Vault
LDAP secrets engine overview
Manage static and dynamic LDAP credentials and integrate with services that implement the LDAP v3 protocol, including OpenLDAP, Active Directory, and IBM Resource Access Control Facility (RACF).
| Current version | Edition | Runtime | Code source |
|---|---|---|---|
| 0.17.0 | Community | Built-in | hashicorp/vault-plugin-secrets-openldap |
Feature summary
- Use OpenLDAP, RACF, and Active Directory schemas.
- Use traditional 8-character passwords and modern, longer password phrases.
- Check-out service accounts with automatic password rotation.
- Map static Vault roles to LDAP credentials.
- Use dynamic LDAP credentials and manage LDAP user accounts through LDIF.
- Manually rotate LDAP passwords and root credentials.
- Automatically rotate LDAP passwords for static credentials.
- Rotate root credentials on a predefined schedule (Enterprise).
- Organize related credentials with hierarchical paths.
Service account libraries
Use the service account functionality to create a library of service accounts that users and machines can check out and use as needed. Vault automatically rotates the associated password when the client checks the service account back in.
Clients can voluntarily check in service accounts at any time and Vault automatically returns the account to the library when the lending period ("ttl") ends.
The service account check-out functionality works with all the LDAP schemas supported by the plugin.
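The check-out lifecycle described above, modelled as an added example (not the plugin's own code): accounts in a set are lent to one client at a time, a client can check an account back in early, Vault returns it automatically when the lending period ends, and the password is rotated on every check-in so the credential the client held stops working. The class, the tick-based clock and the account names are constructed for illustration; the real engine exposes this through the library/check-out and check-in endpoints rather than in-process calls.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    name: str
    password: str
    checked_out_by: Optional[str] = None
    due_at: Optional[int] = None  # tick at which the lending period ("ttl") ends


class ServiceAccountLibrary:
    """Toy model of a service account library set (constructed for this example)."""

    def __init__(self, names: List[str], ttl: int):
        self.ttl = ttl
        self.accounts: Dict[str, Account] = {n: Account(n, self._new_password()) for n in names}

    @staticmethod
    def _new_password() -> str:
        return secrets.token_urlsafe(24)

    def expire(self, now: int) -> List[str]:
        """Return to the library every account whose lending period has ended."""
        returned = []
        for acct in self.accounts.values():
            if acct.checked_out_by is not None and now >= acct.due_at:
                self.check_in(acct.name)
                returned.append(acct.name)
        return returned

    def check_out(self, client: str, now: int) -> Optional[dict]:
        """Lend the first available account; None if every account is checked out."""
        self.expire(now)
        for acct in self.accounts.values():
            if acct.checked_out_by is None:
                acct.checked_out_by = client
                acct.due_at = now + self.ttl
                return {"service_account_name": acct.name, "password": acct.password, "ttl": self.ttl}
        return None

    def check_in(self, name: str) -> bool:
        """Return an account early and rotate its password so the old one is dead."""
        acct = self.accounts[name]
        if acct.checked_out_by is None:
            return False
        acct.checked_out_by = None
        acct.due_at = None
        acct.password = self._new_password()
        return True

    def authenticate(self, name: str, password: str) -> bool:
        """Stand-in for an LDAP bind with the lent credential."""
        return secrets.compare_digest(self.accounts[name].password, password)

    def status(self, now: int) -> Dict[str, str]:
        self.expire(now)
        return {n: "available" if a.checked_out_by is None else f"checked out by {a.checked_out_by}"
                for n, a in self.accounts.items()}


if __name__ == "__main__":
    lib = ServiceAccountLibrary(["svc-a", "svc-b"], ttl=60)
    lease = lib.check_out("alice", now=0)
    print(lease["service_account_name"], lib.authenticate(lease["service_account_name"], lease["password"]))
    lib.check_in(lease["service_account_name"])
    print(lib.authenticate(lease["service_account_name"], lease["password"]))  # rotated: False
```

The point worth noticing is that a client which keeps using a checked-in credential fails its next bind, whether it returned the account itself or the ttl returned it. Monitoring for binds from a service account after its check-in time is therefore a useful misuse signal.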
Credential rotation
For static roles, Vault automatically rotates passwords based on the configured
rotation period. When clients request credentials for a static role, Vault
includes the time before the next rotation (ttl) in the response.
The plugin can also rotate the root credentials configured directly within the mount. Rotating to a Vault-generated password makes the value inaccessible to the operator and ensures that only Vault can act as the root user to manage dynamic and static credentials.
Logging
Logging for manual rotation records the same information as other rotation
logging with an additional reference that the rotation happened on user request.
Rotation logging
The rotation manager emits logs to the standard vault.log on any successful or
failed rotation.
In the case of success, Vault notes:
- the rotated credential as the first parameter, rotationID,
- the anticipated time of the next rotation as expire_time.
In the case of failure, Vault sets rotationID to err and may emit additional
logs depending on the configured log level.
As with the rotation manager, Vault logs rotations with reference to the name of the role and error information if the rotation failed. The logs also indicate if the rotation was part of a periodic function.
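To turn the rotation log entries described above into something a SOC can act on, here is an added example (not part of the Vault documentation or the plugin) that parses constructed vault.log lines, separates failed rotations (rotationID set to err) from successful ones, records whether a rotation was manual or periodic, and flags roles whose expire_time has already passed without a newer rotation. The key=value layout in SAMPLE_LOG is an assumption modelled loosely on hclog output, not the plugin's documented format; the field names role, error, periodic and manual are likewise assumed, so adapt the regular expressions to what your log actually contains.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample lines; the layout and field names are assumptions for this
# example, not the plugin's documented log format.
SAMPLE_LOG = """\
2024-03-01T10:00:00.000Z [INFO]  secrets.ldap: rotation succeeded: rotationID=a1b2c3 role=org/secure expire_time=2024-03-02T10:00:00Z periodic=true
2024-03-01T10:05:00.000Z [INFO]  secrets.ldap: rotation succeeded: rotationID=d4e5f6 role=org/platform/dev expire_time=2024-03-01T22:05:00Z periodic=false manual=true
2024-03-01T11:00:00.000Z [ERROR] secrets.ldap: rotation failed: rotationID=err role=svc-backup error="LDAP result code 49: invalid credentials" periodic=true
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[(?P<level>[A-Z]+)\]\s+(?P<logger>\S+):\s+(?P<msg>[^:]+):\s+(?P<kv>.*)$"
)
# key=value pairs; quoted values may contain spaces and colons
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Optional[Dict]:
    """Split one log line into its fields, or None if it is not a rotation entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    fields.update(timestamp=m.group("ts"), level=m.group("level"), message=m.group("msg"))
    fields["failed"] = fields.get("rotationID") == "err"   # failure marker from the docs
    fields["manual"] = fields.get("manual") == "true"       # rotation on user request
    fields["periodic"] = fields.get("periodic") == "true"   # part of the periodic function
    return fields


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize(text: str, now: datetime) -> Dict[str, List]:
    """Return failed roles and roles whose next rotation is already overdue at `now`."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    failures = [e["role"] for e in events if e["failed"]]
    overdue = [
        e["role"]
        for e in events
        if not e["failed"] and "expire_time" in e and _parse_ts(e["expire_time"]) <= now
    ]
    return {"events": events, "failures": failures, "overdue": overdue}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, datetime.now(timezone.utc))
    for role in report["failures"]:
        print(f"ALERT rotation failed for role {role}")
    for role in report["overdue"]:
        print(f"WARN next rotation for role {role} is overdue")
```

A failed rotation is the higher-priority signal: the old password stays valid past its intended lifetime until the failure is fixed, so it deserves an alert rather than a dashboard entry.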
Hierarchical paths
The LDAP secrets plugin lets you define role and set names that contain an arbitrary number of forward slashes. Names with forward slashes define hierarchical path structures.
For example, you can configure two static roles with the names org/secure and
org/platform/dev.
Names with hierarchical paths let you use the plugin API to query the available roles at a specific path with arbitrary depth. Names that end with a forward slash indicate that sub-paths reside under that path.
For example, to list all static roles under the org/ path, you can call the
{mount_path}/static-role/{role_name}/ endpoint with the org path segment:
```shell-session
$ vault list ldap/static-role/org/
Keys
----
platform/
secure
```
Since Vault policies are also path-based, hierarchical names also let you define policies that map 1-1 to LDAP secrets engine roles and set paths.
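The listing and policy behaviour described in this section, as an added example that is not Vault's own code: list_at_prefix reproduces the vault list output shown above for any depth (immediate children of a prefix, with a trailing slash on entries that have further sub-paths), and policy_path_matches reimplements Vault's documented policy path rules (a trailing * is a prefix glob, + matches exactly one path segment) so you can check which static roles a policy reaches. The role names mirror the page; the ldap/static-cred/ prefix is the endpoint a client reads static role credentials from; the policy paths are constructed for this example.

```python
from typing import Iterable, List


def list_at_prefix(names: Iterable[str], prefix: str) -> List[str]:
    """Immediate children of `prefix`, as `vault list` would show them."""
    if prefix and not prefix.endswith("/"):
        prefix += "/"
    keys = set()
    for name in names:
        if not name.startswith(prefix):
            continue
        rest = name[len(prefix):]
        if not rest:
            continue  # the prefix itself is a role, not a child of itself
        head, sep, _ = rest.partition("/")
        keys.add(head + "/" if sep else head)  # trailing slash marks a sub-path
    return sorted(keys)


def policy_path_matches(policy_path: str, request_path: str) -> bool:
    """Reimplementation of Vault's policy path rules for illustration:
    a trailing '*' globs the rest of the request path (across segments),
    and a '+' segment matches any single segment."""
    pol = policy_path.split("/")
    req = request_path.split("/")
    glob = pol[-1].endswith("*")
    if glob:
        pol[-1] = pol[-1][:-1]  # keep the stem before '*'
    if len(req) < len(pol) or (not glob and len(req) != len(pol)):
        return False
    for i, seg in enumerate(pol):
        if glob and i == len(pol) - 1:
            return "/".join(req[i:]).startswith(seg)
        if seg != "+" and seg != req[i]:
            return False
    return True


def roles_reachable(policy_path: str, role_names: Iterable[str],
                    cred_prefix: str = "ldap/static-cred/") -> List[str]:
    """Which static roles a policy path grants credential reads for."""
    return sorted(r for r in role_names if policy_path_matches(policy_path, cred_prefix + r))


ROLES = ["org/secure", "org/platform/dev"]  # the two roles from the page

if __name__ == "__main__":
    print(list_at_prefix(ROLES, "org/"))  # ['platform/', 'secure']
    print(roles_reachable("ldap/static-cred/org/platform/*", ROLES))  # ['org/platform/dev']
```

Because the glob in ldap/static-cred/org/* crosses segment boundaries, it reaches both roles; the narrower ldap/static-cred/org/platform/* reaches only org/platform/dev, which is the 1-1 mapping between a team's path and its policy that hierarchical names are meant to give you.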