HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Vault
Vault Home

You are viewing documentation for version v1.20.x. View latest version.

Rotate root LDAP credentials on a schedule

Enterprise

Appropriate Vault Enterprise  license required

You can set the rotation_schedule parameter with an optional rotation window in your LDAP configuration to rotate root credentials on a fixed schedule.

If you set the rotation window, Vault stops trying to rotate the credential once the window expires. If Vault cannot rotate the credential within the defined window (e.g., due to a network failure) it waits until the next scheduled rotation to try again.

Assumptions

  1. You cannot set rotation_period and rotation_schedule for the same plugin. If you previously set a rotation period, you must disable period rotation in your configuration:

    {
  "schema":            "ad",
  "binddn":            "<ldap_username>",
  "bindpass":          "<ldap_password>",
  "url":               "<ldap_server_uri>",
  "credential_type":   "<password | phrase>",
  "rotation_schedule": "<cron_style_time_string>",
  "rotation_window":   "<window_for_rotation_attempts>",
  "rotation_period":   "0"
}

    For example:

    {
  "schema":            "ad",
  "binddn":            "cn=admin,dc=abc,dc=com",
  "bindpass":          "iamabadpassword",
  "url":               "ldaps://138.91.247.105",
  "credential_type":   "password",
  "rotation_schedule": "0 0 * * SAT",
  "rotation_window":   "1hr",
  "rotation_period":   "0"
}

  2. Apply the changes.

    Use vault write with the {mount_path}/config path to apply your ldap.json configuration file:

    $ vault write <mount_path>/config @ldap.json

    For example:

    $ vault write devcreds/config @ldap.json
Edit this page on GitHub