Skip to content

BP-2521: Clarify ForceLDAPSSL and LDAPS fallback behavior in SharpHound#344

Open
jeff-matthews wants to merge 4 commits into
mainfrom
BP-2521-ldap-clarifications
Open

BP-2521: Clarify ForceLDAPSSL and LDAPS fallback behavior in SharpHound#344
jeff-matthews wants to merge 4 commits into
mainfrom
BP-2521-ldap-clarifications

Conversation

@jeff-matthews

@jeff-matthews jeff-matthews commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Summary

This PR updates the SharpHound documentation to clarify that ForceLDAPSSL should not be read as a blanket guarantee that every directory-related operation will avoid non-LDAPS paths. It also aligns the System Requirements page with the more nuanced caveat already present in Local Configuration.

Two doc tickets flagged that the current wording is too absolute:

  • BP-2521 notes that even with ForceLDAPSSL set, SharpHound does not always exclusively use LDAPS and that the docs should not imply otherwise.

  • BP-2581 raises the same issue and also notes that blocking TCP 389 can currently cause SharpHound to fail in some scenarios.

What changed

  • Reworded the Network section on the System Requirements page to remove the absolute statement that LDAPS is enforceable.

  • Clarified fallback behavior when ForceLDAPSSL is disabled.

  • Clarified that enabling ForceLDAPSSL affects SharpHound's primary LDAP configuration, but some negotiation or resolution paths may still occur outside that path.

  • Added an explicit warning not to assume that blocking TCP 389 is safe in all deployments without validation.

  • Reformatted network system requirements and configuration file settings to make them easier to read.

Summary by CodeRabbit

  • Documentation
    • Reorganized SharpHound Enterprise setup docs for clearer navigation and easier reference.
    • Added a clearer workflow for editing local configuration files and restarting the service.
    • Reworked settings, authentication, and IWA guidance into structured reference sections.
    • Improved system requirements docs with clearer deployment steps and more organized network/connectivity tables.
    • Clarified connectivity and permission notes, including LDAP/LDAPS behavior and IWA-related requirements.

@jeff-matthews jeff-matthews self-assigned this Jul 8, 2026
@jeff-matthews jeff-matthews added feedback Updates based on internal and external feedback data-collection Docs related to nodes, edges, and general data collection labels Jul 8, 2026
@jeff-matthews
jeff-matthews requested a review from specterkris July 8, 2026 21:50
@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@jeff-matthews, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 46 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b633f791-5f52-45a9-85a6-464834b9ab59

📥 Commits

Reviewing files that changed from the base of the PR and between e00fb57 and 8b443e0.

📒 Files selected for processing (2)
  • docs/install-data-collector/install-sharphound/local-configuration.mdx
  • docs/install-data-collector/install-sharphound/system-requirements.mdx

Walkthrough

Documentation for SharpHound Enterprise local configuration and system requirements was restructured. Configuration file descriptions moved to tables and ResponseField-based reference formats; network requirements were reorganized into Baseline/Optional Connectivity tables; several inline notes/warnings were reformatted into multi-line callout blocks.

Changes

SharpHound Enterprise documentation updates

Layer / File(s) Summary
Local configuration files overview and workflow
docs/install-data-collector/install-sharphound/local-configuration.mdx
Adds a two-file table for settings.json/auth.json and a new "Configure SharpHound Settings" section describing the stop-edit-start workflow.
IWA configuration reference rewrite
docs/install-data-collector/install-sharphound/local-configuration.mdx
Replaces static field/default tables with <Tip> and <ResponseField>-based documentation for settings.json (including IWA-only fields) and auth.json (Token, TokenID).
Deployment overview and network connectivity requirements
docs/install-data-collector/install-sharphound/system-requirements.mdx
Renumbers deployment steps with linked labels and restructures network requirements into "Baseline Connectivity" and "Optional Connectivity" tables, refining ForceLDAPSSL guidance.
Service account and IWA connectivity notes reformatting
docs/install-data-collector/install-sharphound/system-requirements.mdx
Reformats the service account Domain Admin warning, tombstoning permission note, and ADFS connectivity note into multi-line <Warning>/<Note> blocks.

Estimated code review effort: 2 (Simple) | ~12 minutes

Possibly related PRs

  • SpecterOps/bloodhound-docs#328: Both PRs reorganize SharpHound Enterprise docs around the same settings.json/auth.json configuration workflow, including Token/TokenID and service stop/start steps.

Suggested reviewers: StephenHinck

Poem

A rabbit hops through docs so neat,
Tables replace bullets, tidy and sweet.
Settings and auth, now clearly shown,
IWA fields each get their own throne.
Stop, edit, start — the workflow's clear,
Hop hop hooray, the docs are here! 🐇📄

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately captures the main documentation change: clarifying ForceLDAPSSL and LDAPS fallback behavior in SharpHound.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch BP-2521-ldap-clarifications

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/install-data-collector/install-sharphound/system-requirements.mdx`:
- Line 17: The sentence in the SharpHound system requirements section is awkward
because it mixes the run-as account with the requirement note; update the
wording in the “Create a Service Account or gMSA” line so it clearly says
SharpHound runs under that account and separately references the Service Account
Requirements below. Use the existing SharpHound setup phrasing in the relevant
MDX section and keep the link to create-gmsa intact while making the two ideas
distinct and easier to read.
- Around line 51-58: The Optional Connectivity table in system-requirements.mdx
has a semantic mismatch because the bandwidth entry is placed in the Protocol /
port column. Update the row in the Optional Connectivity section so the
collection bandwidth is no longer listed as a protocol/port value; instead, move
that information into the Notes text or place it as a separate note below the
table, keeping the existing privilege collection entries and the DC Registry and
CA Registry row unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b327028a-6678-44d0-8950-0027757b6093

📥 Commits

Reviewing files that changed from the base of the PR and between 22e5db8 and e00fb57.

📒 Files selected for processing (2)
  • docs/install-data-collector/install-sharphound/local-configuration.mdx
  • docs/install-data-collector/install-sharphound/system-requirements.mdx

Comment thread docs/install-data-collector/install-sharphound/system-requirements.mdx Outdated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

data-collection Docs related to nodes, edges, and general data collection feedback Updates based on internal and external feedback

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants