yamldap
A lightweight LDAP server that serves directory data from YAML files
A lightweight LDAP server that serves directory data from YAML files, designed for local development and testing.
Features
- 🚀 Quick Setup - Define your LDAP directory in a simple YAML file
- 🔐 Authentication - Support for multiple password formats (plain, SHA, SSHA, bcrypt)
- 🔍 LDAP Operations - Bind, search, compare, abandon, and extended operations
- 🛠️ Development Friendly - Perfect for testing LDAP integrations locally
- 🐳 Docker Support - Run in containers with provided Dockerfile
- ⚡ Lightweight - Minimal resource usage, fast startup
- 🎯 Advanced Filters - Full LDAP filter support including approximate and extensible match
Installation
From Crates.io
From Binary Releases
Download pre-built binaries from the GitHub Releases page for:
- Linux (x86_64, aarch64)
- macOS (x86_64, aarch64)
- Windows (x86_64)
From Source
Using Docker
Pull from GitHub Container Registry:
# Pull the latest version (multi-platform: linux/amd64, linux/arm64)
# Or pull a specific version
# Run with your YAML directory file
Or build locally:
Using Docker Compose
Using pre-built images from registry:
Or build and run locally:
Quick Start
- Create a YAML file defining your directory:
directory:
base_dn: "dc=example,dc=com"
entries:
- dn: "dc=example,dc=com"
objectClass:
dc: "example"
- dn: "ou=users,dc=example,dc=com"
objectClass:
ou: "users"
- dn: "uid=john,ou=users,dc=example,dc=com"
objectClass:
uid: "john"
cn: "John Doe"
sn: "Doe"
mail: "john@example.com"
userPassword: "secret123"
- Start the server:
# On a non-privileged port
# Or with Docker from registry
# Or with anonymous bind enabled
- Test with LDAP tools:
# Search all entries
# Authenticate and search
Command Line Options
yamldap [OPTIONS]
Options:
-f, --file <FILE> Path to YAML directory file
-p, --port <PORT> Port to listen on [default: 389]
--bind-address <ADDR> Address to bind to [default: 0.0.0.0]
--allow-anonymous Allow anonymous bind operations
-v, --verbose Enable verbose logging
--log-level <LEVEL> Set log level: debug, info, warn, error [default: info]
-h, --help Print help
YAML Directory Format
Basic Structure
directory:
base_dn: "dc=example,dc=com" # Required: Base DN for the directory
entries: # List of directory entries
- dn: "..." # Distinguished Name
objectClass: # Object classes
attribute: value # Attributes and values
Password Formats
# Plain text (for testing only!)
userPassword: "plaintext"
# SHA hash
userPassword: "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="
# Salted SHA
userPassword: "{SSHA}DkMTwBl+a/3DfY+MTDTrcd5kMT8dpDkE"
# Bcrypt
userPassword: "$2b$10$..."
Complete Example
See examples/sample_directory.yaml for a full example with users, groups, and organizational units.
LDAP Filter Support
yamldap supports comprehensive LDAP filter syntax including:
Basic Filters
- Equality:
(uid=john) - Presence:
(mail=*) - Substring:
(cn=*smith*),(cn=john*),(cn=*doe) - Greater/Less:
(age>=18),(created<=20240101)
Boolean Operators
- AND:
(&(objectClass=person)(uid=admin)) - OR:
(|(uid=john)(uid=jane)) - NOT:
(!(uid=guest))
Advanced Filters
- Approximate Match:
(cn~=john)- Fuzzy matching - Extensible Match:
- Simple:
(cn:=John Doe) - With matching rule:
(cn:caseExactMatch:=John Doe) - DN components:
(:dn:=users)- Matches entries with "users" in their DN - Combined:
(cn:dn:caseIgnoreMatch:=admin)
- Simple:
Escape Sequences
Special characters can be escaped in filter values:
\28for(\29for)\2afor*\5cfor\\00for NULL
Testing Scripts
Python Test Script
Shell Test Script
Integration Examples
Python
=
=
Django with django-auth-ldap
# settings.py
=
=
=
=
=
=
Node.js
const ldap = require;
const client = ldap.;
client.;
Java/Spring
public LdapContextSource
Development
Running Tests
# Run all tests
# Run with coverage report
# Check test coverage percentage
# Run benchmarks
Building
# Build release version
# Build Docker image (3.99MB scratch image)
Code Quality
# Format code
# Run linter
# Run all CI checks
Testing & Coverage
The project includes comprehensive unit tests with near 100% code coverage:
- 250+ unit and integration tests covering all major components
- Complete error path and edge case coverage
- Concurrent operation and thread safety tests
- Integration tests for full server lifecycle
- Performance benchmarks with Criterion
- Test coverage reporting via cargo-tarpaulin
Run make help to see all available Make targets.
Fuzz Testing
yamldap includes fuzz testing to ensure robustness against malformed input:
# Install cargo-fuzz
# Run fuzz tests (requires nightly Rust)
See fuzz/README.md for detailed fuzzing instructions.
Limitations
- Read-only operations (no add/modify/delete support yet)
- Basic LDAP v3 protocol support
- No referral or alias support
- No built-in TLS/SSL support (see below)
TLS/SSL Support
yamldap intentionally does not include built-in TLS support to maintain its core value: simplicity. For local development and testing, TLS is rarely needed. When TLS is required, you can easily add it using a reverse proxy:
Using stunnel
# stunnel.conf
Using nginx
stream {
server {
listen 636 ssl;
proxy_pass localhost:389;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
}
}
This approach keeps yamldap simple while allowing TLS when needed for production-like testing.
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
License
This project is dual-licensed under MIT OR Apache-2.0