LDAP Credentials
Description
General
- Documentation: https://tools.ietf.org/html/rfc2251
- Summary: LDAP stands for Lightweight Directory Access Protocol. It is a protocol used to access directory information services. It suits workloads that need fast data retrieval and where users run many queries but only a few updates against the database, typically login information.
- IPs allowlist: This can be implemented on the server side.
- Scopes: Credentials carry the permissions of the user they belong to.
Revoke the secret
Database administrators can revoke an entry in the directory.
Check for suspicious activity
Logs can be kept on the server.
Details for Ldap credentials assignment
Family: Database
Category: Data storage
High recall: False
Validity check available: True
On-premise instances exist: False
Only valid secrets raise an alert: False
Minimum number of matches: 3
Occurrences found for one million commits: 0.37
Prefixed: False
PreValidators:
- type: ContentWhitelistPreValidator
  patterns:
    - ldap
- type: ContentWhitelistPreValidator
  patterns:
    - email
    - user
    - dn
    - uid
- type: ContentWhitelistPreValidator
  patterns:
    - pass
    - pwd
    - cred
Examples
- text: |
    ldap_uri = ldaps://company.beta.com
    ldap_bind_dn = a_ldap_user_01@company.beta.com
    ldap_pass = "k%udk423u4%P8=H_"
  host: company.beta.com
  username: a_ldap_user_01@company.beta.com
  password: k%udk423u4%P8=H_
- text: |
    ldap_server = ldaps://company.beta.com
    ldap_user = a_ldap_user_01
    ldap_pwd = "k%udk423u4%P8=H_"
  host: company.beta.com
  username: a_ldap_user_01
  password: k%udk423u4%P8=H_
- text: |
    ldap_server = ldaps://company.beta.com:389
    ldap_user = a_ldap_user_01
    ldap_pwd = "k%udk423u4%P8=H_"
  host: company.beta.com:389
  username: a_ldap_user_01
  password: k%udk423u4%P8=H_
- text: |
    ldap_server = 124.36.78.214:389
    ldap_user = a_ldap_user_01
    ldap_pwd = "k%udk423u4%P8=H_"
  host: 124.36.78.214:389
  username: a_ldap_user_01
  password: k%udk423u4%P8=H_
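The pre-validation gate and the three-match minimum listed above, sketched as an added example; this is not the detector's actual implementation. It assumes every ContentWhitelistPreValidator passes when at least one of its patterns occurs in the content (case-insensitive) and that all three must pass; the assignment regex and the host key hints are hypothetical.

```python
import re

# Pattern groups copied from the detector's PreValidators list.
PREVALIDATOR_GROUPS = [
    ["ldap"],
    ["email", "user", "dn", "uid"],
    ["pass", "pwd", "cred"],
]
# Hypothetical key hints for the host match (the page lists none for it).
HOST_HINTS = ("uri", "url", "server", "host")
# Hypothetical `key = value` / `key: value` matcher; optional double quotes.
ASSIGN_RE = re.compile(r'^[ \t]*([\w.-]+)[ \t]*[=:][ \t]*"?([^"\n]+?)"?[ \t]*$', re.M)

# Constructed from the page's first example.
SAMPLE = '''ldap_uri = ldaps://company.beta.com
ldap_bind_dn = a_ldap_user_01@company.beta.com
ldap_pass = "k%udk423u4%P8=H_"
'''

def passes_prevalidators(text):
    """Assumed semantics: every group needs at least one pattern in the text."""
    lowered = text.lower()
    return all(any(p in lowered for p in group) for group in PREVALIDATOR_GROUPS)

def extract_matches(text):
    """Map assignments to host / username / password by key name."""
    found = {}
    for key, value in ASSIGN_RE.findall(text):
        key = key.lower()
        if any(p in key for p in PREVALIDATOR_GROUPS[2]):
            found.setdefault("password", value)
        elif any(p in key for p in HOST_HINTS):
            found.setdefault("host", re.sub(r"^ldaps?://", "", value))
        elif any(p in key for p in PREVALIDATOR_GROUPS[1]):
            found.setdefault("username", value)
    return found

def scan(text, minimum_matches=3):
    """Return the matches only if the gate passes and all three are present."""
    if not passes_prevalidators(text):
        return None
    found = extract_matches(text)
    return found if len(found) >= minimum_matches else None

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The cheap substring gate runs before any regex work, so content that never mentions `ldap` is rejected without extraction, and a file with only a user and password but no host stays below the three-match minimum.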
Details for Ldap credentials assignment with dn
Family: Database
Category: Data storage
High recall: False
Validity check available: True
On-premise instances exist: False
Only valid secrets raise an alert: False
Minimum number of matches: 3
Occurrences found for one million commits: 3.44
Prefixed: False
PreValidators:
- type: ContentWhitelistPreValidator
  patterns:
    - ldap
- type: ContentWhitelistPreValidator
  patterns:
    - (dn|dc|ou|cn|o|uid)=
- type: ContentWhitelistPreValidator
  patterns:
    - pass
    - pwd?
    - cred
Examples
- text: |
    ldaps://company.beta.com
    cn=somedev,ou=company,dc=beta,dc=com
    pwd = "k%udk423u4%P8=H_"
  host: company.beta.com
  username: cn=somedev,ou=company,dc=beta,dc=com
  password: k%udk423u4%P8=H_
- text: |
    ldaps://company.beta.com:389
    cn=somedev,ou=company,dc=beta,dc=com
    pwd = "k%udk423u4%P8=H_"
  host: company.beta.com:389
  username: cn=somedev,ou=company,dc=beta,dc=com
  password: k%udk423u4%P8=H_