Improve your Active Directory using 443ID

LAB: How to use 443IDs CLI tool to enrich your Active Directory:

One great way to leverage the 443ID identity signals is by integrating our API directly into your user directory. Our CLI tool supports LDAP allowing you to quickly and easily nearly any user directory in the world. By integrating 443ID to your directory server, you are able to add our identity risk signals directly to your user and make them available to any other part of your identity technology stack. 

Note: There are two main ways to incorporate 443ID signals into your directory service. You can use a manual import/export or use a direct LDAP read/modify to update your users

For this project we will be using the 443ID CLI tool (you can learn more about that here) to give you a high level overview of how to add 443ID identity signals to your active directory.

Quick install:

npm i -g @take2identity/443id-cli
go install[email protected]


  • In this example we are using forgerock directory service to maintain information about users and resources. The docker image comes equipped with sample data and can be found here.
  • 443ID CLI installed and 443ID Schema Extensions on LDAP server if using LDAP.
  • Apache Directory Studio for directory tooling.

Once you connect to your server with Apache Directory Studio, open the Domain Controller and select the organizational unit people (ou=people).

As you can see, this user has not been scored by the 443ID CLI tool.


Next, export the contents to an LDIF file and pipe it into the 443ID CLI tool for scoring. At the top of the menu bar, navigate to File -> Export. Follow the prompt and configure it to your use case.


At the terminal, enter the following command to score your file:

cat [FileName] | 443id-cli evaluate risk-batch --inputType ldif --outputType ldif

Example output:


Now that your LDIF file is scored, open Apache Directory Studio and import it to your server. Choose the location that your file is stored in and upload. You should see the following changes.


The objectClass s443ID was added and the signals and scores are listed, as well as levelTxt and levelNum.

Terminal command:

ldapsearch ldap:[Domain] -b "ou=people, dc=example, dc=com" "(mail=*)" -D "cn-Directory Manager" -w "password”)| 443id-cli evaluate risk-batch--inputType ldif --outputType ldif | -H ldapmodify ldap:[Domain] -D "cn-Directory Manager" -w “password”


Command breakdown:

Here we are using LDAP Search this command allows you to traverse through your LDAP directory tree:

ldapsearch ldap:[Domain] -b "ou=people, dc=example, dc=com" "(mail=*)" -D "cn-Directory Manager" -w "password”)

This is the 443id command to evaluate risk in batch format as well as setting the input and output type to LDIF: 

443id-cli evaluate risk-batch--inputType ldif --outputType ldif

Last is LDAP modify, this command allows you to open a connection to the LDAP server, binds and modifies or adds the new entry.

 -H ldapmodify ldap:[Domain] -D "cn-Directory Manager" -w “password”


Share what you build! Follow us and let us know how you plan to use 443ID to manage your Risk!

Want to learn more about 443ID? Head over to

Related Post