BP-2521: Clarify ForceLDAPSSL and LDAPS fallback behavior in SharpHound#344
BP-2521: Clarify ForceLDAPSSL and LDAPS fallback behavior in SharpHound#344jeff-matthews wants to merge 4 commits into
Conversation
|
Warning Review limit reached
Next review available in: 46 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
WalkthroughDocumentation for SharpHound Enterprise local configuration and system requirements was restructured. Configuration file descriptions moved to tables and ResponseField-based reference formats; network requirements were reorganized into Baseline/Optional Connectivity tables; several inline notes/warnings were reformatted into multi-line callout blocks. ChangesSharpHound Enterprise documentation updates
Estimated code review effort: 2 (Simple) | ~12 minutes Possibly related PRs
Suggested reviewers: Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/install-data-collector/install-sharphound/system-requirements.mdx`:
- Line 17: The sentence in the SharpHound system requirements section is awkward
because it mixes the run-as account with the requirement note; update the
wording in the “Create a Service Account or gMSA” line so it clearly says
SharpHound runs under that account and separately references the Service Account
Requirements below. Use the existing SharpHound setup phrasing in the relevant
MDX section and keep the link to create-gmsa intact while making the two ideas
distinct and easier to read.
- Around line 51-58: The Optional Connectivity table in system-requirements.mdx
has a semantic mismatch because the bandwidth entry is placed in the Protocol /
port column. Update the row in the Optional Connectivity section so the
collection bandwidth is no longer listed as a protocol/port value; instead, move
that information into the Notes text or place it as a separate note below the
table, keeping the existing privilege collection entries and the DC Registry and
CA Registry row unchanged.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: b327028a-6678-44d0-8950-0027757b6093
📒 Files selected for processing (2)
docs/install-data-collector/install-sharphound/local-configuration.mdxdocs/install-data-collector/install-sharphound/system-requirements.mdx
Summary
This PR updates the SharpHound documentation to clarify that
ForceLDAPSSLshould not be read as a blanket guarantee that every directory-related operation will avoid non-LDAPS paths. It also aligns the System Requirements page with the more nuanced caveat already present in Local Configuration.Two doc tickets flagged that the current wording is too absolute:
BP-2521 notes that even with
ForceLDAPSSLset, SharpHound does not always exclusively use LDAPS and that the docs should not imply otherwise.BP-2581 raises the same issue and also notes that blocking TCP 389 can currently cause SharpHound to fail in some scenarios.
What changed
Reworded the Network section on the System Requirements page to remove the absolute statement that LDAPS is enforceable.
Clarified fallback behavior when
ForceLDAPSSLis disabled.Clarified that enabling
ForceLDAPSSLaffects SharpHound's primary LDAP configuration, but some negotiation or resolution paths may still occur outside that path.Added an explicit warning not to assume that blocking TCP 389 is safe in all deployments without validation.
Reformatted network system requirements and configuration file settings to make them easier to read.
Summary by CodeRabbit