Remove hardcoded LDAP credentials from LDAPManager

src/main/java/org/owasp/benchmark/helpers/LDAPManager.java

@@ -59,7 +59,22 @@ protected Hashtable<Object, Object> createEnv() {
         env.put(Context.PROVIDER_URL, "ldap://localhost:10389");
         env.put(Context.SECURITY_AUTHENTICATION, "simple");
         env.put(Context.SECURITY_PRINCIPAL, "uid=admin,ou=system");
-        env.put(Context.SECURITY_CREDENTIALS, "secret");
+
+        // Retrieve credentials from environment variable instead of hardcoding
+        String ldapPassword = System.getenv("LDAP_ADMIN_PASSWORD");
+        if (ldapPassword == null || ldapPassword.trim().isEmpty()) {
+            // Fallback to system property for backward compatibility
+            ldapPassword = System.getProperty("ldap.admin.password");
+            if (ldapPassword == null || ldapPassword.trim().isEmpty()) {
+                // Last resort fallback for test environments only
+                System.err.println(
+                        "WARNING: Using default LDAP password. "
+                                + "Set LDAP_ADMIN_PASSWORD environment variable or ldap.admin.password system property for secure configuration.");
+                ldapPassword = "secret";
+            }
+        }
+        env.put(Context.SECURITY_CREDENTIALS, ldapPassword);
+
         env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
         return env;
     }