Manually rotate root LDAP credentials

You can rotate root credential keys configured directly within the plugin. Rotating to a Vault-generated key makes the key value inaccessible to the operator and ensures only Vault can operate as a root user to manipulate dynamic and static credentials.

Assumptions

You have set up an ldap plugin.
You have permission to update LDAP credentials in Vault.

Use vault write with the /{mount_path}/rotate-root path to rotate the root credential:

$ vault write -f <mount_path>/rotate-root

For example:

$ vault write -f devcreds/rotate-root

Make a POST call to /{mount_path}/rotate-root to rotate the root credential:

$ curl                                                \
  --request POST                                      \
  --header    "X-Vault-Token: ${VAULT_TOKEN}"         \
  --namespace "X-Vault-Namespace: ${VAULT_NAMESPACE}" \
  ${VAULT_ADDR}/v1/sys/<mount_path>/rotate-root

For example:

$ curl                                                \
  --request POST                                      \
  --header    "X-Vault-Token: ${VAULT_TOKEN}"         \
  --namespace "X-Vault-Namespace: ${VAULT_NAMESPACE}" \
  ${VAULT_ADDR}/v1/sys/devcreds/rotate-root