{"Name":"activedirectory","ID":"go.mondoo.com/mql/v13/providers/activedirectory","Version":"13.0.3","ConnectionTypes":["activedirectory"],"CrossProviderTypes":null,"Connectors":[{"Name":"activedirectory","Use":"activedirectory","Short":"an Active Directory domain","Long":"Use the activedirectory provider to query Active Directory Domain Services via LDAP.\n\n\tExamples:\n  cnspec shell activedirectory --dc dc01.corp.local --user admin@corp.local --password \u003cPASSWORD\u003e\n  cnspec scan activedirectory --dc dc01.corp.local --user admin@corp.local --password \u003cPASSWORD\u003e\n  cnspec shell activedirectory --dc dc01.corp.local --kerberos --user admin@CORP.LOCAL --password \u003cPASSWORD\u003e\n  cnspec shell activedirectory --dc dc01.corp.local --kerberos --keytab /etc/krb5.keytab --user admin@CORP.LOCAL\n  cnspec shell activedirectory --dc dc01.corp.local --kerberos\n\n\tNotes:\n  LDAPS (port 636) is the default transport. Use --starttls for LDAP+StartTLS on port 389, or --plain-ldap only for labs that cannot use TLS.\n  Kerberos authentication supports keytabs, credential caches, user/password, and on Windows the current logon session when no explicit credentials are supplied.\n","Flags":[{"Long":"dc","Desc":"Domain controller hostname or IP address","Type":3},{"Long":"user","Desc":"Username (user@domain.com or DOMAIN\\user for simple bind; user@REALM for Kerberos)","Type":3},{"Long":"password","Desc":"Password for LDAP bind or Kerberos AS exchange","Type":3},{"Long":"domain","Desc":"Domain DNS name (auto-detected from RootDSE if omitted)","Type":3},{"Long":"base-dn","Desc":"Base DN for LDAP searches (auto-detected from RootDSE if omitted)","Type":3},{"Long":"ldaps","Desc":"Use LDAPS (TLS, port 636). This is the default transport.","Type":1},{"Long":"plain-ldap","Desc":"Use plaintext LDAP on port 389 (explicit opt-in; credentials are exposed without TLS)","Type":1},{"Long":"starttls","Desc":"Upgrade plain LDAP on port 389 to TLS via StartTLS (mutually exclusive with --ldaps and --plain-ldap)","Type":1},{"Long":"port","Desc":"LDAP port (default: 636 for LDAPS, 389 for StartTLS/plain LDAP)","Type":2},{"Long":"insecure","Desc":"Skip TLS certificate verification","Type":1},{"Long":"kerberos","Desc":"Use Kerberos/GSSAPI authentication instead of simple bind (on Windows, omit explicit credentials to use the current logon session)","Type":1},{"Long":"keytab","Desc":"Path to Kerberos keytab file (requires --kerberos and --user)","Type":3},{"Long":"krb5conf","Desc":"Path to krb5.conf (default: KRB5_CONFIG env or /etc/krb5.conf)","Type":3},{"Long":"ccache","Desc":"Path to Kerberos credential cache file (requires --kerberos)","Type":3},{"Long":"backend","Default":"ldap","Desc":"Backend to use: ldap (default) or rsat (Windows only, not yet implemented)","Type":3}],"Aliases":["ad"]}],"AssetUrlTrees":[{"path_segments":["technology=directory-service","provider=activedirectory"]}]}