lolcreds

Public credential defaults and exposure patterns for authorized security testing.

GLPI

Teclibenterprise app3 credentials1 default credential

Credentials3 documented
01

Default Local Accounts

glpi / default-local-accounts

Fresh GLPI installations include built-in local accounts used to sign in before the operator changes or disables them.

static defaultuser definedsecretusername/password

Default credentials

glpi:glpi

Location

public interface
GLPI web login and API session init
database

GLPI users table storing password verifier data

config file

deployment inventories, Docker Compose files, and installer notes

artifact

database dumps and application backups

Notes

Other documented initial accounts commonly include tech/tech, normal/normal, and post-only/postonly; the default block records the administrative glpi/glpi account.

02

API App Token / Session Token

glpi / api-app-token

GLPI REST API clients can use application tokens and user authentication to obtain session tokens for API access.

generated on installuser definedsecrettoken

Location

http header
App-Token

Application token used with GLPI API calls

http header
Session-Token

Session token returned by initSession

database

GLPI API client and session tables

config file

integration scripts, .env files, monitoring configs, and CMDB sync jobs

environment
GLPI_APP_TOKEN, GLPI_SESSION_TOKEN, GLPI_USER_TOKEN
secret store

CI/CD variables and integration vaults

logs

API client traces and web server access logs

03

LDAP, Mail Receiver, and Database Secrets

glpi / ldap-mail-database-secrets

GLPI deployments store LDAP bind credentials, mail receiver passwords, and database credentials for runtime and integrations.

user definedsecretsecret value

Location

config file

config/config_db.php, LDAP configuration, mail receiver setup, and deployment manifests

database

GLPI tables holding encrypted or protected integration settings

secret store

Kubernetes Secrets, vault entries, and password managers

source code

Docker Compose files, Helm values, and automation repos

logs

setup logs, sync errors, and mail receiver debug logs

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.