Koppla

Koppla is a model-context-protocol server for Active Directory that enables you to manage users, groups, and computer objects using natural language.

For more information, visit https://lazyadmin.nl/koppla

With Koppla, you can seamlessly query and manage your Active Directory environment using Claude Desktop or other MCP capable AI agents.

🔹 What Can Koppla Do?

Koppla allows you to execute complex Active Directory queries and updates effortlessly. Examples:

• "Find all inactive users who haven't logged in for 90 days."
• "Add John Doe to the 'IT Admins' security group."
• "List all locked-out user accounts."
• "Find all users in the Sales department."
• "Which groups does Jane Smith belong to?"
• "Show me empty groups."
• "Find users in group A but not in group B."

🚀 Getting Started

1️⃣ Prerequisites

• Python 3.7 or higher
• Active Directory environment
• Claude Desktop application (for integration with Claude)

2️⃣ Installation

Koppla requires Python and can be installed using:

pip install koppla

3️⃣ Configuration

Using the Configuration Manager (Recommended)

Koppla includes a secure configuration manager that handles encryption of sensitive credentials:

koppla-config configure

This interactive tool will:

1. Prompt for your Active Directory connection details
2. Securely encrypt your password using Fernet symmetric encryption
3. Create or update the Claude Desktop configuration file with Koppla server settings
4. Automatically create a backup of your existing Claude Desktop configuration
5. Test the connection to verify your credentials

You can also:

• Display current configuration: koppla-config show
• Test your AD connection: koppla-config test

Manual Configuration

Koppla uses environment variables for configuration:

To manually configure Koppla with the Claude Desktop app, add the following configuration to the "mcpServers" section of your claude_desktop_config.json:

{
  "mcpServers": {
    "Koppla-Active-Directory": {
        "command": "python",
        "args": ["-m", "koppla.server"],
        "env": {
            "AD_SERVER": "ldap://<domain-controller-name>:389",
            "AD_USER": "<domain\\username>",
            "AD_PASSWORD": "<password>",
            "BASE_DN": "DC=lazyadmin,DC=nl",
            "AD_WRITE_ENABLED": "false"
        }
    }
  }
}

⚠️ Data Processing & Privacy Notice

Important: Koppla transmits Active Directory data to external AI models for processing. This may have security and compliance implications, particularly for organizations subject to GDPR or similar regulations. No AD data is stored by Koppla itself, but be aware that AI agents may retain conversation history according to their own policies. Ensure usage complies with your organization's data handling requirements and consider limiting the scope of queryable data through careful configuration.

🔒 Security Features

Password Encryption

• Koppla uses Fernet symmetric encryption (from the cryptography package) to secure your Active Directory password
• The encryption key is stored separately from the configuration in a key file with restricted permissions
• When using the configuration manager, passwords are never stored in plain text
• Encrypted passwords appear as ENCRYPTED:xxxx... in the configuration file

Backup System

• Before any configuration changes, Koppla automatically creates timestamped backups of your Claude Desktop configuration
• Backups are stored alongside your configuration with format: claude_desktop_config.json.backup_YYYYMMDD_HHMMSS

Write Protection

• By default, all write operations (adding/removing users from groups, updating user attributes) are disabled
• To enable write operations, set AD_WRITE_ENABLED to "true"
• Critical accounts and groups have additional protection regardless of write settings

Supported Write Operations

Koppla supports the following write operations when AD_WRITE_ENABLED is set to "true":

1. Update User Attributes

   • Modify standard user attributes like description, title, department, etc.
   • Protected fields (passwords, security identifiers, account control) cannot be modified
   • Protected accounts (administrators, service accounts, etc.) cannot be modified

2. Add User to Group

   • Add standard users to security or distribution groups
   • Cannot add users to protected administrative groups
   • Protected accounts cannot be added to any groups

3. Remove User from Group

   • Remove users from most security or distribution groups
   • Cannot remove users from critical system groups
   • Protected accounts cannot be removed from any groups

All write operations require explicit confirmation before execution.