Is it possible to configure a password policy for the LDAP secrets engine
bindpass to guide the
A quick look at the code suggests that there is one password policy configurable for the entire LDAP secrets engine, used for all password generation, including
I had a policy I was already using for dynamic roles with the LDAP secrets engine that was added using:
vault write sys/policies/password/ldap email@example.com
After reconfiguring the LDAP secrets engine by:
vault write ldap/config password_policy="ldap"
I was no longer able to rotate passwords, the domain controller rejected the attempt.
After recreating the secrets engine and specifying the original configuration with the
password_policy included, I was able to rotate the password.
Was the way I updated the secrets engine incorrect?
One of the less welcome design elements in Vault, is a lack of consistent approach to incrementally updating configurations. What I mean by that, is that different endpoints have different behaviours:
- Some of them require the complete configuration (all key-value pairs not set to defaults) to be specified every time you use
- Others implement some kind of individual endpoint-specific merging behaviour, allowing vault write to update individual settings, whilst preserving others at the existing values.
- Still others support both vault write for a full overwrite, and vault patch for individual setting adjustment.
The exact behaviour of each endpoint is not always clearly documented.
I imagine when you ran the command
you probably deleted all the configuration except the password policy.
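A read-modify-write update sidesteps the question of whether a given config endpoint merges or overwrites: read the current settings, apply the one change, write the whole thing back, then read again and confirm nothing else moved. The script below is an added example for this thread, not code from Vault or from either poster. It assumes the LDAP secrets engine is mounted at ldap/, that VAULT_ADDR and VAULT_TOKEN are set, and that bindpass is the only field the read omits (Vault does not return secrets on a config read, so the caller must resupply it). FakeVault and the sample config are constructed for illustration; it models an endpoint where a write replaces the whole config.

```python
"""Read-modify-write update of a Vault config endpoint (added example).

Assumptions: LDAP secrets engine at ldap/, VAULT_ADDR and VAULT_TOKEN set,
bindpass is the only write-only field. FakeVault is a constructed stand-in.
"""
import json
import os
import urllib.request
from typing import Any, Callable, Dict, Optional

# transport(method, api_path, json_body_or_None) -> decoded JSON response (or {})
Transport = Callable[[str, str, Optional[Dict[str, Any]]], Dict[str, Any]]


def http_transport(method: str, path: str, body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    """Talk to a real Vault over its HTTP API (/v1/<path>)."""
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        addr + "/v1/" + path, data=data, method=method,
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"],
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}  # POST usually answers 204 / empty body


def merged_config(existing: Dict[str, Any], changes: Dict[str, Any],
                  secrets: Dict[str, Any]) -> Dict[str, Any]:
    """Full config to write back: existing values, overridden by changes, plus the
    write-only secrets a read never returns. Refuse to proceed if one is missing,
    otherwise the rewrite would silently drop it."""
    missing = [k for k, v in secrets.items() if v is None]
    if missing:
        raise ValueError(f"write-only fields must be supplied: {missing}")
    return {**existing, **changes, **secrets}


def update_config(path: str, changes: Dict[str, Any], secrets: Dict[str, Any],
                  transport: Transport = http_transport) -> Dict[str, Any]:
    """Change only `changes`, whatever the endpoint's merge semantics are."""
    existing = transport("GET", path, None).get("data", {})
    transport("POST", path, merged_config(existing, changes, secrets))
    # Verify: every pre-existing key we did not touch must read back unchanged.
    readback = transport("GET", path, None).get("data", {})
    lost = {k: v for k, v in existing.items()
            if k not in changes and readback.get(k) != v}
    if lost:
        raise RuntimeError(f"settings changed unexpectedly: {lost}")
    return readback


def naive_update(path: str, changes: Dict[str, Any], transport: Transport) -> Dict[str, Any]:
    """What `vault write ldap/config password_policy=ldap` amounts to against a
    full-overwrite endpoint: only the supplied keys survive."""
    transport("POST", path, changes)
    return transport("GET", path, None).get("data", {})


class FakeVault:
    """Constructed stand-in: a write replaces the whole config, a read omits bindpass."""

    def __init__(self, config: Dict[str, Any]) -> None:
        self.config = dict(config)

    def __call__(self, method: str, path: str, body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
        if method == "GET":
            return {"data": {k: v for k, v in self.config.items() if k != "bindpass"}}
        self.config = dict(body or {})  # full overwrite, no merging
        return {}


# Constructed sample config, not from the original post.
SAMPLE = {"binddn": "cn=vault,dc=example,dc=com", "bindpass": "s3cret",
          "url": "ldaps://ldap.example.com", "schema": "ad"}


def demo_safe() -> Dict[str, Any]:
    """Set password_policy while keeping binddn/url/schema and the bind password."""
    vault = FakeVault(SAMPLE)
    update_config("ldap/config", {"password_policy": "ldap"},
                  {"bindpass": SAMPLE["bindpass"]}, transport=vault)
    return vault.config  # what the engine now holds, bindpass included


def demo_naive() -> Dict[str, Any]:
    """The overwrite failure mode: binddn, url, schema and bindpass are gone."""
    return naive_update("ldap/config", {"password_policy": "ldap"}, FakeVault(SAMPLE))


if __name__ == "__main__":
    print("safe :", demo_safe())
    print("naive:", demo_naive())
```

Against a real server, swap `FakeVault` for the default `http_transport` and pass the bind password from a secure source rather than a literal; the post-write verification is the part worth keeping whichever way the endpoint behaves, because it catches an overwrite before the next rotation fails at the domain controller.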
Thank you so much for all the guidance @maxb!