A comprehensive Python-based Model Context Protocol (MCP) server for managing Active Directory environments through LDAP. This project provides powerful tools for user management, group operations, computer account management, organizational unit administration, and security auditing.
- Create, modify, and delete user accounts
- Password management and reset functionality
- Enable/disable user accounts
- Group membership analysis
- User permission auditing
- Create and manage security and distribution groups
- Group scope management (Global, DomainLocal, Universal)
- Member addition and removal
- Nested group analysis
- Group membership reporting
- Create and manage computer objects
- Computer account lifecycle management
- Stale computer detection
- Computer group memberships
- Service Principal Name management
- Create, modify, and delete OUs
- OU hierarchy management
- Move objects between OUs
- OU content analysis
- Group Policy link information
- Domain security policy analysis
- Privileged group monitoring
- Inactive user detection
- Password policy compliance checking
- Administrative account auditing
- Permission analysis and reporting
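The nested group analysis and privileged group monitoring listed above both reduce to one walk over AD's `member` attribute. The following is an added example (not code from the ActiveDirectoryMCP project) that resolves the effective members of a privileged group through nested groups, keeping a visited set because AD permits circular nesting, and records for each account the shortest chain of groups that grants the membership. The group graph is constructed sample data, not read from a directory.

```python
"""Effective membership of a privileged group through nested groups.

Added example, not code from the ActiveDirectoryMCP project. It models the AD
``member`` attribute as a dict mapping each group DN to its direct member DNs
(constructed sample data, not read from a directory) and walks the nesting
breadth-first with a visited set, because AD allows circular group nesting.
The result records, for every account, the shortest chain of groups through
which it inherits membership of the privileged group.
"""
from __future__ import annotations

from collections import deque

# Constructed sample: "Helpdesk Leads" is nested in "Tier0 Ops", which is
# nested in "Domain Admins", and "Helpdesk Leads" also contains "Tier0 Ops",
# forming a cycle. "Domain Users" is not reachable from "Domain Admins".
SAMPLE_GROUPS: dict[str, list[str]] = {
    "CN=Domain Admins,CN=Users,DC=example,DC=com": [
        "CN=Administrator,CN=Users,DC=example,DC=com",
        "CN=Tier0 Ops,OU=Groups,DC=example,DC=com",
    ],
    "CN=Tier0 Ops,OU=Groups,DC=example,DC=com": [
        "CN=alice,OU=Users,DC=example,DC=com",
        "CN=Helpdesk Leads,OU=Groups,DC=example,DC=com",
    ],
    "CN=Helpdesk Leads,OU=Groups,DC=example,DC=com": [
        "CN=bob,OU=Users,DC=example,DC=com",
        "CN=Tier0 Ops,OU=Groups,DC=example,DC=com",  # cycle back to Tier0 Ops
    ],
    "CN=Domain Users,CN=Users,DC=example,DC=com": [
        "CN=carol,OU=Users,DC=example,DC=com",
    ],
}


def resolve_effective_members(groups: dict[str, list[str]], group_dn: str) -> dict[str, list[str]]:
    """Return {account_dn: [group_dn, nested_group_dn, ...]} for every non-group
    object reachable from group_dn. The path is the shortest nesting chain."""
    effective: dict[str, list[str]] = {}
    visited = {group_dn}
    queue = deque([(group_dn, [group_dn])])
    while queue:
        current, path = queue.popleft()
        for member in groups.get(current, []):
            if member in groups:
                # Nested group: enqueue it once; the visited set breaks cycles.
                if member not in visited:
                    visited.add(member)
                    queue.append((member, path + [member]))
            else:
                # Breadth-first order reaches an account first along its shortest chain.
                effective.setdefault(member, path)
    return effective


def audit_privileged_groups(groups: dict[str, list[str]], privileged: list[str]) -> dict[str, list[tuple[str, str]]]:
    """For each privileged group, list (account, via) pairs where 'via' is the
    innermost nested group that grants the membership, or 'direct'."""
    report: dict[str, list[tuple[str, str]]] = {}
    for dn in privileged:
        members = resolve_effective_members(groups, dn)
        report[dn] = sorted(
            (account, "direct" if len(path) == 1 else path[-1])
            for account, path in members.items()
        )
    return report


if __name__ == "__main__":
    report = audit_privileged_groups(SAMPLE_GROUPS, ["CN=Domain Admins,CN=Users,DC=example,DC=com"])
    for group, rows in report.items():
        print(group)
        for account, via in rows:
            print(f"  {account}  (via {via})")
```

Two caveats for anyone turning this into a real audit: AD can return transitive membership in a single query with the LDAP_MATCHING_RULE_IN_CHAIN rule (`(memberOf:1.2.840.113556.1.4.1941:=<group DN>)`), which avoids the client-side walk but loses the nesting path; and the `member` attribute never lists primary-group membership (`primaryGroupID`), so an account whose primary group is a privileged group will not appear unless that attribute is checked separately.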
- Stdio Transport: Traditional MCP communication
- HTTP Transport: FastMCP-based HTTP transport on port 8813
- Docker Deployment: Production-ready containerization
- MCP Inspector: Compatible with debugging tools
- 129/129 Tests Passing: 100% test success rate across all modules
- Complete Test Coverage: All 5 tool modules fully tested
- LDAP3 Compatible: Latest library compatibility ensured
- Production Ready: Thoroughly tested and validated
- Enterprise Testing: Unit, Integration, and Performance tests
- Comprehensive Coverage: Config, LDAP, tools, workflows, and performance
- Samba AD Test Environment: Real AD protocols for testing
- Python 3.9 or higher
- UV package manager (recommended) or pip
- Access to Active Directory with appropriate permissions
- LDAP/LDAPS connectivity to domain controllers
- Clone and set up environment:

  ```bash
  # Clone repository
  git clone https://github.com/alpadalar/ActiveDirectoryMCP.git
  cd ActiveDirectoryMCP

  # Create and activate virtual environment
  uv venv
  source .venv/bin/activate        # Linux/macOS
  # OR
  .\.venv\Scripts\Activate.ps1     # Windows
  ```

- Install dependencies:

  ```bash
  # Install with development dependencies
  uv pip install -e ".[dev]"
  ```

- Create configuration:

  ```bash
  # Create config directory and copy template
  mkdir -p ad-config
  cp ad-config/config.example.json ad-config/config.json
  ```

- Configure Active Directory connection:

  ```json
  {
    "active_directory": {
      "server": "ldap://dc.example.com:389",
      "domain": "example.com",
      "base_dn": "DC=example,DC=com",
      "bind_dn": "CN=service-account,OU=Service Accounts,DC=example,DC=com",
      "password": "your-service-account-password"
    },
    "organizational_units": {
      "users_ou": "OU=Users,DC=example,DC=com",
      "groups_ou": "OU=Groups,DC=example,DC=com",
      "computers_ou": "OU=Computers,DC=example,DC=com",
      "service_accounts_ou": "OU=Service Accounts,DC=example,DC=com"
    }
  }
  ```
```bash
# Test configuration
python -c "import active_directory_mcp; print('Installation OK')"

# Run tests
pytest

# Test LDAP connection
AD_MCP_CONFIG="ad-config/ad-config.json" python -m active_directory_mcp.server
```

Deploy to production with existing Active Directory:
```bash
# 1. Configure for your AD environment
cp ad-config/production-config.example.json ad-config/ad-config.json
# Edit ad-config.json with your AD server details

# 2. Deploy ActiveDirectoryMCP
docker compose up -d

# 3. Verify deployment
docker compose ps
docker compose logs activedirectory-mcp
```

Production URL: http://localhost:8813/activedirectory-mcp

Production Features:
- Connects to existing AD infrastructure
- SSL/TLS security
- Resource limits & health checks
- Production logging
For development with included test LDAP server:

```bash
# 1. Start test environment
docker compose -f docker-compose-ad.yml up -d

# 2. Test the setup
python test_ad_environment.py

# 3. Access services
# - ActiveDirectoryMCP: http://localhost:8813/activedirectory-mcp
# - LDAP Admin: http://localhost:8080
```

Test Features:
- Includes OpenLDAP test server
- Pre-configured test data
- Web-based LDAP management
- No external AD required
For testing and development with stdio transport:

```bash
# Start stdio server
./start_server.sh

# Or with custom config
AD_MCP_CONFIG="ad-config/ad-config.json" python -m active_directory_mcp.server
```

For local HTTP transport development:

```bash
# Start HTTP server
./start_http_server.sh

# Or with custom settings
python -m active_directory_mcp.server_http --host 0.0.0.0 --port 8813 --path /activedirectory-mcp
```

```json
{
  "mcpServers": {
    "ActiveDirectoryMCP": {
      "transport": {
        "type": "http",
        "url": "http://localhost:8813/activedirectory-mcp"
      },
      "description": "Active Directory Management with HTTP Transport"
    }
  }
}
```

```json
{
  "mcpServers": {
    "ActiveDirectoryMCP-Local": {
      "transport": {
        "type": "http",
        "url": "http://localhost:8813/activedirectory-mcp"
      },
      "description": "ActiveDirectoryMCP Local Development"
    }
  }
}
```

```json
{
  "mcpServers": {
    "ActiveDirectoryMCP": {
      "command": "/absolute/path/to/ActiveDirectoryMCP/.venv/bin/python",
      "args": ["-m", "active_directory_mcp.server"],
      "cwd": "/absolute/path/to/ActiveDirectoryMCP",
      "env": {
        "PYTHONPATH": "/absolute/path/to/ActiveDirectoryMCP/src",
        "AD_MCP_CONFIG": "/absolute/path/to/ActiveDirectoryMCP/ad-config/ad-config.json"
      },
      "disabled": false
    }
  }
}
```

- `list_users` - List users with filtering and attributes
- `get_user` - Get detailed user information
- `create_user` - Create new user accounts
- `modify_user` - Update user attributes
- `delete_user` - Remove user accounts
- `enable_user` / `disable_user` - Account status management
- `reset_user_password` - Password reset functionality
- `get_user_groups` - Group membership analysis
- `list_groups` - List groups with filtering
- `get_group` - Get detailed group information
- `create_group` - Create security/distribution groups
- `modify_group` - Update group attributes
- `delete_group` - Remove groups
- `add_group_member` / `remove_group_member` - Membership management
- `get_group_members` - Member listing with recursion

- `list_computers` - List computer accounts
- `get_computer` - Get computer details
- `create_computer` - Create computer objects
- `modify_computer` - Update computer attributes
- `delete_computer` - Remove computer accounts
- `enable_computer` / `disable_computer` - Account management
- `reset_computer_password` - Password reset
- `get_stale_computers` - Find inactive computers

- `list_organizational_units` - List OUs with hierarchy
- `get_organizational_unit` - Get OU details
- `create_organizational_unit` - Create new OUs
- `modify_organizational_unit` - Update OU attributes
- `delete_organizational_unit` - Remove OUs
- `move_organizational_unit` - Move OUs
- `get_organizational_unit_contents` - List OU contents

- `get_domain_info` - Domain security settings
- `get_privileged_groups` - Privileged group analysis
- `get_user_permissions` - User permission analysis
- `get_inactive_users` - Inactive user detection
- `get_password_policy_violations` - Policy compliance
- `audit_admin_accounts` - Administrative account audit

- `test_connection` - LDAP connectivity test
- `health` - Server health check
- `get_schema_info` - Tool schema information
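Tools such as `get_stale_computers` and `get_inactive_users` rest on one piece of arithmetic: AD stores `lastLogonTimestamp` and `pwdLastSet` as Windows FILETIME values (100-nanosecond ticks since 1601-01-01 UTC), and bit 0x2 of `userAccountControl` marks a disabled account. The following is an added example, not code from the ActiveDirectoryMCP project, showing that conversion and a stale-account filter over constructed sample entries. One caveat it builds in: `lastLogonTimestamp` is replicated lazily (by default it is only rewritten when the stored value is more than about 14 days old, per `msDS-LogonTimeSyncInterval`), so a staleness threshold below that is meaningless, and accounts that have never logged on are judged by `whenCreated` so freshly provisioned objects are not reported.

```python
"""Stale-account detection from Active Directory timestamp attributes.

Added example, not code from the ActiveDirectoryMCP project; it illustrates the
arithmetic behind tools such as get_stale_computers and get_inactive_users.
AD stores lastLogonTimestamp and pwdLastSet as Windows FILETIME values
(100-nanosecond ticks since 1601-01-01 UTC), and bit 0x2 of
userAccountControl (ACCOUNTDISABLE) marks a disabled account. The entries
below are constructed sample data, not output from a real directory.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_NEVER = 0x7FFFFFFFFFFFFFFF  # sentinel AD uses for "never"
ACCOUNTDISABLE = 0x0002              # userAccountControl flag
WORKSTATION_TRUST_ACCOUNT = 0x1000   # userAccountControl flag for computer objects


def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """Convert a FILETIME integer to an aware UTC datetime; 0 or the sentinel -> None."""
    if filetime <= 0 or filetime >= FILETIME_NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, done in integers to avoid float rounding."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def find_stale_accounts(entries: list[dict], now: datetime, max_age_days: int = 90,
                        include_disabled: bool = False) -> list[dict]:
    """Return accounts whose last logon (or creation date, if they never logged on)
    is older than max_age_days, most idle first. Disabled accounts are skipped
    unless include_disabled is set, since they are usually already handled."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for entry in entries:
        disabled = bool(int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE)
        if disabled and not include_disabled:
            continue
        last_logon = filetime_to_datetime(int(entry.get("lastLogonTimestamp", 0)))
        # Never-logged-on accounts are judged by creation date, so a freshly
        # provisioned machine or user is not reported as stale.
        reference = last_logon or entry["whenCreated"]
        if reference < cutoff:
            stale.append({
                "sAMAccountName": entry["sAMAccountName"],
                "lastLogon": last_logon,
                "idleDays": (now - reference).days,
                "disabled": disabled,
            })
    return sorted(stale, key=lambda row: row["idleDays"], reverse=True)


# Constructed sample directory entries, relative to a fixed "now".
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _logon_days_ago(days: int) -> int:
    return datetime_to_filetime(NOW - timedelta(days=days))


SAMPLE_ENTRIES = [
    {"sAMAccountName": "WS-ALPHA$", "lastLogonTimestamp": _logon_days_ago(3),
     "whenCreated": NOW - timedelta(days=700), "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    {"sAMAccountName": "WS-BETA$", "lastLogonTimestamp": _logon_days_ago(200),
     "whenCreated": NOW - timedelta(days=700), "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    {"sAMAccountName": "WS-GAMMA$", "lastLogonTimestamp": 0,   # never logged on, old object
     "whenCreated": NOW - timedelta(days=400), "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    {"sAMAccountName": "WS-DELTA$", "lastLogonTimestamp": 0,   # never logged on, just created
     "whenCreated": NOW - timedelta(days=5), "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    {"sAMAccountName": "WS-OLD$", "lastLogonTimestamp": _logon_days_ago(300),
     "whenCreated": NOW - timedelta(days=900),
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | ACCOUNTDISABLE},
]


if __name__ == "__main__":
    for row in find_stale_accounts(SAMPLE_ENTRIES, NOW, include_disabled=True):
        print(f"{row['sAMAccountName']:<12} idle {row['idleDays']:>4} days  "
              f"last logon {row['lastLogon']}  disabled={row['disabled']}")
```

With a real ldap3 search the same function applies to the entry attribute values once `lastLogonTimestamp` is read as an integer; `lastLogon` (without "Timestamp") is not replicated between domain controllers and would need to be collected from every DC and the newest value taken.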
Note: ActiveDirectoryMCP provides 42 tools total. Some LLM models may experience issues with this many tools.
- Create a dedicated service account in AD
- Grant minimum required permissions:
  - Read access to domain
  - User/Group/Computer management permissions
  - Password reset permissions (if needed)
```json
{
  "active_directory": {
    "server": "ldaps://dc.example.com:636",
    "use_ssl": true
  },
  "security": {
    "enable_tls": true,
    "validate_certificate": true,
    "ca_cert_file": "/path/to/ca-certificate.pem"
  }
}
```
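The quick-start connection block earlier in this README and the TLS settings just above are the two places where a misconfiguration turns into a credential exposure: a plaintext `ldap://` bind sends the service-account password in the clear, and TLS with `validate_certificate` off accepts any certificate. The following is an added example, not code from the ActiveDirectoryMCP project, that validates a configuration file of the layout shown here before the server is started. It assumes only the keys this README shows (`active_directory`, `organizational_units`, `security`); the three sample configurations at the bottom are constructed, with the "hardened" password an obvious example value.

```python
"""Pre-flight validation for an ActiveDirectoryMCP-style configuration file.

Added example, not code from the project. It assumes the JSON layout shown in
this README ("active_directory", "organizational_units" and "security" keys)
and flags settings a defender would reject before the server ever binds:
plaintext ldap:// with TLS disabled, TLS without certificate validation, a
template placeholder left as the bind password, and DNs that do not sit under
the configured base DN. The configs at the bottom are constructed samples.
"""
from __future__ import annotations

import copy
import json
from urllib.parse import urlsplit

PLACEHOLDER_PASSWORDS = {"", "your-service-account-password", "changeme", "password"}


def dn_parts(dn: str) -> list[str]:
    """Split a DN into normalised RDNs ("ou=users", "dc=example", ...)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def dn_is_under(child: str, parent: str) -> bool:
    """True when child is a strict descendant of parent (case-insensitive)."""
    c, p = dn_parts(child), dn_parts(parent)
    return len(c) > len(p) and c[-len(p):] == p


def validate_config(cfg: dict) -> list[str]:
    """Return a list of human-readable findings; an empty list means the config passed."""
    findings: list[str] = []
    ad = cfg.get("active_directory", {})
    sec = cfg.get("security", {})
    url = urlsplit(ad.get("server", ""))

    if url.scheme not in ("ldap", "ldaps"):
        findings.append(f"server '{ad.get('server')}' must use an ldap:// or ldaps:// URL")
    encrypted = url.scheme == "ldaps" or bool(sec.get("enable_tls"))
    if url.scheme == "ldap" and not encrypted:
        findings.append("plaintext ldap:// without security.enable_tls: the bind password "
                        "crosses the network unencrypted")
    if encrypted and sec.get("validate_certificate") is not True:
        findings.append("validate_certificate is not true: TLS without certificate "
                        "validation is open to a man-in-the-middle")
    elif encrypted and not sec.get("ca_cert_file"):
        findings.append("validate_certificate is true but no ca_cert_file is set; "
                        "validation will depend on the system trust store containing the domain CA")

    if ad.get("password", "") in PLACEHOLDER_PASSWORDS:
        findings.append("password is empty or still the template placeholder")

    base_dn = ad.get("base_dn", "")
    domain = ad.get("domain", "")
    if domain and dn_parts(base_dn) != [f"dc={label}" for label in domain.lower().split(".")]:
        findings.append(f"base_dn '{base_dn}' does not correspond to domain '{domain}'")
    bind_dn = ad.get("bind_dn", "")
    if bind_dn and "=" in bind_dn and not dn_is_under(bind_dn, base_dn):
        findings.append(f"bind_dn '{bind_dn}' is not under base_dn '{base_dn}'")
    for name, ou_dn in cfg.get("organizational_units", {}).items():
        if not dn_is_under(ou_dn, base_dn):
            findings.append(f"organizational_units.{name} '{ou_dn}' is not under base_dn '{base_dn}'")
    return findings


def validate_config_file(path: str) -> list[str]:
    """Load a JSON config (e.g. ad-config/ad-config.json) and validate it."""
    with open(path, encoding="utf-8") as fh:
        return validate_config(json.load(fh))


# Constructed samples: the README's quick-start layout, a hardened variant, and
# a variant that enables TLS but turns certificate validation off.
QUICKSTART_SAMPLE = {
    "active_directory": {
        "server": "ldap://dc.example.com:389",
        "domain": "example.com",
        "base_dn": "DC=example,DC=com",
        "bind_dn": "CN=service-account,OU=Service Accounts,DC=example,DC=com",
        "password": "your-service-account-password",
    },
    "organizational_units": {
        "users_ou": "OU=Users,DC=example,DC=com",
        "groups_ou": "OU=Groups,DC=example,DC=com",
        "computers_ou": "OU=Computers,DC=example,DC=com",
        "service_accounts_ou": "OU=Service Accounts,DC=example,DC=com",
    },
}
HARDENED_SAMPLE = copy.deepcopy(QUICKSTART_SAMPLE)
HARDENED_SAMPLE["active_directory"].update({
    "server": "ldaps://dc.example.com:636",
    "use_ssl": True,
    "password": "example-only-not-a-real-secret",  # constructed value
})
HARDENED_SAMPLE["security"] = {
    "enable_tls": True, "validate_certificate": True, "ca_cert_file": "/path/to/ca-certificate.pem",
}
WEAK_TLS_SAMPLE = copy.deepcopy(HARDENED_SAMPLE)
WEAK_TLS_SAMPLE["security"]["validate_certificate"] = False


if __name__ == "__main__":
    for label, sample in [("quick-start", QUICKSTART_SAMPLE), ("hardened", HARDENED_SAMPLE),
                          ("weak TLS", WEAK_TLS_SAMPLE)]:
        print(f"{label}: {validate_config(sample) or ['OK']}")
```

Running `validate_config_file("ad-config/ad-config.json")` in a deploy step and refusing to start on a non-empty list turns these checks into a gate; the quick-start sample produces two findings (plaintext bind and placeholder password), the hardened one none.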
```json
{
  "performance": {
    "connection_pool_size": 10,
    "max_retries": 3,
    "retry_delay": 1.0,
    "page_size": 1000
  }
}
```

All Tests Passing (129/129) - Production Ready!
- Configuration Tests: 8/8
- User Tools Tests: 13/13
- Group Tools Tests: 17/17
- Computer Tools Tests: 18/18
- Security Tools Tests: 14/14
- OU Tools Tests: 18/18
- LDAP Manager Tests: 12/12
- Integration Tests: 20/20 (End-to-end workflows)
- Performance Tests: 9/9 (Load & stress testing)
- Total: 129/129 tests passing
```bash
# Run all tests with verbose output
pytest -v

# Run specific test categories
pytest tests/test_config.py -v                      # Configuration tests
pytest tests/test_ldap_manager.py -v                # LDAP manager tests
pytest tests/test_user_tools.py -v                  # User management tests
pytest tests/test_group_tools.py -v                 # Group management tests
pytest tests/test_computer_tools.py -v              # Computer management tests
pytest tests/test_security_tools.py -v              # Security & audit tests
pytest tests/test_organizational_unit_tools.py -v   # OU management tests
pytest tests/test_integration.py -v                 # End-to-end workflow tests
pytest tests/test_performance.py -v                 # Performance & load tests
```

```bash
# Test HTTP endpoints directly
python test_scripts/test_http_server.py

# Custom server URL
python test_scripts/test_http_server.py http://your-server:8813/activedirectory-mcp
```

```bash
# Test with real AD connection (requires config)
AD_MCP_CONFIG="ad-config/ad-config.json" pytest tests/test_integration.py -v
```

```bash
# Run performance and load tests
pytest tests/test_performance.py -v

# Run specific performance categories
pytest tests/test_performance.py::TestLargeDatasetPerformance -v   # Large dataset handling
pytest tests/test_performance.py::TestConcurrentOperations -v      # Concurrent operations
pytest tests/test_performance.py::TestMemoryAndResourceUsage -v    # Memory usage tests
pytest tests/test_performance.py::TestStressScenarios -v           # Stress testing

# Performance test features:
# - Large dataset performance (10K+ users/groups)
# - Concurrent operation testing (50+ simultaneous queries)
# - Memory usage validation
# - Sustained load scenarios
# - Connection pooling efficiency
```

```bash
# Start LDAP/AD test environment
docker-compose -f docker-compose-ad.yml up -d

# Wait for services to be ready (30 seconds)
docker logs -f openldap-ad-dc

# Test ActiveDirectoryMCP with test environment
python test_ad_environment.py

# Expected output:
# Connected to LDAP: 192.168.1.100:389
# MCP Config: SUCCESS
# HTTP API: SUCCESS
# Test environment ready!
```

Test Environment Features:
- LDAP Directory Service with AD-style structure
- Test users: admin, jdoe, jsmith, mwilson, testadmin
- Test groups: IT Department, Sales Team, Marketing, All Users
- Web Admin: http://localhost:8080 (cn=admin,dc=test,dc=local / Admin123!)
- Full testing guide: TESTING_GUIDE.md
```bash
# Health check
curl -X POST "http://localhost:8813/activedirectory-mcp" \
  -H "Content-Type: application/json" \
  -d '{"method": "health", "params": {}}'

# List users
curl -X POST "http://localhost:8813/activedirectory-mcp" \
  -H "Content-Type: application/json" \
  -d '{"method": "list_users", "params": {"ou": "OU=Users,DC=example,DC=com"}}'
```

```
ActiveDirectoryMCP/
├── src/                                    # Source code
│   └── active_directory_mcp/
│       ├── server.py                       # Main MCP server (stdio)
│       ├── server_http.py                  # HTTP MCP server
│       ├── config/                         # Configuration handling
│       ├── core/                           # Core functionality
│       │   ├── ldap_manager.py             # LDAP connection manager
│       │   └── logging.py                  # Logging configuration
│       └── tools/                          # Tool implementations
│           ├── user.py                     # User management
│           ├── group.py                    # Group management
│           ├── computer.py                 # Computer management
│           ├── organizational_unit.py      # OU management
│           └── security.py                 # Security & audit tools
│
├── tests/                                  # Comprehensive test suite (129 tests)
│   ├── test_config.py                      # Configuration tests (8)
│   ├── test_ldap_manager.py                # LDAP manager tests (12)
│   ├── test_user_tools.py                  # User management tests (13)
│   ├── test_group_tools.py                 # Group management tests (17)
│   ├── test_computer_tools.py              # Computer management tests (18)
│   ├── test_security_tools.py              # Security & audit tests (14)
│   ├── test_organizational_unit_tools.py   # OU management tests (18)
│   ├── test_integration.py                 # End-to-end workflow tests (20)
│   └── test_performance.py                 # Performance & load tests (9)
│
├── ad-config/                              # Configuration files
│   ├── ad-config.json                      # Main server configuration
│   ├── config.example.json                 # Example configuration
│   └── production-config.example.json      # Production example
│
├── Configuration Files
│   ├── pyproject.toml                      # Project metadata
│   ├── docker-compose.yml                  # Production deployment
│   ├── docker-compose-ad.yml               # Test environment with LDAP
│   ├── Dockerfile                          # Container definition
│   └── requirements.in                     # Dependencies
│
└── Scripts
    ├── start_server.sh                     # Stdio server launcher
    └── start_http_server.sh                # HTTP server launcher
```
- LDAP3 Compatibility: Fixed TLS configuration compatibility with latest ldap3 library
- Test Suite: All 43 tests now passing successfully (100% success rate)
- Mock Issues: Resolved integration test mocking for error scenarios
- Security Config: Removed deprecated LDAP parameters for better compatibility
- LDAP Connection Failed

  ```bash
  # Test connectivity
  ldapsearch -H ldap://dc.example.com -D "CN=user,DC=example,DC=com" -W -b "DC=example,DC=com" "(objectClass=domain)"
  ```

- Permission Denied
  - Verify service account permissions
  - Check OU access rights
  - Ensure proper LDAP bind DN

- SSL/TLS Issues

  ```bash
  # Test SSL connection
  openssl s_client -connect dc.example.com:636 -showcerts
  ```

- Port Already in Use

  ```bash
  # Check port usage
  netstat -tlnp | grep 8813
  # Change port if needed
  HTTP_PORT=8814 ./start_http_server.sh
  ```

- LLM Tool Limit Warning: Some LLM models may experience issues with 40+ tools in context.
```bash
# Container logs
docker logs activedirectory-mcp -f

# Local logs
tail -f active_directory_mcp.log
```

- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
- Inspired by ProxmoxMCP-Extended
- Built with the Model Context Protocol (MCP) SDK
- LDAP integration powered by ldap3 library
- FastMCP for HTTP transport capabilities
Production Ready! Your comprehensive Active Directory MCP service is fully tested (129/129 tests passing) and ready for production deployment with complete HTTP transport support, performance validation, and enterprise-grade reliability.
- ProxmoxMCP-Extended - Proxmox virtualization management
- Model Context Protocol - Official MCP documentation
- FastMCP - FastMCP for HTTP transport