Hello,

Is it possible to configure a password policy for the LDAP secrets engine bindpass to guide the rotate-root command?
A quick look at the code suggests that there is one password policy configurable for the entire LDAP secrets engine, used for all password generation, including rotate-root.
Hi,
I had a policy I was already using for dynamic roles with the LDAP secrets engine that was added using:
vault write sys/policies/password/ldap policy=@password-policy-ldap.hcl
After reconfiguring the LDAP secrets engine by:
vault write ldap/config password_policy="ldap"
I was no longer able to rotate passwords, the domain controller rejected the attempt.
After recreating the secrets engine and specifying the original configuration with the password_policy included, I was able to rotate the password.
Was the way I updated the secrets engine incorrect?
Thank you.
One of the less welcome design elements in Vault is a lack of a consistent approach to incrementally updating configurations. What I mean by that is that different endpoints have different behaviours:

- Some of them require the complete configuration (all key-value pairs not set to defaults) to be specified every time you use vault write.
- Others implement some kind of individual endpoint-specific merging behaviour, allowing vault write to update individual settings, whilst preserving others at the existing values.
- Still others support both vault write for a full overwrite, and vault patch for individual setting adjustment.
The exact behaviour of each endpoint is not always clearly documented.
I imagine when you ran the command you probably deleted all the configuration except the password policy.
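Added example (not code from this thread or from Vault itself): a small Python helper that applies the read-merge-write pattern maxb describes, so that adding one key such as password_policy does not drop the rest of the configuration on an endpoint that treats every write as a full overwrite. It assumes, as the post above does, that ldap/config behaves that way; it also assumes that bindpass is accepted on write but not returned on read, so it must be re-supplied by the caller (the WRITE_ONLY_FIELDS tuple encodes that assumption). The SAMPLE_READ_DATA dict is a constructed stand-in for a read response, and the LDAP_BINDPASS environment variable is hypothetical; VAULT_ADDR, VAULT_TOKEN, the X-Vault-Token header and the /v1/<mount>/config paths are Vault's own.

```python
"""Read-merge-write for a Vault config endpoint that treats every `write`
as a full overwrite. Hypothetical helper for this thread, not part of Vault."""
import json
import os
import urllib.request

# Parameters the ldap/config endpoint accepts on write but does not return on
# read (assumption for this example; bindpass is the one that matters here).
WRITE_ONLY_FIELDS = ("bindpass",)

# Constructed sample of what `vault read -format=json ldap/config` might return
# under "data"; used so the script runs offline. Not a real server response.
SAMPLE_READ_DATA = {
    "url": "ldaps://dc01.example.test",
    "binddn": "CN=vault,OU=svc,DC=example,DC=test",
    "userdn": "OU=users,DC=example,DC=test",
    "schema": "ad",
    "password_policy": "",
}


def dropped_keys(existing, proposed):
    """Keys present in the current config but absent from the proposed write.
    On a full-overwrite endpoint these silently revert to their defaults."""
    return sorted(k for k in existing if k not in proposed)


def merge_config(existing, changes, write_only):
    """Build the complete payload: current values, overridden by `changes`,
    plus write-only secrets that a read cannot supply.

    Refuses to proceed if a write-only field is missing: posting without
    bindpass is exactly how a previously working config gets wiped."""
    missing = [k for k in WRITE_ONLY_FIELDS if k not in write_only]
    if missing:
        raise ValueError(f"write-only fields must be re-supplied: {missing}")
    merged = dict(existing)
    merged.update(changes)
    merged.update(write_only)
    return merged


def _vault(method, path, body=None):
    """Minimal Vault HTTP call using VAULT_ADDR / VAULT_TOKEN."""
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    req = urllib.request.Request(
        f"{addr}/v1/{path}",
        data=json.dumps(body).encode() if body is not None else None,
        method=method,
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"],
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    # A successful POST returns 204 with an empty body; a response carrying
    # only warnings has "data": null. Either way there is nothing to return.
    return (json.loads(raw).get("data") or {}) if raw else {}


def update_config(mount, changes, write_only):
    """Safe equivalent of `vault write <mount>/config key=value`:
    read the current config, merge, then write the whole thing back."""
    existing = _vault("GET", f"{mount}/config")
    payload = merge_config(existing, changes, write_only)
    _vault("POST", f"{mount}/config", payload)
    return payload


if __name__ == "__main__":
    changes = {"password_policy": "ldap"}
    # What a bare `vault write ldap/config password_policy="ldap"` would drop
    # if the endpoint overwrites rather than merges:
    print("naive write would drop:", dropped_keys(SAMPLE_READ_DATA, changes))
    if os.environ.get("VAULT_ADDR") and os.environ.get("VAULT_TOKEN"):
        # LDAP_BINDPASS is a hypothetical variable for this example.
        print(update_config("ldap", changes,
                            {"bindpass": os.environ["LDAP_BINDPASS"]}))
    else:
        print(json.dumps(merge_config(SAMPLE_READ_DATA, changes,
                                      {"bindpass": "<re-supplied>"}), indent=2))
```

Run it without VAULT_ADDR set to see, offline, which keys the one-line write would have discarded and what the full payload looks like; with VAULT_ADDR, VAULT_TOKEN and the bind password exported it performs the read, merge and write against a live server. Checking dropped_keys before writing is the step that would have flagged the problem in the thread before the domain controller did.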
Thank you so much for all the guidance @maxb!