LDAP secrets engine bindpass password policy

Is it possible to configure a password policy for the LDAP secrets engine bindpass to guide the rotate-root command?

A quick look at the code suggests that there is one password policy configurable for the entire LDAP secrets engine, used for all password generation, including rotate-root.

I had a policy I was already using for dynamic roles with the LDAP secrets engine that was added using:

vault write sys/policies/password/ldap policy=@password-policy-ldap.hcl

After reconfiguring the LDAP secrets engine by:

vault write ldap/config password_policy="ldap"

I was no longer able to rotate passwords; the domain controller rejected the attempt.

After recreating the secrets engine and specifying the original configuration with the password_policy included, I was able to rotate the password.

Was the way I updated the secrets engine incorrect?

Thank you.

One of the less welcome design elements in Vault is a lack of a consistent approach to incrementally updating configurations. What I mean by that is that different endpoints have different behaviours:

  • Some of them require the complete configuration (all key-value pairs not set to defaults) to be specified every time you use vault write.

  • Others implement some kind of individual endpoint-specific merging behaviour, allowing vault write to update individual settings, whilst preserving others at the existing values.

  • Still others support both vault write for a full overwrite, and vault patch for individual setting adjustment.

The exact behaviour of each endpoint is not always clearly documented.

I imagine when you ran the command

vault write ldap/config password_policy="ldap"

you probably deleted all the configuration except the password policy.
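For an endpoint that treats `vault write` as a full overwrite, the safe way to change one setting is read-merge-write: read the current configuration, drop the empty values, apply the change, and write everything back. The added helper below illustrates that for `ldap/config`; it is an example written for this thread, not code from Vault or from either poster. The mount path `ldap`, the sample read output and the drop_keys parameter are constructed assumptions; check them against `vault read -format=json ldap/config` on your own Vault version. One caveat the example enforces: the read endpoint never returns bindpass, so it must be supplied again on every write. It is passed to the CLI as `bindpass=-` (read from stdin, as the `vault write` CLI documents) rather than on the command line, so the bind password does not show up in process listings or shell history.

```python
"""Read-merge-write helper for a full-overwrite Vault endpoint (ldap/config).

Example code for illustration, not part of Vault. The mount path, the
sample read output and drop_keys are constructed assumptions.
"""
import json
import subprocess
from typing import Iterable

# Constructed sample of `vault read -format=json ldap/config` output.
# Note: the real read endpoint never returns bindpass either.
SAMPLE_READ_OUTPUT = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000000",
    "data": {
        "binddn": "cn=vault,ou=svc,dc=example,dc=com",
        "url": "ldaps://dc.example.com",
        "userdn": "ou=users,dc=example,dc=com",
        "userattr": "sAMAccountName",
        "upndomain": "example.com",
        "schema": "ad",
        "insecure_tls": False,
        "starttls": True,
        "certificate": "",        # empty: must not be written back as certificate=
        "request_timeout": 90,
        "password_policy": "",    # the setting we want to change
    },
})


def load_read_output(text: str) -> dict:
    """Extract the `data` map from `vault read -format=json` output."""
    return json.loads(text)["data"]


def merge_config(existing: dict, changes: dict, drop_keys: Iterable[str] = ()) -> dict:
    """Keep every non-empty existing value, drop listed keys, apply the changes.

    drop_keys is for read-only fields your Vault version reports but does not
    accept on write (constructed parameter; inspect your read output to fill it).
    """
    merged = {
        k: v for k, v in existing.items()
        if v not in (None, "", []) and k not in set(drop_keys)
    }
    merged.update(changes)
    return merged


def to_cli_value(value) -> str:
    """Render a JSON value the way the Vault CLI expects it in key=value form."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, list):
        return ",".join(str(x) for x in value)
    return str(value)


def plan_update(mount: str, existing: dict, changes: dict, bindpass: str,
                drop_keys: Iterable[str] = ()) -> tuple[list[str], str]:
    """Build the full `vault write <mount>/config ...` argv plus the stdin payload.

    Returns (argv, stdin_text). bindpass is mandatory because the read endpoint
    does not return it, so a read-merge-write cannot recover it.
    """
    if not bindpass:
        raise ValueError("bindpass is required: it is not returned by the read "
                         "endpoint and would be lost by a full overwrite")
    merged = merge_config(existing, changes, drop_keys)
    merged.pop("bindpass", None)            # never put the secret on argv
    argv = ["vault", "write", f"{mount}/config"]
    argv += [f"{k}={to_cli_value(v)}" for k, v in sorted(merged.items())]
    argv.append("bindpass=-")               # '-' tells the CLI to read the value from stdin
    return argv, bindpass


def apply_update(mount: str, changes: dict, bindpass: str,
                 drop_keys: Iterable[str] = ()) -> list[str]:
    """Run the read-merge-write against a live Vault (requires the vault CLI and a token)."""
    raw = subprocess.run(["vault", "read", "-format=json", f"{mount}/config"],
                         check=True, capture_output=True, text=True).stdout
    argv, stdin_text = plan_update(mount, load_read_output(raw), changes, bindpass, drop_keys)
    subprocess.run(argv, input=stdin_text, check=True, text=True)  # no shell, no argv secret
    return argv


if __name__ == "__main__":
    # Offline demonstration on the constructed sample: add password_policy=ldap
    # while keeping url, binddn and the rest of the existing configuration.
    data = load_read_output(SAMPLE_READ_OUTPUT)
    argv, _ = plan_update("ldap", data, {"password_policy": "ldap"}, bindpass="<constructed>")
    print(" ".join(argv))
```

Running the script prints the complete write command it would issue; `apply_update` performs the same steps against a live Vault. The point to take from it is the one the answer makes: the command that reaches the endpoint carries url, binddn, userdn and every other existing value, not just the one key being changed.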

Thank you so much for all the guidance @maxb!