{"id":25839672,"url":"https://github.com/netresearch/ldap-selfservice-password-changer","last_synced_at":"2026-04-01T19:33:14.676Z","repository":{"id":177215900,"uuid":"657161477","full_name":"netresearch/ldap-selfservice-password-changer","owner":"netresearch","description":"A simple and fast self-service LDAP (Lightweight Directory Access Protocol) / AD (Active Directory) password changer written in Golang.","archived":false,"fork":false,"pushed_at":"2026-03-23T22:00:49.000Z","size":3126,"stargazers_count":23,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-03-24T14:54:17.943Z","etag":null,"topics":["account-management","active-directory","activedirectory","application","go","golang","gopher","ldap","netresearch","password","password-change","password-reset","self-service"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/netresearch.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2023-06-22T12:59:00.000Z","updated_at":"2026-03-23T22:00:53.000Z","dependencies_parsed_at":null,"dependency_job_id":"5a96210e-8b98-41c4-aeee-85c1671de553","html_url":"https://github.com/netresearch/ldap-selfservice-password-changer","commit_stats":null,"previous_names":["netresearch/ldap-selfservice-password-changer"],"tags_count":18,"template":false,"template_full_name":null,"purl":"pkg:github/netresearch/ldap-selfservice-password-changer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/netresearch%2Fldap-selfservice-password-changer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/netresearch%2Fldap-selfservice-password-changer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/netresearch%2Fldap-selfservice-password-changer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/netresearch%2Fldap-selfservice-password-changer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/netresearch","download_url":"https://codeload.github.com/netresearch/ldap-selfservice-password-changer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/netresearch%2Fldap-selfservice-password-changer/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31291147,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-01T13:12:26.723Z","status":"ssl_error","status_checked_at":"2026-04-01T13:12:25.102Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["account-management","active-directory","activedirectory","application","go","golang","gopher","ldap","netresearch","password","password-change","password-reset","self-service"],"created_at":"2025-03-01T04:34:00.812Z","updated_at":"2026-04-01T19:33:14.661Z","avatar_url":"https://github.com/netresearch.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n  \u003ch1\u003eGopherPass 🐹\u003c/h1\u003e\n\nSelf-service password **change \u0026 reset** for **Active Directory and LDAP** — written in Go.\n\n\u003e Give users a simple, secure web interface to change or reset their directory passwords — no tickets, no scripts.\n\n  \u003cimg src=\"./internal/web/static/logo.webp\" height=\"256\" alt=\"GopherPass Logo\"\u003e\n\n[![Check](https://github.com/netresearch/ldap-selfservice-password-changer/actions/workflows/check.yml/badge.svg)](https://github.com/netresearch/ldap-selfservice-password-changer/actions/workflows/check.yml)\n[![CodeQL](https://github.com/netresearch/ldap-selfservice-password-changer/actions/workflows/codeql.yml/badge.svg)](https://github.com/netresearch/ldap-selfservice-password-changer/actions/workflows/codeql.yml)\n[![codecov](https://codecov.io/gh/netresearch/ldap-selfservice-password-changer/branch/main/graph/badge.svg)](https://codecov.io/gh/netresearch/ldap-selfservice-password-changer)\n[![Go Report Card](https://goreportcard.com/badge/github.com/netresearch/ldap-selfservice-password-changer)](https://goreportcard.com/report/github.com/netresearch/ldap-selfservice-password-changer)\n[![Docker](https://github.com/netresearch/ldap-selfservice-password-changer/actions/workflows/docker.yml/badge.svg)](https://github.com/netresearch/ldap-selfservice-password-changer/actions/workflows/docker.yml)\n[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)\n[![WCAG 2.2 AAA](https://img.shields.io/badge/WCAG%202.2-AAA%20Compliant-brightgreen?style=flat-square)](https://www.w3.org/WAI/WCAG22/quickref/?currentsidebar=%23col_customize\u0026levels=aaa)\n\n\u003c/div\u003e\n\n## Features\n\n- **Active Directory \u0026 LDAP Support**: Works with both AD and OpenLDAP directory services\n- **Dual Mode Operation**: Self-service password change (authenticated) and email-based password reset\n- **Configurable Password Policies**: Enforce minimum length, numbers, symbols, uppercase, lowercase requirements\n- **Security First**: LDAPS support, cryptographic token generation, rate limiting, no password storage\n- **Real-Time Validation**: Client-side validation with immediate feedback on password requirements\n- **Accessibility Excellence**: WCAG 2.2 Level AAA compliant with full keyboard navigation and screen reader support\n- **Modern UX**: Dark mode support, adaptive density, responsive design, optimized for password managers\n- **Production Ready**: Single binary deployment, Docker support, comprehensive logging\n- **Developer Friendly**: Go backend, TypeScript frontend, Tailwind CSS, embedded assets\n\n## Quick Start\n\n### Docker (Recommended)\n\n```bash\ndocker run -d -p 3000:3000 \\\n  -e LDAP_SERVER=ldaps://dc1.example.com:636 \\\n  -e LDAP_IS_AD=true \\\n  -e LDAP_BASE_DN=DC=example,DC=com \\\n  -e LDAP_READONLY_USER=readonly \\\n  -e LDAP_READONLY_PASSWORD=readonly \\\n  -e PASSWORD_RESET_ENABLED=true \\\n  -e SMTP_HOST=smtp.gmail.com \\\n  -e SMTP_PORT=587 \\\n  -e SMTP_USERNAME=notifications@example.com \\\n  -e SMTP_PASSWORD=your_app_password \\\n  -e SMTP_FROM_ADDRESS=noreply@example.com \\\n  -e APP_BASE_URL=https://password.example.com \\\n  ghcr.io/netresearch/ldap-selfservice-password-changer\n```\n\nAccess at `http://localhost:3000`\n\n### Native Installation\n\n**Prerequisites:**\n\n- Go 1.26+\n- Node.js 24+\n- Corepack (`npm i -g corepack`)\n\n```bash\n# Clone and build\ngit clone https://github.com/netresearch/ldap-selfservice-password-changer\ncd ldap-selfservice-password-changer\ncorepack enable\npnpm install\npnpm build\n\n# Configure (create .env.local or use flags)\ncp .env.local.example .env.local\n# Edit .env.local with your directory server details\n\n# Run\n./ldap-selfservice-password-changer\n```\n\n## Configuration\n\nGopherPass is configured via environment variables or command-line flags. Key settings:\n\n### Directory Connection\n\n- `LDAP_SERVER` - Directory server URI (ldaps://server:636)\n- `LDAP_IS_AD` - Set to `true` for Active Directory\n- `LDAP_BASE_DN` - Base DN for user searches\n- `LDAP_READONLY_USER` - Service account with read access\n- `LDAP_READONLY_PASSWORD` - Service account password\n\n### Password Policy\n\n- `MIN_LENGTH` - Minimum password length (default: 8)\n- `MIN_NUMBERS` - Required numeric characters (default: 1)\n- `MIN_SYMBOLS` - Required special characters (default: 1)\n- `MIN_UPPERCASE` - Required uppercase letters (default: 1)\n- `MIN_LOWERCASE` - Required lowercase letters (default: 1)\n\n### Password Reset Feature\n\n- `PASSWORD_RESET_ENABLED` - Enable email-based password reset\n- `SMTP_HOST` / `SMTP_PORT` - Mail server configuration\n- `SMTP_USERNAME` / `SMTP_PASSWORD` - SMTP authentication\n- `SMTP_FROM_ADDRESS` - Sender email address\n- `APP_BASE_URL` - Base URL for reset links\n- `RESET_TOKEN_EXPIRY_MINUTES` - Token validity (default: 15)\n- `RESET_RATE_LIMIT_REQUESTS` - Max requests per window (default: 3)\n\nFor complete configuration options, run `./ldap-selfservice-password-changer --help`\n\n## Password Reset Feature\n\nThe password reset feature allows users to reset forgotten passwords via secure email-based token verification.\n\n### Key Features\n\n- **Email-Based Verification**: Secure tokens sent via SMTP (Google Workspace supported)\n- **Cryptographic Security**: 32-byte tokens generated with `crypto/rand`\n- **Rate Limiting**: Configurable limits prevent abuse (default: 3 requests/hour per user)\n- **Token Expiration**: Tokens expire after 15 minutes (configurable)\n- **Single-Use Tokens**: Tokens cannot be reused after password reset\n- **No User Enumeration**: Generic responses prevent account discovery\n- **Directory Integration**: Automatic email-to-username lookup\n\n### How It Works\n\n1. User navigates to `/forgot-password` and enters their email\n2. System looks up user in directory and generates secure token\n3. Reset email sent with link: `https://your-domain.com/reset-password?token=XXX`\n4. User clicks link, enters new password with real-time validation\n5. Password updated in directory, token marked as used\n\n### LDAP/AD Permissions\n\n**Security Best Practice:** Use dedicated service accounts with minimal permissions.\n\n**For Active Directory:**\n\n- **Read-only account** (`LDAP_READONLY_USER`): Default Users group permissions\n- **Reset account** (`LDAP_RESET_USER`, optional): Grant \"Reset password\" permission on user OU\n\n**For OpenLDAP:**\n\n```ldif\n# Read-only access\naccess to dn.subtree=\"ou=users,dc=example,dc=com\"\n    by dn=\"cn=readonly,dc=example,dc=com\" read\n\n# Password reset access (optional dedicated account)\naccess to attrs=userPassword\n    by dn=\"cn=password-reset,dc=example,dc=com\" write\n    by self write\n    by * auth\n```\n\n## Security Recommendations\n\n### LDAPS (LDAP over TLS)\n\n**Strongly Recommended for Production:** Use `ldaps://` instead of `ldap://` to encrypt credentials in transit.\n\n```bash\n# ✅ Recommended: Encrypted connection\nLDAP_SERVER=ldaps://dc1.example.com:636\n\n# ⚠️  Not recommended: Unencrypted connection (passwords visible on network)\nLDAP_SERVER=ldap://dc1.example.com:389\n```\n\n**When LDAPS is Required:**\n\n- Active Directory password changes (AD protocol requirement)\n- Production deployments accessible over untrusted networks\n- Compliance requirements (HIPAA, PCI-DSS, SOC 2)\n\n**When plain LDAP may be acceptable:**\n\n- Internal trusted networks with network-level encryption (VPN, WireGuard)\n- Development/testing environments\n- Legacy systems where LDAPS deployment is not feasible\n\n**GopherPass Behavior:**\n\n- Accepts both `ldap://` and `ldaps://` connections (non-blocking)\n- Logs warning at startup when using unencrypted connections\n- Provides visibility for security monitoring and compliance auditing\n\n**Setting up LDAPS:**\n\n- Ensure your LDAP/AD server has valid TLS certificates configured\n- Use port 636 for LDAPS (vs port 389 for plain LDAP)\n- Test connection: `openssl s_client -connect dc1.example.com:636`\n\n## Documentation\n\nComprehensive documentation is available in the [`docs/`](docs/) directory:\n\n- **[API Reference](docs/api-reference.md)** - JSON-RPC API specification and validation rules\n- **[Development Guide](docs/development-guide.md)** - Setup, workflows, and troubleshooting\n- **[Testing Guide](docs/testing-guide.md)** - Testing strategies and recommendations\n- **[Accessibility Guide](docs/accessibility.md)** - WCAG 2.2 AAA compliance and testing procedures\n- **[Architecture](docs/architecture.md)** - System architecture overview\n\nFor a complete overview, see the [Documentation Index](docs/README.md).\n\n## Development\n\n### Docker Compose (Recommended)\n\n```bash\n# Copy example environment\ncp .env.local.example .env.local\n# Edit .env.local with your directory server details\n\n# Start development environment with Mailhog\ndocker compose --profile dev up\n\n# Application: http://localhost:3000\n# Mailhog UI: http://localhost:8025 (view password reset emails)\n```\n\n### Native Development\n\n```bash\ncorepack enable\npnpm install\ncp .env.local.example .env.local\n\n# Edit .env.local with your settings\n\n# Run with hot-reload\npnpm dev\n```\n\n## Project Background\n\nGopherPass was originally developed by [Netresearch DTT GmbH](https://www.netresearch.de/) for Active Directory environments and later expanded to support OpenLDAP. The project emphasizes security, accessibility, and user experience while maintaining simplicity and ease of deployment.\n\n## Contributing\n\nContributions are welcome! Please:\n\n- Follow [Conventional Commits](https://www.conventionalcommits.org/) for commit messages\n- Use `gofmt` and `prettier` formatting standards\n- Ensure tests pass and add new tests for features\n- Update documentation for significant changes\n\n## License\n\nGopherPass is licensed under the [MIT License](LICENSE).\n\n---\n\n\u003cdiv align=\"center\"\u003e\n\n**Built with ❤️ by [Netresearch DTT GmbH](https://www.netresearch.de/)**\n\n[Documentation](docs/) • [Issues](https://github.com/netresearch/ldap-selfservice-password-changer/issues) • [Contributing](#contributing)\n\n\u003c/div\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnetresearch%2Fldap-selfservice-password-changer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnetresearch%2Fldap-selfservice-password-changer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnetresearch%2Fldap-selfservice-password-changer/lists"}