»OpenLDAP Secrets Engine
The OpenLDAP secret engine allows management of LDAP entry passwords. At this time only existing LDAP entries are supported by this plugin.
This plugin currently supports LDAP v3.
Enable the OpenLDAP secret engine:
$ vault secrets enable openldap
By default, the secrets engine will mount at the name of the engine. To enable the secrets engine at a different path, use the
Configure the credentials that Vault uses to communicate with OpenLDAP to generate passwords:
$ vault write openldap/config \
    binddn=$USERNAME \
    bindpass=$PASSWORD \
    url=ldaps://22.214.171.124
Note: it's recommended a dedicated entry management account be created specifically for Vault.
Rotate the root password so only Vault knows the credentials:
$ vault write -f openldap/rotate-root
Note: it's not possible to retrieve the generated password once rotated by Vault.
It's recommended a dedicated entry management account be created specifically for Vault.
Configure a static role that maps a name in Vault to an entry in OpenLDAP.
Password rotation settings will be managed by this role.
$ vault write openldap/static-role/hashicorp \
    dn='uid=hashicorp,ou=users,dc=hashicorp,dc=com' \
    username='hashicorp' \
    rotation_period="24h"
Request credentials for the "hashicorp" role:
$ vault read openldap/static-role/hashicorp
The OpenLDAP Secret Engine supports two different schemas:
openldap (default) and
By default the OpenLDAP Secret Engine assumes the entry password is stored in
The following object classes provide
»Resource Access Control Facility (RACF)
For managing IBM's Resource Access Control Facility (RACF) security system, the secret engine must be configured to use the schema
Generated passwords must be 8 characters or less to support RACF. The length of the password can be configured as shown:
$ vault write openldap/config \
    binddn=$USERNAME \
    bindpass=$PASSWORD \
    url=ldaps://126.96.36.199 \
    schema=racf \
    length=8
Passwords can be managed in two ways:
- automatic time based rotation, and
- manual rotation.
»Auto Password Rotation
Passwords will automatically be rotated based on the
in the static role (minimum of 5 seconds). When requesting credentials for a static
role, the response will include the time before the next rotation (
Auto-rotation is currently only supported for static roles. The binddn account used by Vault should be rotated using the rotate-root endpoint to generate a password only Vault will know.
Static roles can be manually rotated using the rotate-role endpoint. When manually rotated, the rotation period will start over.
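The constraints this page states for the config and static-role writes (the racf schema needs a password length of 8 or less, and a static role's rotation_period has a 5-second minimum) are easy to get wrong when provisioning is scripted. The following added example, not part of the Vault documentation or the plugin's own code, checks a planned config and static role against those constraints before the `vault write` lines are emitted; the duration parser only handles h/m/s units (an assumed simplification of Vault's duration syntax), and the function names are the example's own.

```python
import re
import shlex

# Constraints taken from this page; anything else Vault enforces is out of scope here.
MIN_ROTATION_SECONDS = 5        # static-role rotation_period minimum
RACF_MAX_PASSWORD_LENGTH = 8    # RACF accepts passwords of 8 characters or less
SCHEMAS = {"openldap", "racf"}  # the two schemas this page discusses

_DURATION_RE = re.compile(r"(\d+)([hms])")
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_duration(value):
    """Convert a duration such as '24h', '90m' or '1h30m' to seconds.
    A bare integer is treated as seconds. Only h, m and s units are handled."""
    if re.fullmatch(r"\d+", value):
        return int(value)
    if not re.fullmatch(r"(\d+[hms])+", value):
        raise ValueError(f"unrecognised duration: {value!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in _DURATION_RE.findall(value))


def validate_config(schema="openldap", length=None):
    """Return problems with a planned openldap/config write (empty list if none)."""
    problems = []
    if schema not in SCHEMAS:
        problems.append(f"unknown schema {schema!r}")
    if schema == "racf" and (length is None or length > RACF_MAX_PASSWORD_LENGTH):
        # Without an explicit short length, generated passwords would be rejected by RACF.
        problems.append(f"schema=racf requires length <= {RACF_MAX_PASSWORD_LENGTH}")
    return problems


def validate_static_role(rotation_period):
    """Return problems with a planned static-role write (empty list if none)."""
    seconds = parse_duration(rotation_period)
    if seconds < MIN_ROTATION_SECONDS:
        return [f"rotation_period {rotation_period!r} is below the {MIN_ROTATION_SECONDS}s minimum"]
    return []


def static_role_command(mount, name, dn, username, rotation_period):
    """Build the `vault write` line for a static role, shell-quoting the DN and username."""
    problems = validate_static_role(rotation_period)
    if problems:
        raise ValueError("; ".join(problems))
    return (f"vault write {mount}/static-role/{name} "
            f"dn={shlex.quote(dn)} username={shlex.quote(username)} "
            f"rotation_period={shlex.quote(rotation_period)}")
```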
»Deleting Static Roles
Passwords are not rotated upon deletion of a static role. The password should be manually rotated prior to deleting the role or revoking access to the static role.