
Store LDAP domain as credential source for LDAP external accounts
Closed, Wontfix (Public)

Description

There's an administrator privilege escalation possible with LDAP now:

  1. Point the LDAP adapter at a new server you control.
  2. Create all the user accounts with password "asdf".
  3. Escalate from an administrator account to any account with LDAP.

This isn't normally possible because external account domains store the server identity, but for LDAP they're all still "self". T887 will fix this, but this is a special case with security implications (the other cases do not have those implications).
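A constructed model of the account lookup the description is about, added here and not taken from Phabricator's code: the weak form keys an external account on provider type and remote id only (domain stored as "self"), while the bound form also keys on the server the link was created against. Class and function names, the sample usernames and the "PHID-USER-..." values are assumptions; only the two hostnames come from this task.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of an external-account link, not Phabricator's own code.
@dataclass(frozen=True)
class ExternalAccount:
    account_type: str    # provider type, e.g. "ldap"
    account_domain: str  # server identity; "self" is the weak form this task describes
    account_id: str      # username on the external system
    user_phid: str       # local user the link grants access to

@dataclass(frozen=True)
class ProviderConfig:
    account_type: str
    host: str            # currently configured LDAP host (editable by an administrator)

def lookup_weak(accounts, provider: ProviderConfig, remote_username: str) -> Optional[str]:
    """Domain is ignored: whichever server the provider points at now is trusted for
    every existing link, so repointing the host claims every linked account."""
    for acct in accounts:
        if acct.account_type == provider.account_type and acct.account_id == remote_username:
            return acct.user_phid
    return None

def lookup_bound(accounts, provider: ProviderConfig, remote_username: str) -> Optional[str]:
    """Domain is part of the key: a link only matches the server it was created against.
    Links still stored as "self" never match a real host, so they need migrating first."""
    key = (provider.account_type, provider.host, remote_username)
    for acct in accounts:
        if (acct.account_type, acct.account_domain, acct.account_id) == key:
            return acct.user_phid
    return None

# Constructed sample data: one legacy link ("self") and one domain-bound link.
LEGACY_LINKS = [ExternalAccount("ldap", "self", "alice", "PHID-USER-alice")]
BOUND_LINKS = [ExternalAccount("ldap", "ldap.mycompany.com", "alice", "PHID-USER-alice")]
ORIGINAL = ProviderConfig("ldap", "ldap.mycompany.com")
REPOINTED = ProviderConfig("ldap", "ldap.evil.com")  # host changed in the provider config

if __name__ == "__main__":
    print(lookup_weak(LEGACY_LINKS, REPOINTED, "alice"))   # PHID-USER-alice: the escalation
    print(lookup_bound(BOUND_LINKS, REPOINTED, "alice"))   # None: link stays with original host
    print(lookup_bound(BOUND_LINKS, ORIGINAL, "alice"))    # PHID-USER-alice
```

The last comment in the thread applies to the bound form: a legitimate move of the LDAP server changes the key too, so those links have to be migrated rather than silently re-trusted.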

Event Timeline

epriestley raised the priority of this task from to Low.
epriestley updated the task description.
epriestley added projects: Security, Auth.
epriestley added a subscriber: epriestley.

This escalation requires control of DNS/networking or something to point phabricator at the new LDAP server, correct?

No -- you point Phabricator at the new LDAP server by using a compromised administrative account and going to AuthLDAP and changing ldap.mycompany.com to ldap.evil.com.

This phrasing was unclear:

administrator privilege escalation

I mean "if you compromise an administrator account, you can escalate from that to any other account", not "you can escalate to administrative privileges from [some lesser set of privileges]".

escalate from that to any other account

To be precise, any other account which already has an associated link with an external LDAP account.

epriestley claimed this task.

I think we're going to fix this with T7667 instead. Binding to a particular domain creates headaches if you actually move the LDAP server, and unlocked authentication creates a lot of other problems that we can't address in a similar way.