Security-First Design

Identity Collector: Secure by Default

A lightweight Docker container with enterprise-grade security. Multi-platform support for AD, Azure, Intune, and Exchange with one-command installation.

150+ Security Checks
138MB Docker Image
<3s Startup Time
100% On-Premises

Security Architecture

Enterprise-Grade Protection

Multiple layers of security ensure your identity data stays protected across all platforms.

Consumable Tokens

Each token is limited to a configurable number of uses (3-100). Once its uses are exhausted the token is invalidated, which limits what a stolen or shared token can be used for.

# Response headers
X-Token-Usage: 3
X-Token-Remaining: 7

Short-Lived Tokens

Default expiry of 1 hour (not 365 days like legacy systems). Automatic cleanup runs every 5 minutes to remove expired tokens from the database.

Token file deleted after installation
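
The use-count and expiry behaviour described under Consumable Tokens and Short-Lived Tokens, as an added example that is not the collector's own code. `TokenStore` and its method names are hypothetical, the store is an in-memory Map rather than a database, and keeping only a SHA-256 hash of each token is an assumption (the page does not say how tokens are stored).

```javascript
const nodeCrypto = require('crypto');

const DEFAULT_TTL_MS = 60 * 60 * 1000;    // page: default expiry of 1 hour
const SWEEP_INTERVAL_MS = 5 * 60 * 1000;  // page: cleanup runs every 5 minutes
const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest('hex');

class TokenStore {
  constructor() { this.rows = new Map(); } // tokenHash -> { used, maxUses, expiresAt }

  // Returns the raw token once; only its hash is kept, so a dump of the store
  // does not reveal usable tokens.
  issue(maxUses, now = Date.now(), ttlMs = DEFAULT_TTL_MS) {
    // The page gives 3-100 as the range and uses 1 in its .env example; accept 1-100.
    if (!Number.isInteger(maxUses) || maxUses < 1 || maxUses > 100) {
      throw new RangeError('maxUses must be an integer from 1 to 100');
    }
    const token = nodeCrypto.randomBytes(32).toString('hex');
    this.rows.set(sha256(token), { used: 0, maxUses, expiresAt: now + ttlMs });
    return token;
  }

  // Counts one use. Check and increment happen in one synchronous step, so two
  // requests cannot both spend the last remaining use.
  consume(token, now = Date.now()) {
    const key = sha256(String(token));
    const row = this.rows.get(key);
    if (!row) return { ok: false, reason: 'unknown' };
    if (now >= row.expiresAt) { this.rows.delete(key); return { ok: false, reason: 'expired' }; }
    row.used += 1;
    const remaining = row.maxUses - row.used;
    if (remaining === 0) this.rows.delete(key); // exhausted: invalidate immediately
    return { ok: true, headers: { 'X-Token-Usage': String(row.used), 'X-Token-Remaining': String(remaining) } };
  }

  // Periodic cleanup of expired rows; returns how many were removed.
  sweep(now = Date.now()) {
    let removed = 0;
    for (const [key, row] of this.rows) {
      if (now >= row.expiresAt) { this.rows.delete(key); removed += 1; }
    }
    return removed;
  }
}

// In a long-running service: setInterval(() => store.sweep(), SWEEP_INTERVAL_MS).unref();
```

With a database behind it, the same guarantee needs the check and the increment in a single atomic statement or transaction, otherwise concurrent requests can overspend a token.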

Rate Limiting

Built-in protection against abuse with 100 requests/minute per client. Prevents brute-force attacks and resource exhaustion.

Configurable via RATE_LIMIT env var

Network Isolation

Binds to localhost (127.0.0.1) by default. Your collector is never exposed to the internet unless explicitly configured.

Air-gapped environments supported
Optional reverse proxy integration

Endpoint Access Control

Three deployment modes support the principle of least privilege:

full: All operations
audit-only: Read-only scans
no-audit: Management only

Hardened Container

Runs as non-root user (UID 1001) with minimal attack surface. LDAP injection prevention through parameter escaping and validation.

LDAPS (port 636) with optional TLS verification

One-Command Setup

Deploy in Minutes, Not Hours

Our interactive installer handles everything: OS detection, Docker installation, LDAP configuration, token generation, and Azure setup. No manual configuration files needed.

1. Download & Run: Single wget command downloads the installer
2. Answer Prompts: Interactive wizard guides configuration
3. Test Connection: Automatic LDAP connectivity validation
4. Start Auditing: Collector ready, token generated

install.sh
# Download and run installer
$ wget https://raw.githubusercontent.com/Fuskerrs/docker-ad-collector-n8n/main/install.sh
$ chmod +x install.sh && ./install.sh
Detected OS: Ubuntu 22.04
Docker: installed
Enter LDAP Server URL:
ldaps://dc.company.com:636
Testing connection...
Connection successful!
Generating API token...
Token saved to /opt/ad-collector/.token
AD Collector is ready!

Secure Workflow

Maximum Security, Minimum Exposure

For air-gapped environments or maximum security requirements, use our local export workflow. Generate reports without ever exposing your collector to the network.

1. Configure Token Limits

Set your token to single-use or limited uses for maximum security.

# .env configuration
TOKEN_MAX_USES=1
TOKEN_EXPIRY=1h

2. Run Local Audit

Execute the audit directly on the server with no network exposure.

# Local CLI export
docker exec ad-collector \
node export-audit.js \
--output audit.json

3. Secure Transfer

Transfer the JSON file via your secure channel (USB, SFTP, encrypted email).

4. Import & Generate Report

Upload the JSON to EtcSec for analysis and PDF report generation.

Zero Network Exposure

Collector never needs to be accessible from outside the server

Token Auto-Invalidation

Single-use tokens expire immediately after the audit

Full Audit Trail

Complete JSON export with all 150+ vulnerability checks

REST API

47 API Endpoints

Complete REST API for security auditing across all identity platforms and management operations.

Active Directory

On-Premises
POST /api/audit/ad
POST /api/audit/ad/stream (SSE)
POST /api/audit/ad/status
POST /api/audit/export
GET /api/audit/last
74 SSE progression steps

Azure Entra ID

Cloud
POST /api/audit/azure/stream (SSE)
POST /api/audit/azure/status
25 SSE progression steps
COMING SOON

Intune

Cloud
POST /api/audit/intune/stream (SSE)
POST /api/audit/intune/status
20 SSE progression steps
COMING SOON

Exchange Online

Cloud
POST /api/audit/exchange/stream (SSE)
POST /api/audit/exchange/status
15 SSE progression steps

Token Management

2 endpoints
GET /api/token/info
GET /api/token/validate

Token usage, expiration, quota status

User Management

12 endpoints

CRUD operations, password reset, group membership, enable/disable accounts

Group Management

8 endpoints

Create, delete, add/remove members, list groups and memberships

OUs & System

8 endpoints

Organizational units CRUD, health check, connection test

47 total endpoints for complete identity management and security auditing across all platforms

Ready to Secure Your Active Directory?

Deploy the collector in minutes and start your first security audit today.