From 092c384a484c1fa39db0ff95d682d7fe1283226b Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier <nemunaire@nemunai.re>
Date: Thu, 30 Apr 2026 08:56:36 +0700
Subject: [PATCH] Include rules section

---
 README.md | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/README.md b/README.md
index ff42106..1b66b14 100644
--- a/README.md
+++ b/README.md
@@ -94,6 +94,26 @@ For each of `_ldap._tcp` (with fallback to port 389) and `_ldaps._tcp`
 | `bind_password` | no       | Secret. Bound only after TLS is established; never sent over cleartext.     |
 | `base_dn`       | no       | Base DN to test read access against. Requires a successful authenticated bind. |
 
+## Rules
+
+| Code                            | Description                                                                                                       | Severity            |
+|---------------------------------|-------------------------------------------------------------------------------------------------------------------|---------------------|
+| `ldap.has_srv`                  | Verifies that _ldap._tcp / _ldaps._tcp SRV records are published and resolvable.                                  | WARNING             |
+| `ldap.endpoint_reachable`       | Verifies that every discovered LDAP endpoint accepts a TCP connection.                                            | CRITICAL            |
+| `ldap.has_encrypted_transport`  | Verifies that at least one reachable endpoint offers an encrypted channel (LDAPS or StartTLS).                    | CRITICAL            |
+| `ldap.starttls_supported`       | Verifies that StartTLS is offered and succeeds on every reachable plain LDAP endpoint.                            | CRITICAL            |
+| `ldap.ldaps_handshake`          | Verifies that the direct TLS handshake succeeds on every LDAPS endpoint.                                          | CRITICAL            |
+| `ldap.starttls_on_ldaps`        | Flags servers that needlessly advertise StartTLS on the implicit-TLS LDAPS port.                                  | INFO                |
+| `ldap.ipv6_reachable`           | Verifies at least one endpoint is reachable over IPv6.                                                            | INFO                |
+| `ldap.refuses_plain_bind`       | Verifies the directory refuses authentication attempts over a cleartext channel.                                  | CRITICAL            |
+| `ldap.anonymous_search_blocked` | Flags directories that allow anonymous search of the naming context (information disclosure).                     | WARNING             |
+| `ldap.rootdse_readable`         | Verifies the RootDSE is readable over TLS and advertises naming contexts.                                         | WARNING             |
+| `ldap.sasl_mechanisms`          | Reviews the supportedSASLMechanisms posture (presence of strong mechanisms, absence of password-equivalent ones). | WARNING             |
+| `ldap.protocol_version`         | Flags servers that still advertise the deprecated LDAPv2 protocol.                                                | WARNING             |
+| `ldap.bind_credentials`         | Verifies the supplied bind credentials are accepted by the directory (only runs when bind_dn is set).             | CRITICAL            |
+| `ldap.base_dn_read`             | Verifies the bound account can read the supplied base DN (only runs when base_dn is set and bind succeeded).      | CRITICAL            |
+| `ldap.tls_quality`              | Folds the downstream TLS checker findings (certificate chain, hostname match, expiry) onto the LDAP service.      | CRITICAL            |
+
 ## License
 
 MIT (see `LICENSE` and `NOTICE`).