Rotate passwords for Test Users

We have a use case where we have a dozen test users in AD that our developers use from time to time to test functionality of apps they’ve recently deployed. We’d like to use Vault to rotate the password for these test users.

Our requirements are:

  • A developer should “check out” a test user, so that it is reserved for that developer for a period of time.
  • The password for these test users should be managed by Vault, rotated automatically (whether that be on a schedule or upon checkout).

How would you recommend we implement this in Vault? Should we create a new LDAP secret engine dedicated to these test users? Is there a way to use paths within our existing LDAP engine so that these test users are separate from our service account (for ACL reasons)?

Depending on your security requirements, a separate LDAP secrets engine is not a bad option if you require strict separation between the test users and regular service account users.

And it sounds like you use service account check-out with your LDAP secrets engine:
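As an added illustration of the approach the reply above points at (a dedicated LDAP secrets engine plus the library check-out feature), here is a script that is not part of either post and not HashiCorp's own code. It assumes a hypothetical mount path `ldap-test`, an AD domain controller at `ldaps://dc01.example.com`, a bind account `vault-svc` whose reset-password rights are scoped to `OU=Test Users`, and three test users `testuser01`..`testuser03`; adjust all of those to your environment. The `setup` and `developer` actions need a reachable Vault and AD; the `policy` action only renders the HCL and runs offline.

```shell
#!/usr/bin/env sh
# Added example (not from the original thread, not HashiCorp code): a dedicated
# LDAP secrets engine for test users, a library set developers check out, and a
# policy that grants only check-out/check-in/status on that set.
# Assumed (hypothetical) names: mount "ldap-test", set "test-users", bind DN
# vault-svc, DC at ldaps://dc01.example.com, users testuser01..testuser03.
set -eu

MOUNT="${MOUNT:-ldap-test}"
SET="${SET:-test-users}"

# Render the Vault policy a developer token needs. Because policies are path
# based, this token cannot touch the existing "ldap/" mount at all, nor change
# the library set's definition; it can only borrow and return accounts.
testuser_policy() {
  mount="$1"; set_name="$2"
  cat <<EOF
# Reserve a test user for the requested ttl (capped by the set's max_ttl).
path "${mount}/library/${set_name}/check-out" {
  capabilities = ["update"]
}
# Return it early; Vault rotates the password on check-in.
path "${mount}/library/${set_name}/check-in" {
  capabilities = ["update"]
}
# See which accounts are free and which are currently borrowed.
path "${mount}/library/${set_name}/status" {
  capabilities = ["read"]
}
EOF
}

# One-time setup with an operator token (needs a live Vault and AD).
setup() {
  vault secrets enable -path="$MOUNT" ldap
  # A separate mount lets this engine bind with a narrower AD account than the
  # one managing real service accounts. BIND_PASS is read from the environment.
  vault write "$MOUNT/config" \
    binddn='CN=vault-svc,OU=Service Accounts,DC=example,DC=com' \
    bindpass="$BIND_PASS" \
    url='ldaps://dc01.example.com' \
    schema=ad \
    userdn='OU=Test Users,DC=example,DC=com'
  # The library set: every name must already exist in AD. ttl is the default
  # reservation, max_ttl the ceiling a developer may request; with check-in
  # enforcement on, an account stays reserved until its holder checks it in or
  # the lease expires, at which point Vault rotates the password.
  vault write "$MOUNT/library/$SET" \
    service_account_names='testuser01,testuser02,testuser03' \
    ttl=4h max_ttl=8h \
    disable_check_in_enforcement=false
  testuser_policy "$MOUNT" "$SET" | vault policy write test-user-checkout -
}

# What a developer does with a token that carries test-user-checkout.
developer_flow() {
  # Returns service_account_name and password for one free account.
  vault write "$MOUNT/library/$SET/check-out" ttl=2h
  vault read "$MOUNT/library/$SET/status"
  # Hand it back early: the password is rotated, so the value just seen is dead.
  vault write "$MOUNT/library/$SET/check-in" service_account_names=testuser01
}

case "${1:-}" in
  setup)     setup ;;
  developer) developer_flow ;;
  policy)    testuser_policy "$MOUNT" "$SET" ;;
esac
```

Run `sh script.sh policy` to inspect the rendered policy, `sh script.sh setup` once as an operator, and `sh script.sh developer` from a developer token. If you would rather keep one mount, the same policy works unchanged against a second library set under the existing engine (e.g. `ldap/library/test-users` next to `ldap/library/svc-accounts`), since the ACL separation comes from the path; what a second mount adds is the ability to bind with a different, less privileged AD account for the test users.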