LDAP Viewer

ldapviewer is a Python script to visualize all LDAP data from ldapdomaindump .json files in a modern, interactive web interface. Unlike the default .html files generated by ldapdomaindump, ldapviewer displays every LDAP attribute, ensuring you never miss critical information.

View Screenshots · Report Bug · Request Feature

Table of Contents

1. Why
2. Usage
3. Features
4. All Filters
5. Roadmap
6. Screenshots

Why?

I created this tool because:

1. ldapdomaindump and Bloodhound often miss some LDAP attributes in their output. For example, during several pentests, I missed sensitive data such as passwords stored in unexpected fields rather than the more common description field, because these tools didn’t display them.
2. I wanted to avoid running additional ldapsearch queries for information I already had, and not struggle with LDAP query syntax.
3. I needed an easy way to filter and search LDAP data for fields that are useful during penetration testing.

Demo

Want to see ldapviewer in action before using it? Download the example file and open it in your browser:

👉 Download ldapviewer_example.html

Usage

python ldapviewer.py <ldapdomaindump.json>

Example

To visualize a domain users dump:

python ldapviewer.py domain_users.json

Then open the generated HTML file (ldapviewer_domain_users.html) in your browser.

---

You can also launch ldapviewer with multiple JSON files at once:

python ldapviewer.py *.json

Features

ldapviewer lets you quickly and interactively explore the full content of an LDAP JSON dump:

Core Views

• Detail view: See all attributes for each LDAP entry, nothing is hidden.
• Table view: All entries and all attributes as columns, for easy comparison.
• Statistics page: View comprehensive statistics and distribution charts for your LDAP data.

Core features

• Instant search: Filter entries as you type.
• Filtering
  • UAC filtering: Filter users by UserAccountControl flags with one click.
  • LDAP Attribute-based filtering: Filter entries by LDAP attributes (e.g., has SPN, msDS-AllowedToDelegateTo, has Description)
  • General filtering: Default/non-default objects, recently created, inactive, never logged in
• CSV export: Export the current table view to CSV.
• Object tagging: Right-click on any object to mark it as owned or high value target.

Interface

• Modern responsive interface: All HTML/CSS/JS is embedded and works offline.
• Dark mode: Switch between light and dark themes with automatic system preference detection.

Filters

UAC Filters

• Account Enabled
• Account Disabled
• No Kerberos PreAuth (ASREProastable)
• Unconstrained Delegation (KUD)
• Constrained Delegation (KCD w/ protocol transition)
• Cannot be delegated

Password Related:

• Password Not Required
• Password Never Expires
• User Cannot Change Password
• Password Expired

Authentication Related:

• Smartcard Required
• Account Locked Out
• Reversible Encryption
• Use DES Key Only

LDAP Filters

• Has SPN (Kerberoastable - requires SPN and enabled account)
• AdminCount=1
• Constrained Delegation (KCD w/o protocol transition)
• RBCD Delegation (Resource-Based Constrained Delegation)
• Has Description
• Unsupported OS

General Filters

• Non-default objects only
• Default objects only
• Recently Created (last 30 days)
• Inactive Accounts (last logon > 90 days)
• Never Logged In (logon count = 0)
• Owned Objects
• Non-Owned Objects

Roadmap

See the project roadmap for a full list of planned features, improvements, and known issues.

Screenshots

Main View

Table View

Statistics

Filters

Dark Mode