Addict: An Active Directory REST API (opens in new tab)

Scenario #1: You have a small, team, busy people and have some process or workflow that would be greatly streamlined by a simple one-page app let's call it 'todo' which needs to integrate with email and provide single sign-on for ease of use. Your awesome dev Steph who dreams REST hand-pours with love your artisanal todo-365 app this weekend and everyone is using it next week and saving heaps of time because y'know there are only twenty of you... yet. FTW!

Scenarios #2: Ugh okay, Alex is the devops, sysadmin, security officer, fire-warden and makes great bullet-coffee but even with twenty there are lot of domain groups to manage with your startup and lots of projects depending on them so Alex just needs a python script for his Ansible playbook and because powershell makes Alex want to throw up.

Doesn't look to me like this can work with web-based AD, so it's probably useless unless you have an actual domain controller on-premises.

For the record, web-based 365 ADs (and most modern on-prem) already support webservices, just soap (and somewhat painful) rather than rest. I use it to authenticate from an app outside our network, the implementation wasn't that hard (python) but i really only do auth, no manipulation. It would be cool if MS added REST as an option to make this sort of common case easier, but they are too busy selling you complex integrated services to do that in Azure ("use Visual Studio, next next next, your app is now deployed on Azure and completely integrated with all these management tools. Cool, uh? Now give me lots of money every month or turn it off.")

Do you want to write a webapp to manipulate AD? Otherwise this probably isn't of any use to you.

If your AD doesn't have a saml endpoint, and you down want to talk directly to AD, this is _a_ way.

However it doesn't allow kerberos, or 2fa, so its not _all_ that useful in an enterprise setting.

To be honest, if you have to ask it's probably not one you're having. Things like this tend to be quite application specific. Generally, if you're doing much with AD directly, you'd be doing it via LDAP. However, if you need to talk to it (for some reason) through a web application -- this just might be helpful.

The problem of not having an Active Directory REST API.

I have a bunch of engineers that can presumably automate the provisioning and de-provisioning of the LDAP user accounts without having to mess around with the AD. I hire a consultant (think MSP) to set up and maintain the LDAP hosts and have my engineers write the necessary scripts to perform the aforementioned. This is beneficial for security automation, especially, in the cases where a company is too small to afford a dedicated IT SMEs but large enough to be able to afford something like SSAE-18 SOC 2 Type 2 (or equivalent). In those cases, the security automation in itself presents a repeatable process, which can be verified given the scripts would be executed using a job (Jenkins). This project fits that mold perfectly because that I have dealt with the exact scenario nth times with many start-ups operating in the B2B world with security stipulations such as ISO 27xxx or SOC 2 Type 2.

There are other ways to do it, but if you wanted, for example, to build a tool for employee on-boarding/off-boarding as web app, this might be helpful. Or maybe adding password change to an existing web app that authenticates via AD.

There are existing REST apis for AD, so I don't know what this brings that's new.

I suspect the down votes are because the word has already been co-opted for years to describe things that aren't issues. Similar for "viral", "infectious", "jonesing", "getting my cookie fix" and so on.

No need for self-righteous indignity here dude. Keep that on Tumblr.

Well that's good. I built it to fill my niche and hoping others would find use for it as well.

My impression is that it can be installed on any machine (even your own workstation) so long as it can reach your DC.

Many people making "REST" APIs don't even know what media types are which means many REST APIs are impure. That doesn't mean that the author won't add these based on feedback, or that they they have something in particular against describing it as an HTTP API. In many cases people searching for a REST API to access AD probably won't care about this particular nuance.