admin/settings/ldap/ldapprov/test takes $_POST parameters and takes actions based on them. Ideally the $_POST should contain a token as shown in this article about csrf.

I can't think of any way to actually abuse this functionality without already owning the site, so I'm posting this publicly, but it feels worth doing just in case...