

​

FilterLockout

• Const FilterLockout: "(userAccountControl:1.2.840.113556.1.4.803:=16)"

The user is locked out.

​

Defined in

ldap.ts:46

​

FilterLogonScript

• Const FilterLogonScript: "(userAccountControl:1.2.840.113556.1.4.803:=1)"

The logon script will be run.

​

Defined in

ldap.ts:49

​

FilterMnsLogonAccount

• Const FilterMnsLogonAccount: "(userAccountControl:1.2.840.113556.1.4.803:=131072)"

It’s an MNS logon account.

​

Defined in

ldap.ts:52

​

FilterNotDelegated

• Const FilterNotDelegated: "(userAccountControl:1.2.840.113556.1.4.803:=1048576)"

When this flag is set, the security context of the user isn’t delegated to a service even if the service account is set as trusted for Kerberos delegation.

​

Defined in

ldap.ts:55

​

FilterPartialSecretsAccount

• Const FilterPartialSecretsAccount: "(userAccountControl:1.2.840.113556.1.4.803:=67108864)"

The account is a read-only domain controller (RODC).

​

Defined in

ldap.ts:58

​

FilterPasswordCantChange

• Const FilterPasswordCantChange: "(userAccountControl:1.2.840.113556.1.4.803:=64)"

The user can’t change the password.

​

Defined in

ldap.ts:61

​

FilterPasswordExpired

• Const FilterPasswordExpired: "(userAccountControl:1.2.840.113556.1.4.803:=8388608)"

The user’s password has expired.

​

Defined in

ldap.ts:64

​

FilterPasswordNotRequired

• Const FilterPasswordNotRequired: "(userAccountControl:1.2.840.113556.1.4.803:=32)"

No password is required.

​

Defined in

ldap.ts:67

​

FilterServerTrustAccount

• Const FilterServerTrustAccount: "(userAccountControl:1.2.840.113556.1.4.803:=8192)"

It’s a computer account for a domain controller that is a member of this domain.

​

Defined in

ldap.ts:70

​

FilterSmartCardRequired

• Const FilterSmartCardRequired: "(userAccountControl:1.2.840.113556.1.4.803:=262144)"

When this flag is set, it forces the user to log on by using a smart card.

​

Defined in

ldap.ts:73

​

FilterTrustedForDelegation

• Const FilterTrustedForDelegation: "(userAccountControl:1.2.840.113556.1.4.803:=524288)"

When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation.

​

Defined in

ldap.ts:76

​

FilterTrustedToAuthForDelegation

• Const FilterTrustedToAuthForDelegation: "(userAccountControl:1.2.840.113556.1.4.803:=16777216)"

The account is enabled for delegation.

​

Defined in

ldap.ts:79

​

FilterUseDesKeyOnly

• Const FilterUseDesKeyOnly: "(userAccountControl:1.2.840.113556.1.4.803:=2097152)"

Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.

​

Defined in

ldap.ts:82

​

FilterWorkstationTrustAccount

• Const FilterWorkstationTrustAccount: "(userAccountControl:1.2.840.113556.1.4.803:=4096)"

It’s a computer account for a computer that is running old Windows builds.

​

Defined in

ldap.ts:85

​

Functions

​

DecodeADTimestamp

▸ DecodeADTimestamp(timestamp): string

DecodeADTimestamp decodes an Active Directory timestamp

​

Parameters

​

Returns

string

Example

const ldap = require('nuclei/ldap');
const timestamp = ldap.DecodeADTimestamp('132036744000000000');
log(timestamp);

​

Defined in

ldap.ts:96

​

DecodeSID

▸ DecodeSID(s): string

DecodeSID decodes a SID string

​

Parameters

​

Returns

string

Example

const ldap = require('nuclei/ldap');
const sid = ldap.DecodeSID('S-1-5-21-3623811015-3361044348-30300820-1013');
log(sid);

​

Defined in

ldap.ts:111

​

DecodeZuluTimestamp

▸ DecodeZuluTimestamp(timestamp): string

DecodeZuluTimestamp decodes a Zulu timestamp

​

Parameters

​

Returns

string

Example

const ldap = require('nuclei/ldap');
const timestamp = ldap.DecodeZuluTimestamp('2021-08-25T10:00:00Z');
log(timestamp);

​

Defined in

ldap.ts:126

​

JoinFilters

▸ JoinFilters(filters): string

JoinFilters joins multiple filters into a single filter

​

Parameters

​

Returns

string

Example

const ldap = require('nuclei/ldap');
const filter = ldap.JoinFilters(ldap.FilterIsPerson, ldap.FilterAccountEnabled);

​

Defined in

ldap.ts:140

​

NegativeFilter

▸ NegativeFilter(filter): string

NegativeFilter returns a negative filter for a given filter

​

Parameters

​

Returns

string

Example

const ldap = require('nuclei/ldap');
const filter = ldap.NegativeFilter(ldap.FilterIsPerson);

​

Defined in

ldap.ts:154