hashicorp · schavis · Nov 24, 2025 · Nov 14, 2025 · Nov 14, 2025 · Nov 17, 2025
@@ -0,0 +1,138 @@
+---
+layout: docs
+page_title: Create a service account library
+description: >-
+  Create a library of LDAP service accounts that users and machines can check-out
+  as needed.
+---
+
+# Create a service account library
+
+Create a library of service accounts that users and machines can check out as
+needed. Vault automatically rotates the account password when clients return the
+service account to the library.
+
+
+## Before you start 
+
+- **Check your Vault permissions**. You must have permission to enable and
+  configure plugins in Vault.
+- **You must have an LDAP plugin configured for OpenLDAP or Active Directory**.
+  If you do not already have an LDAP plugin enabled, follow the
+  [setup guide](/vault/docs/secrets/ldap/setup).
+- **Create the library accounts on your LDAP server**. We highly recommend
+  creating a dedicated accounts for the library. 
+
+
+## Step 1: Create a library configuration file
+
+For easier maintenance and reuse, create a JSON file `library.json`, with the
+credential library configuration details.
+
+```json
+{
+  "service_account_names":         "<list_of_LDAP_accounts>",
+  "ttl":                           "<default_checkout_period>",
+  "max_ttl":                       "<max_allowed_checkout_period>",
+  "disable_check_in_enforcement":  "false"
+}
+```
+
+For example:
+
+```json
+{
+  "service_account_names":         "[email protected],[email protected]",
+  "ttl":                           "10h",
+  "max_ttl":                       "24h",
+  "disable_check_in_enforcement":  "false"
+}
+```
+
+the following configuration file:
+
+- defines the set of accounts in the library as `[email protected]` and `[email protected]`
+- sets a default checkout time of 10 hours
+- disallows renewals after 24 hours
+- requires that the same Vault entity or client token checking out a service
+  account also be the one to check the account back into the library.
+
+<Tip>
+
+  If your workflow uses a clean up process such that the client returning the
+  service account regularly uses a different token than the client checking the
+  account out, set `disable_check_in_enforcement=true`.
+
+</Tip>
+
+
+
+## Step 2: Configure the plugin
+
+Apply the libray configuration file to your plugin.
+
+<Tabs>
+
+<Tab heading="CLI" group="cli">
+
+@include 'ldap/create-library/cli.mdx'
+
+</Tab>
+
+<Tab heading="API" group="api">
+
+@include 'ldap/create-library/api.mdx'
+
+</Tab>
+
+</Tabs>
+
+
+
+## Step 3: Verify the service account settings
+
+To verify the library settings, view the set status.
+
+<Tabs>
+
+<Tab heading="CLI" group="cli">
+
+@include 'ldap/view-library/cli.mdx'
+
+</Tab>
+
+<Tab heading="API" group="api">
+
+@include 'ldap/view-library/api.mdx'
+
+</Tab>
+
+</Tabs>
+
+
+
+## Step 3: Test the check-out process 
+
+To test the connection between Vault and your LDAP server, try checking out
+and returning a service account.
+
+
+<Tabs>
+
+<Tab heading="CLI" group="cli">
+
+@include 'ldap/account-checkout/cli.mdx'
+
+@include 'ldap/account-checkin/cli.mdx'
+
+</Tab>
+
+<Tab heading="API" group="api">
+
+@include 'ldap/account-checkout/api.mdx'
+
+@include 'ldap/account-checkin/api.mdx'
+
+</Tab>
+
+</Tabs>
@@ -0,0 +1,38 @@
+---
+layout: docs
+page_title: Check in a service account
+description: >-
+  Return a service account previously checked out from an LDAP library
+---
+
+# Check in a service account
+
+Return a service account previously checked out from a previously configured
+LDAP library.
+
+<Tip title="Assumptions">
+
+- You have [set up an `ldap` plugin](/vault/docs/secrets/ldap/setup).
+- You have [created an LDAP account library](/vault/docs/secrets/ldap/account-library).
+
+</Tip>
+
+
+Returing a service account to the library tells Vault to rotate the associated
+password.
+
+<Tabs>
+
+<Tab heading="CLI" group="cli">
+
+@include 'ldap/account-checkin/cli.mdx'
+
+</Tab>
+
+<Tab heading="API" group="api">
+
+@include 'ldap/account-checkin/api.mdx'
+
+</Tab>
+
+</Tabs>
@@ -0,0 +1,39 @@
+---
+layout: docs
+page_title: Check out a service account
+description: >-
+  Check out a service account from an LDAP library
+---
+
+# Check out a service account
+
+The LDAP secrets plugin lets clients check out service accounts from a
+previously configured LDAP library.
+
+<Tip title="Assumptions">
+
+- You have [set up an `ldap` plugin](/vault/docs/secrets/ldap/setup).
+- You have [created an LDAP account library](/vault/docs/secrets/ldap/account-library).
+
+</Tip>
+
+
+<Tabs>
+
+<Tab heading="CLI" group="cli">
+
+@include 'ldap/account-checkout/cli.mdx'
+
+@include 'ldap/account-checkin/cli.mdx'
+
+</Tab>
+
+<Tab heading="API" group="api">
+
+@include 'ldap/account-checkout/api.mdx'
+
+@include 'ldap/account-checkin/api.mdx'
+
+</Tab>
+
+</Tabs>
@@ -0,0 +1,39 @@
+---
+layout: docs
+page_title: Extend a service account lease
+description: >-
+  Extend a service account lease to avoid rotating the associated password.
+---
+
+# Extend a service account lease
+
+The LDAP secrets plugin lets clients extend the lease for checked out service
+accounts as long as the renewal does not violate the maximum TTL of the service
+account.
+
+<Tip title="Assumptions">
+
+- You have [set up an `ldap` plugin](/vault/docs/secrets/ldap/setup).
+- You have [created an LDAP account library](/vault/docs/secrets/ldap/account-library).
+- You know the full lease ID for the service account from the original account
+  checkout.
+
+</Tip>
+
+To extend a check-out so the current password lives longer, renew its lease.
+
+<Tabs>
+
+<Tab heading="CLI" group="cli">
+
+@include 'ldap/extend-lease/cli.mdx'
+
+</Tab>
+
+<Tab heading="API" group="api">
+
+@include 'ldap/extend-lease/api.mdx'
+
+</Tab>
+
+</Tabs>
@@ -0,0 +1,37 @@
+---
+layout: docs
+page_title: Revoke a service account lease
+description: >-
+  Force the return of a service account and rotate the associated password.
+---
+
+# Revoke a service account lease
+
+The LDAP secrets plugin lets operators revoke the lease for checked out service
+account to force a password rotation.
+
+<Tip title="Assumptions">
+
+- You have [set up an `ldap` plugin](/vault/docs/secrets/ldap/setup).
+- You have [created an LDAP account library](/vault/docs/secrets/ldap/account-library).
+- You know the full lease ID for the service account from the original account
+  checkout.
+
+</Tip>
+
+
+<Tabs>
+
+<Tab heading="CLI" group="cli">
+
+@include 'ldap/revoke-lease/cli.mdx'
+
+</Tab>
+
+<Tab heading="API" group="api">
+
+@include 'ldap/revoke-lease/api.mdx'
+
+</Tab>
+
+</Tabs>
@@ -0,0 +1,65 @@
+---
+layout: docs
+page_title: Hash LDAP passwords
+description: >-
+  Hash LDAP passwords
+---
+
+# Hash LDAP passwords
+
+The LDAP secret engine does not hash or encrypt passwords before modifying
+values in LDAP, which can lead to plaintext passwords on your LDAP server.
+
+<Tip title="Assumptions">
+
+- You have permission to update your LDAP server.
+- You know the data information tree (DIT) assocaited with your `ldap` plugin.
+
+</Tip>
+
+We recommend configuring your LDAP server with an LDAP password policy that
+hashes passwords by default on the DIT used by your plugin:
+
+<CodeBlockConfig highlight="11">
+
+```
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: ppolicy
+
+dn: olcOverlay={2}ppolicy,olcDatabase={1}mdb,cn=config
+changetype: add
+objectClass: olcPPolicyConfig
+objectClass: olcOverlayConfig
+olcOverlay: {2}ppolicy
+olcPPolicyDefault: cn=default,ou=pwpolicies,<ldap_plugin_dit>
+olcPPolicyForwardUpdates: FALSE
+olcPPolicyHashCleartext: TRUE
+olcPPolicyUseLockout: TRUE
+```
+
+</CodeBlockConfig>
+
+For example, to hash data on the `dc=hashicorp,dc=com` DIT:
+
+<CodeBlockConfig highlight="11">
+
+```
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: ppolicy
+
+dn: olcOverlay={2}ppolicy,olcDatabase={1}mdb,cn=config
+changetype: add
+objectClass: olcPPolicyConfig
+objectClass: olcOverlayConfig
+olcOverlay: {2}ppolicy
+olcPPolicyDefault: cn=default,ou=pwpolicies,dc=hashicorp,dc=com
+olcPPolicyForwardUpdates: FALSE
+olcPPolicyHashCleartext: TRUE
+olcPPolicyUseLockout: TRUE
+```
+
+</CodeBlockConfig>