Skip to content

Latest commit

 

History

History
89 lines (62 loc) · 2.62 KB

index.mdx

File metadata and controls

89 lines (62 loc) · 2.62 KB
Raw
layout page_title sidebar_title description
docs
OpenLDAP - Secrets Engine
OpenLDAP
The OpenLDAP secret engine manages OpenLDAP entry passwords.

OpenLDAP Secrets Engine

The OpenLDAP secret engine allows management of LDAP entry passwords. At this time only existing LDAP entries are supported by this plugin.

This plugin currently supports LDAP v3.

Quick Setup

  1. Enable the OpenLDAP secret engine:

    $ vault secrets enable openldap

    By default, the secrets engine will mount at the name of the engine. To enable the secrets engine at a different path, use the -path argument.

  2. Configure the credentials that Vault uses to communicate with OpenLDAP to generate passwords:

    $ vault write openldap/config \
    binddn=$USERNAME \
    bindpass=$PASSWORD \
    url=ldaps://138.91.247.105

    Note: it's recommended a dedicated entry management account be created specfically for Vault.

  3. Rotate the root password so only Vault knows the credentials:

    $ vault write -f openldap/rotate-root

    Note: it's not possible to retrieve the generated password once rotated by Vault.
    It's recommended a dedicated entry management account be created specfically for Vault.

  4. Configure a static role that maps a name in Vault to an entry in OpenLDAP.
    Password rotation settings will be managed by this role.

    $ vault write openldap/static-role/hashicorp \
    dn='uid=hashicorp,ou=users,dc=hashicorp,dc=com' \
    username='hashicorp' \
    rotation_period="24h"

  5. Request credentials for the "hashicorp" role:

    $ vault read openldap/static-role/hashicorp

Password Rotation

Passwords can be managed in two ways:

  • automatic time based rotation, and
  • manual rotation.

Auto Password Rotation

Passwords will automatically be rotated based on the rotation_period configured in the static role (minimum of 5 seconds). When requesting credentials for a static role, the response will include the time before the next rotation (ttl).

Auto-rotation is currently only supported for static roles. The binddn account used by Vault should be rotated using the rotate-root endpoint to generate a password only Vault will know.

Manual Rotation

Static roles can be manually rotated using the rotate-role endpoint. When manually rotated the rotation period will start over.

Deleting Static Roles

Passwords are not rotated upon deletion of a static role. The password should be manually rotated prior to deleting the role or revoking access to the static role.