LDAP Credentials

Description

General

  • Documentation: https://tools.ietf.org/html/rfc2251
  • Summary: LDAP stands for Lightweight Directory Access Protocol. It is a protocol for accessing directory information services. It suits workloads that need fast retrieval of data and databases where users perform many queries and only a few updates, typically login information.
  • IPs allowlist: This can be implemented on the server side.
  • Scopes: The credentials' scope is the range of permissions of the user they belong to.

Revoke the secret

Database administrators can revoke an entry in the directory.

Check for suspicious activity

Logs can be kept on the server.

Details for Ldap credentials assignment

  • Family: Database

  • Category: Data storage

  • High recall: False

  • Validity check available: True

  • On-premise instances exist: True

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 3

  • Occurrences found for one million commits: 2.52

  • Prefixed: False

  • PreValidators:

    - type: ContentWhitelistPreValidator
      patterns:
        - ldap
    - type: ContentWhitelistPreValidator
      patterns:
        - email
        - user
        - dn
        - uid
    - type: ContentWhitelistPreValidator
      patterns:
        - pass
        - pwd
        - cred

Examples

    - text: |
        ldap_uri = ldaps://company.beta.com
        ldap_bind_dn = a_ldap_user_01@company.beta.com
        ldap_pass = "k%udk423u4%P8=H_"
      host: company.beta.com
      username: a_ldap_user_01@company.beta.com
      password: k%udk423u4%P8=H_

    - text: |
        ldap_server = ldaps://company.beta.com
        ldap_user = a_ldap_user_01
        ldap_pwd = "k%udk423u4%P8=H_"
      host: company.beta.com
      username: a_ldap_user_01
      password: k%udk423u4%P8=H_

    - text: |
        ldap_server = ldaps://company.beta.com:389
        ldap_user = a_ldap_user_01
        ldap_pwd = "k%udk423u4%P8=H_"
      host: company.beta.com:389
      username: a_ldap_user_01
      password: k%udk423u4%P8=H_

    - text: |
        ldap_server = 124.36.78.214:389
        ldap_user = a_ldap_user_01
        ldap_pwd = "k%udk423u4%P8=H_"
      host: 124.36.78.214:389
      username: a_ldap_user_01
      password: k%udk423u4%P8=H_

Details for Ldap credentials assignment with dn

  • Family: Database

  • Category: Data storage

  • High recall: False

  • Validity check available: True

  • On-premise instances exist: True

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 3

  • Occurrences found for one million commits: very rare

  • Prefixed: False

  • PreValidators:

    - type: ContentWhitelistPreValidator
      patterns:
        - ldap
    - type: ContentWhitelistPreValidator
      patterns:
        - (dn|dc|ou|cn|o|uid)=
    - type: ContentWhitelistPreValidator
      patterns:
        - pass
        - pwd?
        - cred

Examples

    - text: |
        ldaps://company.beta.com
        cn=somedev,ou=company,dc=beta,dc=com
        pwd = "k%udk423u4%P8=H_"
      host: company.beta.com
      username: cn=somedev,ou=company,dc=beta,dc=com
      password: k%udk423u4%P8=H_

    - text: |
        ldaps://company.beta.com:389
        cn=somedev,ou=company,dc=beta,dc=com
        pwd = "k%udk423u4%P8=H_"
      host: company.beta.com:389
      username: cn=somedev,ou=company,dc=beta,dc=com
      password: k%udk423u4%P8=H_
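The following added example (not GitGuardian's code) shows how the PreValidator groups of both detectors above act as a cheap gate before the three matches (host, username, password) are extracted. The pattern groups are the ones listed on this page; treating them as "every group must match somewhere in the text" and the extraction regexes themselves are assumptions, and the sample inputs are constructed to mirror the page's examples.

```python
import re

# PreValidator groups copied from the page; "all groups must hit" is assumed.
PREVALIDATORS = {
    "ldap_credentials_assignment": [
        [r"ldap"], [r"email", r"user", r"dn", r"uid"], [r"pass", r"pwd", r"cred"]],
    "ldap_credentials_assignment_with_dn": [
        [r"ldap"], [r"(dn|dc|ou|cn|o|uid)="], [r"pass", r"pwd?", r"cred"]],
}
# Hypothetical extraction regexes for the three matches the page lists.
HOST_RE = re.compile(
    r"ldaps?://(?P<host>[A-Za-z0-9.\-]+(?::\d+)?)"      # URI form
    r"|(?P<ip>\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?)")       # bare IP[:port]
USER_RE = re.compile(
    r"(?:user|bind_dn)\s*=\s*(?P<user>\S+)"              # key = value
    r"|^\s*(?P<dn>(?:cn|uid)=[^\s\"]+)", re.MULTILINE)   # bare DN line
PASS_RE = re.compile(r"(?:pass|pwd)\s*=\s*\"?(?P<pw>[^\s\"]+)\"?")

def matching_detectors(text):
    """Names of detectors whose PreValidator groups all hit the text."""
    low = text.lower()
    return [name for name, groups in PREVALIDATORS.items()
            if all(any(re.search(p, low) for p in g) for g in groups)]

def extract_ldap_credentials(text):
    """Return detector name plus host/username/password, or None."""
    names = matching_detectors(text)
    if not names:
        return None  # gate closed: extraction regexes never run
    host, user, pw = HOST_RE.search(text), USER_RE.search(text), PASS_RE.search(text)
    if not (host and user and pw):
        return None  # fewer than the minimum of 3 matches
    return {"detector": names[0],
            "host": host.group("host") or host.group("ip"),
            "username": user.group("user") or user.group("dn"),
            "password": pw.group("pw")}

# Constructed inputs mirroring the page's examples (same placeholder secret).
SAMPLE_ASSIGNMENT = '''
    ldap_server = 124.36.78.214:389
    ldap_user = a_ldap_user_01
    ldap_pwd = "k%udk423u4%P8=H_"
'''
SAMPLE_DN = '''
    ldaps://company.beta.com:389
    cn=somedev,ou=company,dc=beta,dc=com
    pwd = "k%udk423u4%P8=H_"
'''
SAMPLE_NO_SECRET = "ldap_server = ldaps://company.beta.com\nldap_user = a_ldap_user_01\n"

if __name__ == "__main__":
    for sample in (SAMPLE_ASSIGNMENT, SAMPLE_DN, SAMPLE_NO_SECRET):
        print(extract_ldap_credentials(sample))
```

The third sample has a host and a user but no password keyword, so no detector's gate opens and nothing is extracted.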