Hi Team,
I'm facing an issue where the LDAP auth login token TTL is causing leases from my secret engine (Library, for service account password checkout) to expire much earlier than their configured TTL.
My setup:
- LDAP auth method → login token TTL = 10 minutes
- Library (custom LDAP secret engine) for checkout of service account credentials →
  - ttl = 8h
  - max_ttl = 24h
Expected behavior:
A lease issued by the Library should remain valid for its entire TTL (8 hours) regardless of the login token TTL.
Actual behavior:
Even though the Library lease is configured for 8 hours, it gets revoked in ~10 minutes, matching the LDAP login token TTL.
vault lease lookup shows the lease disappeared immediately after the login token expired.
Sample Log:
{
  "@level": "info",
  "@message": "revoked lease",
  "@module": "expiration",
  "@timestamp": "2025-11-16T16:20:31.965685+05:30",
  "lease_id": "auth/ldap/login/itadmin/he9abc762cabe9f5838"
}
{
  "@level": "info",
  "@message": "revoked lease",
  "@module": "expiration",
  "@timestamp": "2025-11-16T16:20:32.006707+05:30",
  "lease_id": "SVC-LDAP/library/fetch_svc/check-out/0oYZtnwpWt3aulxrPMM4w"
}
Question:
Is there a Vault-supported way to ensure that:
- the LDAP login token TTL remains short (10 min)
- secret engine leases (from Library) honor their own TTL (8 hours)
If this is expected behavior, is there a recommended pattern to prevent library leases from being revoked when the LDAP login token expires?
Thanks in advance!
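The two log records in the post show the Library check-out lease being revoked about 41 ms after the token's own lease. Vault revokes every lease a token created when that token's lease is revoked, so that pattern is a cascading revocation. The script below is an added example, not code from the post or from Vault: it parses `revoked lease` records from Vault's JSON log and flags secret leases revoked within a short window after an `auth/` lease. The embedded log lines are the two from the post; the assumption that token leases start with `auth/` and everything else is a secret lease, and the 5-second window, are choices made here for illustration.

```python
"""Correlate Vault 'revoked lease' log records to spot secret leases that were
revoked right after the auth token lease that created them.

Added example; not part of the original post and not Vault's own code.
"""
import json
from datetime import datetime, timedelta

# The two records posted above, reformatted to one JSON object per line.
SAMPLE_LOG = """\
{"@level":"info","@message":"revoked lease","@module":"expiration","@timestamp":"2025-11-16T16:20:31.965685+05:30","lease_id":"auth/ldap/login/itadmin/he9abc762cabe9f5838"}
{"@level":"info","@message":"revoked lease","@module":"expiration","@timestamp":"2025-11-16T16:20:32.006707+05:30","lease_id":"SVC-LDAP/library/fetch_svc/check-out/0oYZtnwpWt3aulxrPMM4w"}
"""


def is_auth_lease(lease_id):
    """Token leases live under auth/<mount>/login/...; treat anything else as
    a secret lease. Assumption made for this example, not a Vault API."""
    return lease_id.startswith("auth/")


def parse_revocations(text):
    """Return a time-ordered list of (timestamp, lease_id) for every
    'revoked lease' record emitted by the expiration manager."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("@module") != "expiration" or rec.get("@message") != "revoked lease":
            continue
        # fromisoformat keeps the +05:30 offset, so comparisons are timezone-aware.
        ts = datetime.fromisoformat(rec["@timestamp"])
        out.append((ts, rec["lease_id"]))
    out.sort()
    return out


def find_cascades(revocations, window=timedelta(seconds=5)):
    """Pair each auth lease revocation with the secret leases revoked within
    `window` after it. A tight cluster like this is what it looks like when a
    token expires and Vault revokes the leases that token created."""
    cascades = []
    for i, (ts, lease_id) in enumerate(revocations):
        if not is_auth_lease(lease_id):
            continue
        children = [
            child for (child_ts, child) in revocations[i + 1:]
            if not is_auth_lease(child) and timedelta(0) <= child_ts - ts <= window
        ]
        if children:
            cascades.append({
                "auth_lease": lease_id,
                "revoked_at": ts.isoformat(),
                "secret_leases": children,
            })
    return cascades


if __name__ == "__main__":
    for cascade in find_cascades(parse_revocations(SAMPLE_LOG)):
        print("token lease", cascade["auth_lease"], "revoked at", cascade["revoked_at"])
        for child in cascade["secret_leases"]:
            print("  took secret lease with it:", child)
```

To use it against a real server, feed the JSON-formatted Vault log into `parse_revocations` instead of `SAMPLE_LOG`; a hit means the secret lease ended because its parent token did, not because its own `ttl` ran out.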