---
layout: docs
page_title: OpenLDAP - Secrets Engine
sidebar_title: OpenLDAP
description: The OpenLDAP secret engine manages OpenLDAP entry passwords.
---
The OpenLDAP secret engine allows management of LDAP entry passwords. At this time only existing LDAP entries are supported by this plugin. This plugin currently supports LDAP v3.
1. Enable the OpenLDAP secret engine:

   ```shell
   $ vault secrets enable openldap
   ```

   By default, the secrets engine will mount at the name of the engine. To enable the secrets engine at a different path, use the `-path` argument.

2. Configure the credentials that Vault uses to communicate with OpenLDAP to generate passwords:

   ```shell
   $ vault write openldap/config \
       binddn=$USERNAME \
       bindpass=$PASSWORD \
       url=ldaps://138.91.247.105
   ```

   Note: it's recommended that a dedicated entry management account be created specifically for Vault.

3. Rotate the root password so only Vault knows the credentials:

   ```shell
   $ vault write -f openldap/rotate-root
   ```

   Note: it's not possible to retrieve the generated password once it has been rotated by Vault.

4. Configure a static role that maps a name in Vault to an entry in OpenLDAP. Password rotation settings will be managed by this role.

   ```shell
   $ vault write openldap/static-role/hashicorp \
       dn='uid=hashicorp,ou=users,dc=hashicorp,dc=com' \
       username='hashicorp' \
       rotation_period="24h"
   ```

5. Request credentials for the "hashicorp" role:

   ```shell
   $ vault read openldap/static-role/hashicorp
   ```
Passwords can be managed in two ways:

- automatic time-based rotation, and
- manual rotation.

Passwords will automatically be rotated based on the `rotation_period` configured in the static role (minimum of 5 seconds). When requesting credentials for a static role, the response will include the time before the next rotation (`ttl`).

Auto-rotation is currently only supported for static roles. The `binddn` account used by Vault should be rotated using the `rotate-root` endpoint to generate a password only Vault will know.

Static roles can be manually rotated using the `rotate-role` endpoint. When a role is manually rotated, the rotation period starts over.

Passwords are not rotated upon deletion of a static role. The password should be manually rotated prior to deleting the role or revoking access to the static role.
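As an added example (not part of the Vault docs), a POSIX sh wrapper around the steps above: it checks `rotation_period` against the 5-second floor before creating a static role, and rotates a role through the `rotate-role` endpoint before deleting it, since deletion alone does not rotate the password. `VAULT_BIN` and `MOUNT` are assumed overrides; `vault delete` on the role path follows the CLI's usual path convention.

```shell
#!/bin/sh
# Added helper (not part of the Vault docs) wrapping the steps above.
# VAULT_BIN and MOUNT are assumed overrides; set VAULT_BIN=echo for a dry run.
set -eu

VAULT_BIN="${VAULT_BIN:-vault}"
MOUNT="${MOUNT:-openldap}"
MIN_ROTATION_SECONDS=5   # floor enforced by the static role (see text)

# Convert a Vault-style duration ("24h", "30m", "5s", or bare seconds) to
# seconds. Compound values such as "1h30m" are rejected to keep parsing strict.
duration_seconds() {
  d=$1
  case "$d" in
    ''|*[!0-9]*[!0-9]*) return 1 ;;   # empty, or more than one non-digit
    *h) n=${d%h}; unit=3600 ;;
    *m) n=${d%m}; unit=60 ;;
    *s) n=${d%s}; unit=1 ;;
    *[!0-9]*) return 1 ;;             # a single non-digit that is not h/m/s
    *) n=$d; unit=1 ;;
  esac
  [ -n "$n" ] || return 1             # unit letter with no number ("h")
  n=${n#"${n%%[!0]*}"}; n=${n:-0}     # strip leading zeros so $(( )) is not octal
  echo $(( n * unit ))
}

# Reject a rotation_period below the engine's minimum; print it in seconds.
check_rotation_period() {
  secs=$(duration_seconds "$1") || { echo "bad rotation_period: $1" >&2; return 1; }
  [ "$secs" -ge "$MIN_ROTATION_SECONDS" ] || {
    echo "rotation_period $1 is below ${MIN_ROTATION_SECONDS}s" >&2; return 1; }
  echo "$secs"
}

# Setup step: create the static role only once the period has been validated.
create_static_role() {
  role=$1 dn=$2 user=$3 period=$4
  check_rotation_period "$period" >/dev/null || return 1
  "$VAULT_BIN" write "$MOUNT/static-role/$role" \
    dn="$dn" username="$user" rotation_period="$period"
}

# Deleting a static role does not rotate its password, so rotate via the
# rotate-role endpoint first and only then remove the role.
delete_static_role() {
  role=$1
  "$VAULT_BIN" write -f "$MOUNT/rotate-role/$role" &&
    "$VAULT_BIN" delete "$MOUNT/static-role/$role"
}
```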