[VAULT] Update LDAP docs

content/vault/v1.21.x/content/docs/secrets/ldap/cookbook/create-static-roles.mdx

@@ -0,0 +1,58 @@
+---
+layout: docs
+page_title: Create static LDAP roles
+description: >-
+   Map a named Vault role to an entry in your LDAP server.
+---
+
+# Create static LDAP roles
+
+Configure static roles to map names in Vault to LDAP entries and use the
+rotation settings to manage credentials automatically with the role.
+
+<Tip title="Assumptions">
+
+- You have [set up an `ldap` plugin](/vault/docs/secrets/ldap/setup). 
+- You have permission to update roles in Vault.
+- You have permission to make `POST` calls to the `ldap` plugin.
+
+</Tip>
+
+1. Create a configuration file, `ldap-role.json` with your role settings:
+
+   @include 'ldap/example-config/static-role/basic.mdx'
+
+1. Save the new role.
+   <Tabs>
+
+   <Tab heading="CLI" group="cli">
+
+   @include 'ldap/create-static-role/cli.mdx'
+
+   </Tab>
+
+   <Tab heading="API" group="api">
+
+   @include 'ldap/create-static-role/api.mdx'
+
+   </Tab>
+
+   </Tabs>
+
+1. Confirm the role settings by requesting credentials from the plugin:
+
+   <Tabs>
+
+   <Tab heading="CLI" group="cli">
+
+   @include 'ldap/get-role-creds/cli.mdx'
+
+   </Tab>
+
+   <Tab heading="API" group="api">
+
+   @include 'ldap/get-role-creds/api.mdx'
+
+   </Tab>
+
+   </Tabs>

content/vault/v1.21.x/content/docs/secrets/ldap/cookbook/delete-static-roles.mdx

@@ -0,0 +1,61 @@
+---
+layout: docs
+page_title: Delete static LDAP roles
+description: >-
+   Delete a named Vault role currently mapped to an entry in your LDAP server.
+---
+
+# Delete static LDAP roles
+
+Vault does not rotate passwords when you delete a static role. We recommend
+manually rotating the mapped credentials before deleting the role or revoking
+access to the static role.
+
+<Tip title="Assumptions">
+
+- You have [set up an `ldap` plugin](/vault/docs/secrets/ldap/setup). 
+- You have permission to update roles in Vault.
+- You have permission to make `POST` calls to the `ldap` plugin.
+
+</Tip>
+
+1. Even for delete requests, the plugin expects all required parameters. You
+   can use the existing configuration file (if you created one) or create a
+   minimal version for the delete request.
+
+   @include 'ldap/example-config/static-role/minimal.mdx'
+
+1. Update the role.
+   <Tabs>
+
+   <Tab heading="CLI" group="cli">
+
+   @include 'ldap/delete-static-role/cli.mdx'
+
+   </Tab>
+
+   <Tab heading="API" group="api">
+
+   @include 'ldap/delete-static-role/api.mdx'
+
+   </Tab>
+
+   </Tabs>
+
+1. Confirm the role deletion by requesting credentials from the plugin:
+
+   <Tabs>
+
+   <Tab heading="CLI" group="cli">
+
+   @include 'ldap/get-role-creds/cli.mdx'
+
+   </Tab>
+
+   <Tab heading="API" group="api">
+
+   @include 'ldap/get-role-creds/api.mdx'
+
+   </Tab>
+
+   </Tabs>

content/vault/v1.21.x/content/docs/secrets/ldap/cookbook/disable-root-rotation.mdx

@@ -0,0 +1,71 @@
+---
+layout: docs
+page_title: Disable LDAP root credential rotation
+description: >-
+  temporarily disable root credential rotation in the LDAP secrets plugin.
+---
+
+# Disable LDAP root credential rotation
+
+You can temporarily disable root rotation with the
+[`disable_automated_rotation`](/vault/api-docs/secret/ldap#disable_automated_rotation)
+paramter in your plugin configuration. 
+
+If you use `rotation_period`, disabling rotation also resets the credential
+TTL.
+
+<Tip title="Assumptions">
+
+- You have [set up an `ldap` plugin](/vault/docs/secrets/ldap/setup). 
+- You have permission to update the plugin configuration.
+
+</Tip>
+
+1. Update your configuration to disable rotation:
+
+  <Tabs>
+
+  <Tab heading="OpenLDAP" group="openldap">
+
+  @include 'ldap/example-config/ad/disable-rotation.mdx'
+
+  </Tab>
+
+  <Tab heading="Active Directory" group="ad">
+
+  @include 'ldap/example-config/openldap/disable-rotation.mdx'
+
+  </Tab>
+
+  <Tab heading="RACF" group="racf">
+
+  @include 'ldap/example-config/racf/disable-rotation.mdx'
+
+  </Tab>
+
+  </Tabs>
+
+
+1. Apply the changes.
+
+  <Tabs>
+
+  <Tab heading="CLI" group="cli">
+
+  @include 'ldap/apply-config/cli.mdx'
+
+  </Tab>
+
+  <Tab heading="API" group="api">
+
+  @include 'ldap/apply-config/api.mdx'
+
+  </Tab>
+
+  <Tab heading="GUI" group="gui">
+
+  @include 'ldap/apply-config/gui.mdx'
+
+  </Tab>
+
+  </Tabs>

content/vault/v1.21.x/content/docs/secrets/ldap/cookbook/hash-passwords.mdx

@@ -0,0 +1,65 @@
+---
+layout: docs
+page_title: Hash LDAP passwords
+description: >-
+  Hash LDAP passwords
+---
+
+# Hash LDAP passwords
+
+The LDAP secret engine does not hash or encrypt passwords before modifying
+values in LDAP, which can lead to plaintext passwords on your LDAP server.
+
+<Tip title="Assumptions">
+
+- You have permission to update your LDAP server.
+- You know the data information tree (DIT) assocaited with your `ldap` plugin.
+
+</Tip>
+
+We recommend configuring your LDAP server with an LDAP password policy that
+hashes passwords by default on the DIT used by your plugin:
+
+<CodeBlockConfig highlight="11">
+
+```
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: ppolicy
+
+dn: olcOverlay={2}ppolicy,olcDatabase={1}mdb,cn=config
+changetype: add
+objectClass: olcPPolicyConfig
+objectClass: olcOverlayConfig
+olcOverlay: {2}ppolicy
+olcPPolicyDefault: cn=default,ou=pwpolicies,<ldap_plugin_dit>
+olcPPolicyForwardUpdates: FALSE
+olcPPolicyHashCleartext: TRUE
+olcPPolicyUseLockout: TRUE
+```
+
+</CodeBlockConfig>
+
+For example, to hash data on the `dc=hashicorp,dc=com` DIT:
+
+<CodeBlockConfig highlight="11">
+
+```
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: ppolicy
+
+dn: olcOverlay={2}ppolicy,olcDatabase={1}mdb,cn=config
+changetype: add
+objectClass: olcPPolicyConfig
+objectClass: olcOverlayConfig
+olcOverlay: {2}ppolicy
+olcPPolicyDefault: cn=default,ou=pwpolicies,dc=hashicorp,dc=com
+olcPPolicyForwardUpdates: FALSE
+olcPPolicyHashCleartext: TRUE
+olcPPolicyUseLockout: TRUE
+```
+
+</CodeBlockConfig>

content/vault/v1.21.x/content/docs/secrets/ldap/cookbook/rotate-root-creds.mdx

@@ -0,0 +1,36 @@
+---
+layout: docs
+page_title: Manually rotate root LDAP credentials
+description: >-
+  Manually rotate root credentials in the LDAP secrets plugin.
+---
+
+# Manually rotate root LDAP credentials
+
+You can rotate root credential keys configured directly within the plugin.
+Rotating to a Vault-generated key makes the key value inaccessible to the
+operator and ensures only Vault can operate as a root user to manipulate dynamic
+and static credentials.
+
+<Tip title="Assumptions">
+
+- You have [set up an `ldap` plugin](/vault/docs/secrets/ldap/setup). 
+- You have permission to update LDAP credentials in Vault.
+
+</Tip>
+
+<Tabs>
+
+<Tab heading="CLI" group="cli">
+
+@include 'ldap/rotate-root/cli.mdx'
+
+</Tab>
+
+<Tab heading="API" group="api">
+
+@include 'ldap/rotate-root/api.mdx'
+
+</Tab>
+
+</Tabs>

content/vault/v1.21.x/content/docs/secrets/ldap/cookbook/rotate-static-roles.mdx

@@ -0,0 +1,34 @@
+---
+layout: docs
+page_title: Manually rotate static role credentials
+description: >-
+  Manually rotate credentials for static roles using the LDAP secrets plugin.
+---
+
+# Manually rotate static role credentials
+
+The LDAP secrets plugin can rotate LDAP credential for static roles configured
+the plugin.
+
+<Tip title="Assumptions">
+
+- You have [set up an `ldap` plugin](/vault/docs/secrets/ldap/setup). 
+- You have permission to update LDAP credentials in Vault.
+
+</Tip>
+
+<Tabs>
+
+<Tab heading="CLI" group="cli">
+
+@include 'ldap/rotate-creds/cli.mdx'
+
+</Tab>
+
+<Tab heading="API" group="api">
+
+@include 'ldap/rotate-creds/api.mdx'
+
+</Tab>
+
+</Tabs>