Include rules section

2026-04-30 08:56:36 +07:00 · 2026-04-30 08:56:36 +07:00 · 092c384a48
commit 092c384a48
parent e6e08e32d3
1 changed files with 20 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -94,6 +94,26 @@ For each of `_ldap._tcp` (with fallback to port 389) and `_ldaps._tcp`
 | `bind_password` | no       | Secret. Bound only after TLS is established; never sent over cleartext.     |
 | `base_dn`       | no       | Base DN to test read access against. Requires a successful authenticated bind. |

+## Rules
+
+| Code                            | Description                                                                                                       | Severity            |
+|---------------------------------|-------------------------------------------------------------------------------------------------------------------|---------------------|
+| `ldap.has_srv`                  | Verifies that _ldap._tcp / _ldaps._tcp SRV records are published and resolvable.                                  | WARNING             |
+| `ldap.endpoint_reachable`       | Verifies that every discovered LDAP endpoint accepts a TCP connection.                                            | CRITICAL            |
+| `ldap.has_encrypted_transport`  | Verifies that at least one reachable endpoint offers an encrypted channel (LDAPS or StartTLS).                    | CRITICAL            |
+| `ldap.starttls_supported`       | Verifies that StartTLS is offered and succeeds on every reachable plain LDAP endpoint.                            | CRITICAL            |
+| `ldap.ldaps_handshake`          | Verifies that the direct TLS handshake succeeds on every LDAPS endpoint.                                          | CRITICAL            |
+| `ldap.starttls_on_ldaps`        | Flags servers that needlessly advertise StartTLS on the implicit-TLS LDAPS port.                                  | INFO                |
+| `ldap.ipv6_reachable`           | Verifies at least one endpoint is reachable over IPv6.                                                            | INFO                |
+| `ldap.refuses_plain_bind`       | Verifies the directory refuses authentication attempts over a cleartext channel.                                  | CRITICAL            |
+| `ldap.anonymous_search_blocked` | Flags directories that allow anonymous search of the naming context (information disclosure).                     | WARNING             |
+| `ldap.rootdse_readable`         | Verifies the RootDSE is readable over TLS and advertises naming contexts.                                         | WARNING             |
+| `ldap.sasl_mechanisms`          | Reviews the supportedSASLMechanisms posture (presence of strong mechanisms, absence of password-equivalent ones). | WARNING             |
+| `ldap.protocol_version`         | Flags servers that still advertise the deprecated LDAPv2 protocol.                                                | WARNING             |
+| `ldap.bind_credentials`         | Verifies the supplied bind credentials are accepted by the directory (only runs when bind_dn is set).             | CRITICAL            |
+| `ldap.base_dn_read`             | Verifies the bound account can read the supplied base DN (only runs when base_dn is set and bind succeeded).      | CRITICAL            |
+| `ldap.tls_quality`              | Folds the downstream TLS checker findings (certificate chain, hostname match, expiry) onto the LDAP service.      | CRITICAL            |
+
 ## License

 MIT (see `LICENSE` and `NOTICE`).