There's an administrator privilege escalation possible with LDAP now:
- Point the LDAP adapter at a new server you control.
- Create all the user accounts with password "asdf".
- Escalate from an administrator account to any account with LDAP.
This isn't normally possible because external account domains store the server identity, but for LDAP they're all still "self". T887 will fix this, but this is a special case with security implications (the other cases do not have those implications).