diff --git a/content/vault/v1.10.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.10.x/content/api-docs/auth/ldap.mdx index 1fd3376630..bcfef5fd36 100644 --- a/content/vault/v1.10.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.10.x/content/api-docs/auth/ldap.mdx @@ -60,8 +60,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.10.x/content/docs/auth/ldap.mdx b/content/vault/v1.10.x/content/docs/auth/ldap.mdx index b9a7505515..14c4b411ad 100644 --- a/content/vault/v1.10.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.10.x/content/docs/auth/ldap.mdx 
@@ -126,7 +126,7 @@ There are two alternate methods of resolving the user object used to authenticat - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. @include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.11.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.11.x/content/api-docs/auth/ldap.mdx index 45bea94e52..edc02cc83e 100644 --- a/content/vault/v1.11.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.11.x/content/api-docs/auth/ldap.mdx 
@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.11.x/content/docs/auth/ldap.mdx b/content/vault/v1.11.x/content/docs/auth/ldap.mdx index 6d5ab2f1c3..6b3d77a42c 100644 --- a/content/vault/v1.11.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.11.x/content/docs/auth/ldap.mdx 
@@ -128,7 +128,7 @@ There are two alternate methods of resolving the user object used to authenticat - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. @include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.12.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.12.x/content/api-docs/auth/ldap.mdx index 45bea94e52..edc02cc83e 100644 --- a/content/vault/v1.12.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.12.x/content/api-docs/auth/ldap.mdx 
@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.12.x/content/docs/auth/ldap.mdx b/content/vault/v1.12.x/content/docs/auth/ldap.mdx index 6d5ab2f1c3..6b3d77a42c 100644 --- a/content/vault/v1.12.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.12.x/content/docs/auth/ldap.mdx 
@@ -128,7 +128,7 @@ There are two alternate methods of resolving the user object used to authenticat - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. @include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.13.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.13.x/content/api-docs/auth/ldap.mdx index 2b7e066de9..9d0a8317e3 100644 --- a/content/vault/v1.13.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.13.x/content/api-docs/auth/ldap.mdx 
@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.13.x/content/docs/auth/ldap.mdx b/content/vault/v1.13.x/content/docs/auth/ldap.mdx index 3be8de89ca..82055bb81b 100644 --- a/content/vault/v1.13.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.13.x/content/docs/auth/ldap.mdx 
@@ -128,7 +128,7 @@ There are two alternate methods of resolving the user object used to authenticat - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. @include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.14.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.14.x/content/api-docs/auth/ldap.mdx index 064f6a731a..2cbabd16bc 100644 --- a/content/vault/v1.14.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.14.x/content/api-docs/auth/ldap.mdx 
@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.14.x/content/docs/auth/ldap.mdx b/content/vault/v1.14.x/content/docs/auth/ldap.mdx index 2b6e799eea..a91cb226fd 100644 --- a/content/vault/v1.14.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.14.x/content/docs/auth/ldap.mdx 
@@ -128,7 +128,7 @@ There are two alternate methods of resolving the user object used to authenticat - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. @include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.15.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.15.x/content/api-docs/auth/ldap.mdx index eec8772318..1dda4a1f71 100644 --- a/content/vault/v1.15.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.15.x/content/api-docs/auth/ldap.mdx 
@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.15.x/content/docs/auth/ldap.mdx b/content/vault/v1.15.x/content/docs/auth/ldap.mdx index 409af5e271..2e33e2ebd2 100644 --- a/content/vault/v1.15.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.15.x/content/docs/auth/ldap.mdx 
@@ -132,7 +132,7 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. @include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.16.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.16.x/content/api-docs/auth/ldap.mdx index eec8772318..1dda4a1f71 100644 --- a/content/vault/v1.16.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.16.x/content/api-docs/auth/ldap.mdx 
@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.16.x/content/docs/auth/ldap.mdx b/content/vault/v1.16.x/content/docs/auth/ldap.mdx index cead3960ef..baba84912e 100644 --- a/content/vault/v1.16.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.16.x/content/docs/auth/ldap.mdx 
@@ -132,7 +132,7 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. @include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.17.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.17.x/content/api-docs/auth/ldap.mdx index eec8772318..1dda4a1f71 100644 --- a/content/vault/v1.17.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.17.x/content/api-docs/auth/ldap.mdx 
@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.17.x/content/docs/auth/ldap.mdx b/content/vault/v1.17.x/content/docs/auth/ldap.mdx index cead3960ef..baba84912e 100644 --- a/content/vault/v1.17.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.17.x/content/docs/auth/ldap.mdx 
@@ -132,7 +132,7 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. @include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.18.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.18.x/content/api-docs/auth/ldap.mdx index eec8772318..1dda4a1f71 100644 --- a/content/vault/v1.18.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.18.x/content/api-docs/auth/ldap.mdx 
@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.18.x/content/docs/auth/ldap.mdx b/content/vault/v1.18.x/content/docs/auth/ldap.mdx index cead3960ef..baba84912e 100644 --- a/content/vault/v1.18.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.18.x/content/docs/auth/ldap.mdx 
@@ -132,7 +132,7 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. @include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.19.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.19.x/content/api-docs/auth/ldap.mdx index 02e518e536..33f9ed49db 100644 --- a/content/vault/v1.19.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.19.x/content/api-docs/auth/ldap.mdx 
@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.19.x/content/docs/auth/ldap.mdx b/content/vault/v1.19.x/content/docs/auth/ldap.mdx index 27dda923f6..03dca31732 100644 --- a/content/vault/v1.19.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.19.x/content/docs/auth/ldap.mdx 
@@ -132,7 +132,7 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. @include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.20.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.20.x/content/api-docs/auth/ldap.mdx index 02e518e536..33f9ed49db 100644 --- a/content/vault/v1.20.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.20.x/content/api-docs/auth/ldap.mdx 
@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.20.x/content/docs/auth/ldap.mdx b/content/vault/v1.20.x/content/docs/auth/ldap.mdx index 1082ade2a6..87ac4da924 100644 --- a/content/vault/v1.20.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.20.x/content/docs/auth/ldap.mdx 
@@ -134,7 +134,7 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. @include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.4.x/content/api-docs/auth/ldap/index.mdx b/content/vault/v1.4.x/content/api-docs/auth/ldap/index.mdx index 3e0a90df6f..8c716900c5 100644 --- a/content/vault/v1.4.x/content/api-docs/auth/ldap/index.mdx +++ b/content/vault/v1.4.x/content/api-docs/auth/ldap/index.mdx 
@@ -57,8 +57,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.4.x/content/docs/auth/ldap.mdx b/content/vault/v1.4.x/content/docs/auth/ldap.mdx index a4b7c05ead..517deac755 100644 --- a/content/vault/v1.4.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.4.x/content/docs/auth/ldap.mdx 
@@ -121,7 +121,7 @@ There are two alternate methods of resolving the user object used to authenticat - `discoverdn` (bool, optional) - If true, use anonymous bind to discover the bind DN of a user - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. #### Binding - User Principal Name (AD) diff --git a/content/vault/v1.5.x/content/api-docs/auth/ldap/index.mdx b/content/vault/v1.5.x/content/api-docs/auth/ldap/index.mdx index 0801e9ddc3..3b8bf67438 100644 --- a/content/vault/v1.5.x/content/api-docs/auth/ldap/index.mdx +++ b/content/vault/v1.5.x/content/api-docs/auth/ldap/index.mdx 
@@ -61,8 +61,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.5.x/content/docs/auth/ldap.mdx b/content/vault/v1.5.x/content/docs/auth/ldap.mdx index dae5bd04a9..a7a9f9f635 100644 --- a/content/vault/v1.5.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.5.x/content/docs/auth/ldap.mdx 
@@ -123,7 +123,7 @@ There are two alternate methods of resolving the user object used to authenticat - `discoverdn` (bool, optional) - If true, use anonymous bind to discover the bind DN of a user - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. #### Binding - User Principal Name (AD) diff --git a/content/vault/v1.6.x/content/api-docs/auth/ldap/index.mdx b/content/vault/v1.6.x/content/api-docs/auth/ldap/index.mdx index 0801e9ddc3..3b8bf67438 100644 --- a/content/vault/v1.6.x/content/api-docs/auth/ldap/index.mdx +++ b/content/vault/v1.6.x/content/api-docs/auth/ldap/index.mdx 
@@ -61,8 +61,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.6.x/content/docs/auth/ldap.mdx b/content/vault/v1.6.x/content/docs/auth/ldap.mdx index dae5bd04a9..a7a9f9f635 100644 --- a/content/vault/v1.6.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.6.x/content/docs/auth/ldap.mdx 
@@ -123,7 +123,7 @@ There are two alternate methods of resolving the user object used to authenticat - `discoverdn` (bool, optional) - If true, use anonymous bind to discover the bind DN of a user - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. #### Binding - User Principal Name (AD) diff --git a/content/vault/v1.7.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.7.x/content/api-docs/auth/ldap.mdx index 0801e9ddc3..3b8bf67438 100644 --- a/content/vault/v1.7.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.7.x/content/api-docs/auth/ldap.mdx 
@@ -61,8 +61,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.7.x/content/docs/auth/ldap.mdx b/content/vault/v1.7.x/content/docs/auth/ldap.mdx index dae5bd04a9..a7a9f9f635 100644 --- a/content/vault/v1.7.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.7.x/content/docs/auth/ldap.mdx 
@@ -123,7 +123,7 @@ There are two alternate methods of resolving the user object used to authenticat - `discoverdn` (bool, optional) - If true, use anonymous bind to discover the bind DN of a user - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. #### Binding - User Principal Name (AD) diff --git a/content/vault/v1.8.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.8.x/content/api-docs/auth/ldap.mdx index f00ddc24a4..af23a2e587 100644 --- a/content/vault/v1.8.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.8.x/content/api-docs/auth/ldap.mdx 
@@ -60,8 +60,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.8.x/content/docs/auth/ldap.mdx b/content/vault/v1.8.x/content/docs/auth/ldap.mdx index de701e8537..6611d8b712 100644 --- a/content/vault/v1.8.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.8.x/content/docs/auth/ldap.mdx 
@@ -122,7 +122,7 @@ There are two alternate methods of resolving the user object used to authenticat - `discoverdn` (bool, optional) - If true, use anonymous bind to discover the bind DN of a user - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. #### Binding - User Principal Name (AD) diff --git a/content/vault/v1.9.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.9.x/content/api-docs/auth/ldap.mdx index 28a27f448b..ded546cd2d 100644 --- a/content/vault/v1.9.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.9.x/content/api-docs/auth/ldap.mdx 
@@ -60,8 +60,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.9.x/content/docs/auth/ldap.mdx b/content/vault/v1.9.x/content/docs/auth/ldap.mdx index 95c8ec79eb..ab049213af 100644 --- a/content/vault/v1.9.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.9.x/content/docs/auth/ldap.mdx 
@@ -124,7 +124,7 @@ There are two alternate methods of resolving the user object used to authenticat - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. #### Binding - User Principal Name (AD)
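Review bot: In the api-docs hunks (the `deny_null_bind` `(bool: true)` bullet), the replacement text no longer says what is at risk when the option is turned off. The removed lines said the option "prevents users from bypassing authentication when providing an empty password"; the added lines only say that `false` makes Vault "defer the handling of empty-password authentication attempts to the LDAP server". With that wording, whether an empty-password login succeeds depends entirely on how the directory treats such binds, and the reader is not told so. Suggest keeping one sentence ahead of "You may want to allow LDAP anonymous bind operations" that states the consequence, for example that with `false` a login with an empty password is accepted whenever the LDAP server accepts the bind.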
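Review bot: In the docs hunks (the `deny_null_bind` (bool, optional) bullet), "The default is `true`." now sits at the end of the bullet, directly after "You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery." Read in sequence, the default appears attached to the sentence about allowing anonymous binds rather than to the option, and it also repeats the opening "By default, Vault prevents". Suggest moving the default to the front, as the api-docs variant does with `(bool: true)`, or folding it into the first sentence: "By default (`true`), Vault prevents LDAP authentication attempts when the user provides an empty password (null binds)."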
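Review bot: In the v1.19.x and v1.20.x docs hunks, the hunk header context already reads "For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m", yet the new bullet mentions "anonymous search or discovery" without naming `discoverdn`. The added sentence also treats two different things as one: the password a user supplies at login, and the anonymous bind Vault itself performs to look up the user DN. Suggest naming `discoverdn` in the bullet and saying which of the two binds the `false` setting is needed for, so that nobody sets `deny_null_bind` to `false` without also having an anonymous-search configuration that requires it. The same applies to the older docs hunks, where the `discoverdn` bullet ("If true, use anonymous bind to discover the bind DN of a user") appears a few lines above as unchanged context.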