From d8021f7166bbb97226be54ddc5dfc926ba527ba4 Mon Sep 17 00:00:00 2001 From: kevin-loehfelm Date: Thu, 2 Oct 2025 15:19:20 -0400 Subject: [PATCH 01/13] update description for deny_null_bind on ldap auth backend config --- content/vault/v1.10.x/content/api-docs/auth/ldap.mdx | 8 ++++++-- content/vault/v1.11.x/content/api-docs/auth/ldap.mdx | 8 ++++++-- content/vault/v1.12.x/content/api-docs/auth/ldap.mdx | 8 ++++++-- content/vault/v1.13.x/content/api-docs/auth/ldap.mdx | 8 ++++++-- content/vault/v1.14.x/content/api-docs/auth/ldap.mdx | 8 ++++++-- content/vault/v1.15.x/content/api-docs/auth/ldap.mdx | 8 ++++++-- content/vault/v1.16.x/content/api-docs/auth/ldap.mdx | 8 ++++++-- content/vault/v1.17.x/content/api-docs/auth/ldap.mdx | 8 ++++++-- content/vault/v1.18.x/content/api-docs/auth/ldap.mdx | 8 ++++++-- content/vault/v1.19.x/content/api-docs/auth/ldap.mdx | 8 ++++++-- content/vault/v1.20.x/content/api-docs/auth/ldap.mdx | 8 ++++++-- content/vault/v1.4.x/content/api-docs/auth/ldap/index.mdx | 8 ++++++-- content/vault/v1.5.x/content/api-docs/auth/ldap/index.mdx | 8 ++++++-- content/vault/v1.6.x/content/api-docs/auth/ldap/index.mdx | 8 ++++++-- content/vault/v1.7.x/content/api-docs/auth/ldap.mdx | 8 ++++++-- content/vault/v1.8.x/content/api-docs/auth/ldap.mdx | 8 ++++++-- content/vault/v1.9.x/content/api-docs/auth/ldap.mdx | 8 ++++++-- 17 files changed, 102 insertions(+), 34 deletions(-) diff --git a/content/vault/v1.10.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.10.x/content/api-docs/auth/ldap.mdx index 1fd3376630..de591b0fb3 100644 --- a/content/vault/v1.10.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.10.x/content/api-docs/auth/ldap.mdx 
@@ -60,8 +60,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication + attempts where the user provides an empty password (null binds). Setting this parameter + to false allows Vault to support LDAP anonymous bind operations, which may be required + for certain directory configurations that use anonymous search or discovery. When set to + false, Vault defers the handling of empty-password authentication attempts to the LDAP + server. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.11.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.11.x/content/api-docs/auth/ldap.mdx index 45bea94e52..ee178bd030 100644 --- a/content/vault/v1.11.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.11.x/content/api-docs/auth/ldap.mdx 
@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication + attempts where the user provides an empty password (null binds). Setting this parameter + to false allows Vault to support LDAP anonymous bind operations, which may be required + for certain directory configurations that use anonymous search or discovery. When set to + false, Vault defers the handling of empty-password authentication attempts to the LDAP + server. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.12.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.12.x/content/api-docs/auth/ldap.mdx index 45bea94e52..ee178bd030 100644 --- a/content/vault/v1.12.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.12.x/content/api-docs/auth/ldap.mdx 
@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication + attempts where the user provides an empty password (null binds). Setting this parameter + to false allows Vault to support LDAP anonymous bind operations, which may be required + for certain directory configurations that use anonymous search or discovery. When set to + false, Vault defers the handling of empty-password authentication attempts to the LDAP + server. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.13.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.13.x/content/api-docs/auth/ldap.mdx index 2b7e066de9..4eaa85881d 100644 --- a/content/vault/v1.13.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.13.x/content/api-docs/auth/ldap.mdx 
@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication + attempts where the user provides an empty password (null binds). Setting this parameter + to false allows Vault to support LDAP anonymous bind operations, which may be required + for certain directory configurations that use anonymous search or discovery. When set to + false, Vault defers the handling of empty-password authentication attempts to the LDAP + server. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.14.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.14.x/content/api-docs/auth/ldap.mdx index 064f6a731a..3ea8ddbeb4 100644 --- a/content/vault/v1.14.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.14.x/content/api-docs/auth/ldap.mdx 
@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication + attempts where the user provides an empty password (null binds). Setting this parameter + to false allows Vault to support LDAP anonymous bind operations, which may be required + for certain directory configurations that use anonymous search or discovery. When set to + false, Vault defers the handling of empty-password authentication attempts to the LDAP + server. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.15.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.15.x/content/api-docs/auth/ldap.mdx index eec8772318..45a1ce4d17 100644 --- a/content/vault/v1.15.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.15.x/content/api-docs/auth/ldap.mdx 
@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication + attempts where the user provides an empty password (null binds). Setting this parameter + to false allows Vault to support LDAP anonymous bind operations, which may be required + for certain directory configurations that use anonymous search or discovery. When set to + false, Vault defers the handling of empty-password authentication attempts to the LDAP + server. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.16.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.16.x/content/api-docs/auth/ldap.mdx index eec8772318..45a1ce4d17 100644 --- a/content/vault/v1.16.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.16.x/content/api-docs/auth/ldap.mdx 
@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication + attempts where the user provides an empty password (null binds). Setting this parameter + to false allows Vault to support LDAP anonymous bind operations, which may be required + for certain directory configurations that use anonymous search or discovery. When set to + false, Vault defers the handling of empty-password authentication attempts to the LDAP + server. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.17.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.17.x/content/api-docs/auth/ldap.mdx index eec8772318..45a1ce4d17 100644 --- a/content/vault/v1.17.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.17.x/content/api-docs/auth/ldap.mdx 
@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication + attempts where the user provides an empty password (null binds). Setting this parameter + to false allows Vault to support LDAP anonymous bind operations, which may be required + for certain directory configurations that use anonymous search or discovery. When set to + false, Vault defers the handling of empty-password authentication attempts to the LDAP + server. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.18.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.18.x/content/api-docs/auth/ldap.mdx index eec8772318..45a1ce4d17 100644 --- a/content/vault/v1.18.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.18.x/content/api-docs/auth/ldap.mdx 
@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication + attempts where the user provides an empty password (null binds). Setting this parameter + to false allows Vault to support LDAP anonymous bind operations, which may be required + for certain directory configurations that use anonymous search or discovery. When set to + false, Vault defers the handling of empty-password authentication attempts to the LDAP + server. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.19.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.19.x/content/api-docs/auth/ldap.mdx index 02e518e536..467dd1cd6b 100644 --- a/content/vault/v1.19.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.19.x/content/api-docs/auth/ldap.mdx 
@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication + attempts where the user provides an empty password (null binds). Setting this parameter + to false allows Vault to support LDAP anonymous bind operations, which may be required + for certain directory configurations that use anonymous search or discovery. When set to + false, Vault defers the handling of empty-password authentication attempts to the LDAP + server. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.20.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.20.x/content/api-docs/auth/ldap.mdx index 02e518e536..467dd1cd6b 100644 --- a/content/vault/v1.20.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.20.x/content/api-docs/auth/ldap.mdx 
@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication + attempts where the user provides an empty password (null binds). Setting this parameter + to false allows Vault to support LDAP anonymous bind operations, which may be required + for certain directory configurations that use anonymous search or discovery. When set to + false, Vault defers the handling of empty-password authentication attempts to the LDAP + server. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.4.x/content/api-docs/auth/ldap/index.mdx b/content/vault/v1.4.x/content/api-docs/auth/ldap/index.mdx index 3e0a90df6f..e63f66f020 100644 --- a/content/vault/v1.4.x/content/api-docs/auth/ldap/index.mdx +++ b/content/vault/v1.4.x/content/api-docs/auth/ldap/index.mdx 
@@ -57,8 +57,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication + attempts where the user provides an empty password (null binds). Setting this parameter + to false allows Vault to support LDAP anonymous bind operations, which may be required + for certain directory configurations that use anonymous search or discovery. When set to + false, Vault defers the handling of empty-password authentication attempts to the LDAP + server. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.5.x/content/api-docs/auth/ldap/index.mdx b/content/vault/v1.5.x/content/api-docs/auth/ldap/index.mdx index 0801e9ddc3..7e617f2e70 100644 --- a/content/vault/v1.5.x/content/api-docs/auth/ldap/index.mdx +++ b/content/vault/v1.5.x/content/api-docs/auth/ldap/index.mdx 
@@ -61,8 +61,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication + attempts where the user provides an empty password (null binds). Setting this parameter + to false allows Vault to support LDAP anonymous bind operations, which may be required + for certain directory configurations that use anonymous search or discovery. When set to + false, Vault defers the handling of empty-password authentication attempts to the LDAP + server. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.6.x/content/api-docs/auth/ldap/index.mdx b/content/vault/v1.6.x/content/api-docs/auth/ldap/index.mdx index 0801e9ddc3..7e617f2e70 100644 --- a/content/vault/v1.6.x/content/api-docs/auth/ldap/index.mdx +++ b/content/vault/v1.6.x/content/api-docs/auth/ldap/index.mdx 
@@ -61,8 +61,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication + attempts where the user provides an empty password (null binds). Setting this parameter + to false allows Vault to support LDAP anonymous bind operations, which may be required + for certain directory configurations that use anonymous search or discovery. When set to + false, Vault defers the handling of empty-password authentication attempts to the LDAP + server. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.7.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.7.x/content/api-docs/auth/ldap.mdx index 0801e9ddc3..7e617f2e70 100644 --- a/content/vault/v1.7.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.7.x/content/api-docs/auth/ldap.mdx 
@@ -61,8 +61,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication + attempts where the user provides an empty password (null binds). Setting this parameter + to false allows Vault to support LDAP anonymous bind operations, which may be required + for certain directory configurations that use anonymous search or discovery. When set to + false, Vault defers the handling of empty-password authentication attempts to the LDAP + server. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.8.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.8.x/content/api-docs/auth/ldap.mdx index f00ddc24a4..a230ab244f 100644 --- a/content/vault/v1.8.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.8.x/content/api-docs/auth/ldap.mdx 
@@ -60,8 +60,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication + attempts where the user provides an empty password (null binds). Setting this parameter + to false allows Vault to support LDAP anonymous bind operations, which may be required + for certain directory configurations that use anonymous search or discovery. When set to + false, Vault defers the handling of empty-password authentication attempts to the LDAP + server. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.9.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.9.x/content/api-docs/auth/ldap.mdx index 28a27f448b..f9830c238c 100644 --- a/content/vault/v1.9.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.9.x/content/api-docs/auth/ldap.mdx 
@@ -60,8 +60,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing - authentication when providing an empty password. +- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication + attempts where the user provides an empty password (null binds). Setting this parameter + to false allows Vault to support LDAP anonymous bind operations, which may be required + for certain directory configurations that use anonymous search or discovery. When set to + false, Vault defers the handling of empty-password authentication attempts to the LDAP + server. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind From a7146c808ba160e50f414ab87fe4513084cc2be0 Mon Sep 17 00:00:00 2001 
From: kevin-loehfelm Date: Thu, 2 Oct 2025 16:42:51 -0400 Subject: [PATCH 02/13] update description for deny_null_bind in ldap auth docs --- content/vault/v1.10.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.11.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.12.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.13.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.14.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.15.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.16.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.17.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.18.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.19.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.20.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.4.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.5.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.6.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.7.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.8.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.9.x/content/docs/auth/ldap.mdx | 2 +- 17 files changed, 17 insertions(+), 17 deletions(-) diff --git a/content/vault/v1.10.x/content/docs/auth/ldap.mdx b/content/vault/v1.10.x/content/docs/auth/ldap.mdx index b9a7505515..93b55785f0 100644 --- a/content/vault/v1.10.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.10.x/content/docs/auth/ldap.mdx 
@@ -126,7 +126,7 @@ There are two alternate methods of resolving the user object used to authenticat - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. @include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.11.x/content/docs/auth/ldap.mdx b/content/vault/v1.11.x/content/docs/auth/ldap.mdx index 6d5ab2f1c3..006ace0e77 100644 --- a/content/vault/v1.11.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.11.x/content/docs/auth/ldap.mdx 
@@ -128,7 +128,7 @@ There are two alternate methods of resolving the user object used to authenticat - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. @include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.12.x/content/docs/auth/ldap.mdx b/content/vault/v1.12.x/content/docs/auth/ldap.mdx index 6d5ab2f1c3..006ace0e77 100644 --- a/content/vault/v1.12.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.12.x/content/docs/auth/ldap.mdx 
@@ -128,7 +128,7 @@ There are two alternate methods of resolving the user object used to authenticat - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. @include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.13.x/content/docs/auth/ldap.mdx b/content/vault/v1.13.x/content/docs/auth/ldap.mdx index 3be8de89ca..fddcd37548 100644 --- a/content/vault/v1.13.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.13.x/content/docs/auth/ldap.mdx 
@@ -128,7 +128,7 @@ There are two alternate methods of resolving the user object used to authenticat - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. @include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.14.x/content/docs/auth/ldap.mdx b/content/vault/v1.14.x/content/docs/auth/ldap.mdx index 2b6e799eea..8a73a14b16 100644 --- a/content/vault/v1.14.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.14.x/content/docs/auth/ldap.mdx 
@@ -128,7 +128,7 @@ There are two alternate methods of resolving the user object used to authenticat - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. @include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.15.x/content/docs/auth/ldap.mdx b/content/vault/v1.15.x/content/docs/auth/ldap.mdx index 409af5e271..44c2cb471d 100644 --- a/content/vault/v1.15.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.15.x/content/docs/auth/ldap.mdx 
@@ -132,7 +132,7 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. @include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.16.x/content/docs/auth/ldap.mdx b/content/vault/v1.16.x/content/docs/auth/ldap.mdx index cead3960ef..fb3e4aa8f7 100644 --- a/content/vault/v1.16.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.16.x/content/docs/auth/ldap.mdx 
@@ -132,7 +132,7 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. @include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.17.x/content/docs/auth/ldap.mdx b/content/vault/v1.17.x/content/docs/auth/ldap.mdx index cead3960ef..fb3e4aa8f7 100644 --- a/content/vault/v1.17.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.17.x/content/docs/auth/ldap.mdx 
@@ -132,7 +132,7 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. @include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.18.x/content/docs/auth/ldap.mdx b/content/vault/v1.18.x/content/docs/auth/ldap.mdx index cead3960ef..fb3e4aa8f7 100644 --- a/content/vault/v1.18.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.18.x/content/docs/auth/ldap.mdx 
@@ -132,7 +132,7 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. @include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.19.x/content/docs/auth/ldap.mdx b/content/vault/v1.19.x/content/docs/auth/ldap.mdx index 27dda923f6..32cf7f3ccd 100644 --- a/content/vault/v1.19.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.19.x/content/docs/auth/ldap.mdx 
@@ -132,7 +132,7 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. @include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.20.x/content/docs/auth/ldap.mdx b/content/vault/v1.20.x/content/docs/auth/ldap.mdx index 1082ade2a6..c3c07cc699 100644 --- a/content/vault/v1.20.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.20.x/content/docs/auth/ldap.mdx 
@@ -134,7 +134,7 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. @include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.4.x/content/docs/auth/ldap.mdx b/content/vault/v1.4.x/content/docs/auth/ldap.mdx index a4b7c05ead..021a77cf98 100644 --- a/content/vault/v1.4.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.4.x/content/docs/auth/ldap.mdx 
@@ -121,7 +121,7 @@ There are two alternate methods of resolving the user object used to authenticat - `discoverdn` (bool, optional) - If true, use anonymous bind to discover the bind DN of a user - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. #### Binding - User Principal Name (AD) diff --git a/content/vault/v1.5.x/content/docs/auth/ldap.mdx b/content/vault/v1.5.x/content/docs/auth/ldap.mdx index dae5bd04a9..1897bc89af 100644 --- a/content/vault/v1.5.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.5.x/content/docs/auth/ldap.mdx 
@@ -123,7 +123,7 @@ There are two alternate methods of resolving the user object used to authenticat - `discoverdn` (bool, optional) - If true, use anonymous bind to discover the bind DN of a user - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. #### Binding - User Principal Name (AD) diff --git a/content/vault/v1.6.x/content/docs/auth/ldap.mdx b/content/vault/v1.6.x/content/docs/auth/ldap.mdx index dae5bd04a9..1897bc89af 100644 --- a/content/vault/v1.6.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.6.x/content/docs/auth/ldap.mdx 
@@ -123,7 +123,7 @@ There are two alternate methods of resolving the user object used to authenticat - `discoverdn` (bool, optional) - If true, use anonymous bind to discover the bind DN of a user - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. #### Binding - User Principal Name (AD) diff --git a/content/vault/v1.7.x/content/docs/auth/ldap.mdx b/content/vault/v1.7.x/content/docs/auth/ldap.mdx index dae5bd04a9..1897bc89af 100644 --- a/content/vault/v1.7.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.7.x/content/docs/auth/ldap.mdx 
@@ -123,7 +123,7 @@ There are two alternate methods of resolving the user object used to authenticat - `discoverdn` (bool, optional) - If true, use anonymous bind to discover the bind DN of a user - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. #### Binding - User Principal Name (AD) diff --git a/content/vault/v1.8.x/content/docs/auth/ldap.mdx b/content/vault/v1.8.x/content/docs/auth/ldap.mdx index de701e8537..ae61397a72 100644 --- a/content/vault/v1.8.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.8.x/content/docs/auth/ldap.mdx 
@@ -122,7 +122,7 @@ There are two alternate methods of resolving the user object used to authenticat - `discoverdn` (bool, optional) - If true, use anonymous bind to discover the bind DN of a user - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. #### Binding - User Principal Name (AD) diff --git a/content/vault/v1.9.x/content/docs/auth/ldap.mdx b/content/vault/v1.9.x/content/docs/auth/ldap.mdx index 95c8ec79eb..ece01733dd 100644 --- a/content/vault/v1.9.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.9.x/content/docs/auth/ldap.mdx 
@@ -124,7 +124,7 @@ There are two alternate methods of resolving the user object used to authenticat - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. #### Binding - User Principal Name (AD) From f4f39621289c9a86502fbd3a3030123e809bc9be Mon Sep 17 00:00:00 2001 
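Review bot: The replacement `deny_null_bind` text in these docs/auth/ldap.mdx hunks no longer states the security consequence that the removed line did ("prevents users from bypassing authentication when providing an empty password"); it only says Vault "defers the handling of empty-password authentication attempts to the LDAP server". Someone deciding whether to set this to false needs the risk spelled out. Suggest keeping one sentence that says so directly, for example that with `deny_null_bind` set to `false`, a directory server that accepts an empty-password bind will let that login succeed without a password check. Separately, "false" appears twice as bare text in the added line while the default is written as `true` in code formatting; use `false` in code formatting in both places.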
From: kevin-loehfelm <37027455+kevin-loehfelm@users.noreply.github.com> Date: Thu, 2 Oct 2025 19:59:08 -0400 Subject: [PATCH 03/13] Update content/vault/v1.10.x/content/api-docs/auth/ldap.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- content/vault/v1.10.x/content/api-docs/auth/ldap.mdx | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/content/vault/v1.10.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.10.x/content/api-docs/auth/ldap.mdx index de591b0fb3..bcfef5fd36 100644 --- a/content/vault/v1.10.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.10.x/content/api-docs/auth/ldap.mdx @@ -60,12 +60,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication - attempts where the user provides an empty password (null binds). Setting this parameter - to false allows Vault to support LDAP anonymous bind operations, which may be required - for certain directory configurations that use anonymous search or discovery. When set to - false, Vault defers the handling of empty-password authentication attempts to the LDAP - server. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind 
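Review bot: The last added sentence ("You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery.") is no longer tied to the parameter, so the reader has to infer that `false` is the value that allows anonymous binds. The wording this hunk removes made that link explicit ("Setting this parameter to false allows Vault to support LDAP anonymous bind operations"). Suggest joining the two, for example: "Set `deny_null_bind` to `false` only when your directory configuration relies on anonymous search or discovery", and placing it next to the sentence about deferring empty-password attempts to the LDAP server so the trade-off reads in one place.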
From 48ab6d8b48666d635a7a841147d6778635c0a617 Mon Sep 17 00:00:00 2001 From: kevin-loehfelm <37027455+kevin-loehfelm@users.noreply.github.com> Date: Thu, 2 Oct 2025 20:02:17 -0400 Subject: [PATCH 04/13] Update content/vault/v1.10.x/content/docs/auth/ldap.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- content/vault/v1.10.x/content/docs/auth/ldap.mdx | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/content/vault/v1.10.x/content/docs/auth/ldap.mdx b/content/vault/v1.10.x/content/docs/auth/ldap.mdx index 93b55785f0..2b22fa24a6 100644 --- a/content/vault/v1.10.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.10.x/content/docs/auth/ldap.mdx 
@@ -126,7 +126,12 @@ There are two alternate methods of resolving the user object used to authenticat - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. @include 'ldap-auth-userfilter-warning.mdx' 
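Review bot: The added `deny_null_bind` entry uses the api-docs parameter style (`(bool: true)` followed by an en dash, hard-wrapped over six lines), but every neighbouring entry in this docs/auth/ldap.mdx list, including the `userfilter` and `anonymous_group_search` context lines in this hunk, is written as a single line in the form `(bool, optional) - ...` with the default stated in prose ("Defaults to `false`"). The wording was copied from the api-docs page without adapting the format. Suggest keeping `(bool, optional) -` on one line and retaining "The default is `true`." at the end, as the removed line had it, so the list stays uniform and the default remains stated in the same way as its neighbours.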
From 1a0031fc1c48f911ad490329c4252a60d096da01 Mon Sep 17 00:00:00 2001 From: kevin-loehfelm <37027455+kevin-loehfelm@users.noreply.github.com> Date: Thu, 2 Oct 2025 20:02:24 -0400 Subject: [PATCH 05/13] Update content/vault/v1.11.x/content/api-docs/auth/ldap.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- content/vault/v1.11.x/content/api-docs/auth/ldap.mdx | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/content/vault/v1.11.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.11.x/content/api-docs/auth/ldap.mdx index ee178bd030..edc02cc83e 100644 --- a/content/vault/v1.11.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.11.x/content/api-docs/auth/ldap.mdx 
@@ -65,12 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication - attempts where the user provides an empty password (null binds). Setting this parameter - to false allows Vault to support LDAP anonymous bind operations, which may be required - for certain directory configurations that use anonymous search or discovery. When set to - false, Vault defers the handling of empty-password authentication attempts to the LDAP - server. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind From d3446069a23067043757ade1ef48f252914fd109 Mon Sep 17 00:00:00 2001 From: kevin-loehfelm <37027455+kevin-loehfelm@users.noreply.github.com> Date: Thu, 2 Oct 2025 20:02:31 -0400 Subject: [PATCH 06/13] Update content/vault/v1.11.x/content/docs/auth/ldap.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- content/vault/v1.11.x/content/docs/auth/ldap.mdx | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/content/vault/v1.11.x/content/docs/auth/ldap.mdx b/content/vault/v1.11.x/content/docs/auth/ldap.mdx index 006ace0e77..51508b8b21 100644 --- a/content/vault/v1.11.x/content/docs/auth/ldap.mdx 
+++ b/content/vault/v1.11.x/content/docs/auth/ldap.mdx 
@@ -128,7 +128,12 @@ There are two alternate methods of resolving the user object used to authenticat - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. @include 'ldap-auth-userfilter-warning.mdx' 
From 40a889770cb748724f3c24b107ba9313ae59982b Mon Sep 17 00:00:00 2001 From: kevin-loehfelm <37027455+kevin-loehfelm@users.noreply.github.com> Date: Thu, 2 Oct 2025 20:02:41 -0400 Subject: [PATCH 07/13] Update content/vault/v1.12.x/content/api-docs/auth/ldap.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- content/vault/v1.12.x/content/api-docs/auth/ldap.mdx | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/content/vault/v1.12.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.12.x/content/api-docs/auth/ldap.mdx index ee178bd030..edc02cc83e 100644 --- a/content/vault/v1.12.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.12.x/content/api-docs/auth/ldap.mdx 
@@ -65,12 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication - attempts where the user provides an empty password (null binds). Setting this parameter - to false allows Vault to support LDAP anonymous bind operations, which may be required - for certain directory configurations that use anonymous search or discovery. When set to - false, Vault defers the handling of empty-password authentication attempts to the LDAP - server. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind From 57b2225f2e968235b217a5b9a5954f75d3271b76 Mon Sep 17 00:00:00 2001 From: kevin-loehfelm <37027455+kevin-loehfelm@users.noreply.github.com> Date: Thu, 2 Oct 2025 20:02:48 -0400 Subject: [PATCH 08/13] Update content/vault/v1.7.x/content/docs/auth/ldap.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- content/vault/v1.7.x/content/docs/auth/ldap.mdx | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/content/vault/v1.7.x/content/docs/auth/ldap.mdx b/content/vault/v1.7.x/content/docs/auth/ldap.mdx index 1897bc89af..774c894895 100644 --- a/content/vault/v1.7.x/content/docs/auth/ldap.mdx 
+++ b/content/vault/v1.7.x/content/docs/auth/ldap.mdx @@ -123,7 +123,12 @@ There are two alternate methods of resolving the user object used to authenticat - `discoverdn` (bool, optional) - If true, use anonymous bind to discover the bind DN of a user - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` -- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. #### Binding - User Principal Name (AD) From b34ff798840c535c4ab963217ceda44a53a73cda Mon Sep 17 00:00:00 2001 
From: kevin-loehfelm <37027455+kevin-loehfelm@users.noreply.github.com> Date: Thu, 2 Oct 2025 20:02:54 -0400 Subject: [PATCH 09/13] Update content/vault/v1.8.x/content/api-docs/auth/ldap.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- content/vault/v1.8.x/content/api-docs/auth/ldap.mdx | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/content/vault/v1.8.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.8.x/content/api-docs/auth/ldap.mdx index a230ab244f..af23a2e587 100644 --- a/content/vault/v1.8.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.8.x/content/api-docs/auth/ldap.mdx @@ -60,12 +60,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication - attempts where the user provides an empty password (null binds). Setting this parameter - to false allows Vault to support LDAP anonymous bind operations, which may be required - for certain directory configurations that use anonymous search or discovery. When set to - false, Vault defers the handling of empty-password authentication attempts to the LDAP - server. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind 
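Review bot: The last sentence of the reworded `deny_null_bind` entry ("You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery") reads as if setting `deny_null_bind` to `false` were needed for the `discoverdn` option documented directly above it, which already describes its own anonymous bind. State explicitly whether the two settings are independent, and keep the two cases apart in the wording: a user logging in with an empty password (the null bind this option denies) versus Vault itself binding anonymously to search the directory.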
From 85ec6c878938accd3bbf0e765aa3cbbd88181756 Mon Sep 17 00:00:00 2001 From: kevin-loehfelm <37027455+kevin-loehfelm@users.noreply.github.com> Date: Thu, 2 Oct 2025 20:02:59 -0400 Subject: [PATCH 10/13] Update content/vault/v1.8.x/content/docs/auth/ldap.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- content/vault/v1.8.x/content/docs/auth/ldap.mdx | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/content/vault/v1.8.x/content/docs/auth/ldap.mdx b/content/vault/v1.8.x/content/docs/auth/ldap.mdx index ae61397a72..38ca7ddd48 100644 --- a/content/vault/v1.8.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.8.x/content/docs/auth/ldap.mdx 
@@ -122,7 +122,12 @@ There are two alternate methods of resolving the user object used to authenticat - `discoverdn` (bool, optional) - If true, use anonymous bind to discover the bind DN of a user - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` -- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. #### Binding - User Principal Name (AD) From 0d2cdb7684329b0e15778994c542c2e051bd332e Mon Sep 17 00:00:00 2001 From: kevin-loehfelm <37027455+kevin-loehfelm@users.noreply.github.com> Date: Thu, 2 Oct 2025 20:03:11 -0400 Subject: [PATCH 11/13] Update content/vault/v1.9.x/content/api-docs/auth/ldap.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- content/vault/v1.9.x/content/api-docs/auth/ldap.mdx | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/content/vault/v1.9.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.9.x/content/api-docs/auth/ldap.mdx index f9830c238c..ded546cd2d 100644 --- a/content/vault/v1.9.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.9.x/content/api-docs/auth/ldap.mdx @@ -60,12 +60,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication - attempts where the user provides an empty password (null binds). Setting this parameter - to false allows Vault to support LDAP anonymous bind operations, which may be required - for certain directory configurations that use anonymous search or discovery. When set to - false, Vault defers the handling of empty-password authentication attempts to the LDAP - server. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind From 09a885d3d22e62e4a47920ec6586a97ec120cd01 Mon Sep 17 00:00:00 2001 
From: kevin-loehfelm Date: Thu, 2 Oct 2025 20:09:25 -0400 Subject: [PATCH 12/13] Update style on API docs --- content/vault/v1.13.x/content/api-docs/auth/ldap.mdx | 12 ++++++------ content/vault/v1.14.x/content/api-docs/auth/ldap.mdx | 12 ++++++------ content/vault/v1.15.x/content/api-docs/auth/ldap.mdx | 12 ++++++------ content/vault/v1.16.x/content/api-docs/auth/ldap.mdx | 12 ++++++------ content/vault/v1.17.x/content/api-docs/auth/ldap.mdx | 12 ++++++------ content/vault/v1.18.x/content/api-docs/auth/ldap.mdx | 12 ++++++------ content/vault/v1.19.x/content/api-docs/auth/ldap.mdx | 12 ++++++------ content/vault/v1.20.x/content/api-docs/auth/ldap.mdx | 12 ++++++------ .../v1.4.x/content/api-docs/auth/ldap/index.mdx | 12 ++++++------ .../v1.5.x/content/api-docs/auth/ldap/index.mdx | 12 ++++++------ .../v1.6.x/content/api-docs/auth/ldap/index.mdx | 12 ++++++------ content/vault/v1.7.x/content/api-docs/auth/ldap.mdx | 12 ++++++------ 12 files changed, 72 insertions(+), 72 deletions(-) diff --git a/content/vault/v1.13.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.13.x/content/api-docs/auth/ldap.mdx index 4eaa85881d..9d0a8317e3 100644 --- a/content/vault/v1.13.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.13.x/content/api-docs/auth/ldap.mdx 
@@ -65,12 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication - attempts where the user provides an empty password (null binds). Setting this parameter - to false allows Vault to support LDAP anonymous bind operations, which may be required - for certain directory configurations that use anonymous search or discovery. When set to - false, Vault defers the handling of empty-password authentication attempts to the LDAP - server. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.14.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.14.x/content/api-docs/auth/ldap.mdx index 3ea8ddbeb4..2cbabd16bc 100644 --- a/content/vault/v1.14.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.14.x/content/api-docs/auth/ldap.mdx 
@@ -65,12 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication - attempts where the user provides an empty password (null binds). Setting this parameter - to false allows Vault to support LDAP anonymous bind operations, which may be required - for certain directory configurations that use anonymous search or discovery. When set to - false, Vault defers the handling of empty-password authentication attempts to the LDAP - server. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.15.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.15.x/content/api-docs/auth/ldap.mdx index 45a1ce4d17..1dda4a1f71 100644 --- a/content/vault/v1.15.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.15.x/content/api-docs/auth/ldap.mdx 
@@ -65,12 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication - attempts where the user provides an empty password (null binds). Setting this parameter - to false allows Vault to support LDAP anonymous bind operations, which may be required - for certain directory configurations that use anonymous search or discovery. When set to - false, Vault defers the handling of empty-password authentication attempts to the LDAP - server. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.16.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.16.x/content/api-docs/auth/ldap.mdx index 45a1ce4d17..1dda4a1f71 100644 --- a/content/vault/v1.16.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.16.x/content/api-docs/auth/ldap.mdx 
@@ -65,12 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication - attempts where the user provides an empty password (null binds). Setting this parameter - to false allows Vault to support LDAP anonymous bind operations, which may be required - for certain directory configurations that use anonymous search or discovery. When set to - false, Vault defers the handling of empty-password authentication attempts to the LDAP - server. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.17.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.17.x/content/api-docs/auth/ldap.mdx index 45a1ce4d17..1dda4a1f71 100644 --- a/content/vault/v1.17.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.17.x/content/api-docs/auth/ldap.mdx 
@@ -65,12 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication - attempts where the user provides an empty password (null binds). Setting this parameter - to false allows Vault to support LDAP anonymous bind operations, which may be required - for certain directory configurations that use anonymous search or discovery. When set to - false, Vault defers the handling of empty-password authentication attempts to the LDAP - server. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.18.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.18.x/content/api-docs/auth/ldap.mdx index 45a1ce4d17..1dda4a1f71 100644 --- a/content/vault/v1.18.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.18.x/content/api-docs/auth/ldap.mdx 
@@ -65,12 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication - attempts where the user provides an empty password (null binds). Setting this parameter - to false allows Vault to support LDAP anonymous bind operations, which may be required - for certain directory configurations that use anonymous search or discovery. When set to - false, Vault defers the handling of empty-password authentication attempts to the LDAP - server. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.19.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.19.x/content/api-docs/auth/ldap.mdx index 467dd1cd6b..33f9ed49db 100644 --- a/content/vault/v1.19.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.19.x/content/api-docs/auth/ldap.mdx 
@@ -65,12 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication - attempts where the user provides an empty password (null binds). Setting this parameter - to false allows Vault to support LDAP anonymous bind operations, which may be required - for certain directory configurations that use anonymous search or discovery. When set to - false, Vault defers the handling of empty-password authentication attempts to the LDAP - server. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.20.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.20.x/content/api-docs/auth/ldap.mdx index 467dd1cd6b..33f9ed49db 100644 --- a/content/vault/v1.20.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.20.x/content/api-docs/auth/ldap.mdx 
@@ -65,12 +65,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication - attempts where the user provides an empty password (null binds). Setting this parameter - to false allows Vault to support LDAP anonymous bind operations, which may be required - for certain directory configurations that use anonymous search or discovery. When set to - false, Vault defers the handling of empty-password authentication attempts to the LDAP - server. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.4.x/content/api-docs/auth/ldap/index.mdx b/content/vault/v1.4.x/content/api-docs/auth/ldap/index.mdx index e63f66f020..8c716900c5 100644 --- a/content/vault/v1.4.x/content/api-docs/auth/ldap/index.mdx +++ b/content/vault/v1.4.x/content/api-docs/auth/ldap/index.mdx 
@@ -57,12 +57,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication - attempts where the user provides an empty password (null binds). Setting this parameter - to false allows Vault to support LDAP anonymous bind operations, which may be required - for certain directory configurations that use anonymous search or discovery. When set to - false, Vault defers the handling of empty-password authentication attempts to the LDAP - server. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.5.x/content/api-docs/auth/ldap/index.mdx b/content/vault/v1.5.x/content/api-docs/auth/ldap/index.mdx index 7e617f2e70..3b8bf67438 100644 --- a/content/vault/v1.5.x/content/api-docs/auth/ldap/index.mdx +++ b/content/vault/v1.5.x/content/api-docs/auth/ldap/index.mdx 
@@ -61,12 +61,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication - attempts where the user provides an empty password (null binds). Setting this parameter - to false allows Vault to support LDAP anonymous bind operations, which may be required - for certain directory configurations that use anonymous search or discovery. When set to - false, Vault defers the handling of empty-password authentication attempts to the LDAP - server. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.6.x/content/api-docs/auth/ldap/index.mdx b/content/vault/v1.6.x/content/api-docs/auth/ldap/index.mdx index 7e617f2e70..3b8bf67438 100644 --- a/content/vault/v1.6.x/content/api-docs/auth/ldap/index.mdx +++ b/content/vault/v1.6.x/content/api-docs/auth/ldap/index.mdx 
@@ -61,12 +61,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication - attempts where the user provides an empty password (null binds). Setting this parameter - to false allows Vault to support LDAP anonymous bind operations, which may be required - for certain directory configurations that use anonymous search or discovery. When set to - false, Vault defers the handling of empty-password authentication attempts to the LDAP - server. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind diff --git a/content/vault/v1.7.x/content/api-docs/auth/ldap.mdx b/content/vault/v1.7.x/content/api-docs/auth/ldap.mdx index 7e617f2e70..3b8bf67438 100644 --- a/content/vault/v1.7.x/content/api-docs/auth/ldap.mdx +++ b/content/vault/v1.7.x/content/api-docs/auth/ldap.mdx 
@@ -61,12 +61,12 @@ This endpoint configures the LDAP auth method. username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a user. -- `deny_null_bind` `(bool: true)` – By default, Vault will prevent LDAP authentication - attempts where the user provides an empty password (null binds). Setting this parameter - to false allows Vault to support LDAP anonymous bind operations, which may be required - for certain directory configurations that use anonymous search or discovery. When set to - false, Vault defers the handling of empty-password authentication attempts to the LDAP - server. +- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication + attempts when the user provides an empty password (null binds). Setting + `deny_null_bind` to `false` tells Vault to defer the handling of empty-password + authentication attempts to the LDAP server. You may want to allow LDAP + anonymous bind operations for directory configurations using anonymous search + or discovery. - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN string for the authenticating user. The constructed UPN will appear as `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind From 733fd6e0a15b5ce55ad80c5314d241caf118e4a2 Mon Sep 17 00:00:00 2001 
From: kevin-loehfelm Date: Thu, 2 Oct 2025 20:18:49 -0400 Subject: [PATCH 13/13] Update style on content docs --- content/vault/v1.10.x/content/docs/auth/ldap.mdx | 7 +------ content/vault/v1.11.x/content/docs/auth/ldap.mdx | 7 +------ content/vault/v1.12.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.13.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.14.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.15.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.16.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.17.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.18.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.19.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.20.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.4.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.5.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.6.x/content/docs/auth/ldap.mdx | 2 +- content/vault/v1.7.x/content/docs/auth/ldap.mdx | 7 +------ content/vault/v1.8.x/content/docs/auth/ldap.mdx | 7 +------ content/vault/v1.9.x/content/docs/auth/ldap.mdx | 2 +- 17 files changed, 17 insertions(+), 37 deletions(-) diff --git a/content/vault/v1.10.x/content/docs/auth/ldap.mdx b/content/vault/v1.10.x/content/docs/auth/ldap.mdx index 2b22fa24a6..14c4b411ad 100644 --- a/content/vault/v1.10.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.10.x/content/docs/auth/ldap.mdx 
@@ -126,12 +126,7 @@ There are two alternate methods of resolving the user object used to authenticat - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication - attempts when the user provides an empty password (null binds). Setting - `deny_null_bind` to `false` tells Vault to defer the handling of empty-password - authentication attempts to the LDAP server. You may want to allow LDAP - anonymous bind operations for directory configurations using anonymous search - or discovery. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. @include 'ldap-auth-userfilter-warning.mdx' 
diff --git a/content/vault/v1.11.x/content/docs/auth/ldap.mdx b/content/vault/v1.11.x/content/docs/auth/ldap.mdx index 51508b8b21..6b3d77a42c 100644 --- a/content/vault/v1.11.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.11.x/content/docs/auth/ldap.mdx 
@@ -128,12 +128,7 @@ There are two alternate methods of resolving the user object used to authenticat - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication - attempts when the user provides an empty password (null binds). Setting - `deny_null_bind` to `false` tells Vault to defer the handling of empty-password - authentication attempts to the LDAP server. You may want to allow LDAP - anonymous bind operations for directory configurations using anonymous search - or discovery. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. @include 'ldap-auth-userfilter-warning.mdx' 
diff --git a/content/vault/v1.12.x/content/docs/auth/ldap.mdx b/content/vault/v1.12.x/content/docs/auth/ldap.mdx index 006ace0e77..6b3d77a42c 100644 --- a/content/vault/v1.12.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.12.x/content/docs/auth/ldap.mdx 
@@ -128,7 +128,7 @@ There are two alternate methods of resolving the user object used to authenticat - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. 
@include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.13.x/content/docs/auth/ldap.mdx b/content/vault/v1.13.x/content/docs/auth/ldap.mdx index fddcd37548..82055bb81b 100644 --- a/content/vault/v1.13.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.13.x/content/docs/auth/ldap.mdx 
@@ -128,7 +128,7 @@ There are two alternate methods of resolving the user object used to authenticat - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. 
@include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.14.x/content/docs/auth/ldap.mdx b/content/vault/v1.14.x/content/docs/auth/ldap.mdx index 8a73a14b16..a91cb226fd 100644 --- a/content/vault/v1.14.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.14.x/content/docs/auth/ldap.mdx 
@@ -128,7 +128,7 @@ There are two alternate methods of resolving the user object used to authenticat - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. 
@include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.15.x/content/docs/auth/ldap.mdx b/content/vault/v1.15.x/content/docs/auth/ldap.mdx index 44c2cb471d..2e33e2ebd2 100644 --- a/content/vault/v1.15.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.15.x/content/docs/auth/ldap.mdx 
@@ -132,7 +132,7 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. 
@include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.16.x/content/docs/auth/ldap.mdx b/content/vault/v1.16.x/content/docs/auth/ldap.mdx index fb3e4aa8f7..baba84912e 100644 --- a/content/vault/v1.16.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.16.x/content/docs/auth/ldap.mdx 
@@ -132,7 +132,7 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. 
@include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.17.x/content/docs/auth/ldap.mdx b/content/vault/v1.17.x/content/docs/auth/ldap.mdx index fb3e4aa8f7..baba84912e 100644 --- a/content/vault/v1.17.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.17.x/content/docs/auth/ldap.mdx 
@@ -132,7 +132,7 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. 
@include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.18.x/content/docs/auth/ldap.mdx b/content/vault/v1.18.x/content/docs/auth/ldap.mdx index fb3e4aa8f7..baba84912e 100644 --- a/content/vault/v1.18.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.18.x/content/docs/auth/ldap.mdx 
@@ -132,7 +132,7 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. 
@include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.19.x/content/docs/auth/ldap.mdx b/content/vault/v1.19.x/content/docs/auth/ldap.mdx index 32cf7f3ccd..03dca31732 100644 --- a/content/vault/v1.19.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.19.x/content/docs/auth/ldap.mdx 
@@ -132,7 +132,7 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. 
@include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.20.x/content/docs/auth/ldap.mdx b/content/vault/v1.20.x/content/docs/auth/ldap.mdx index c3c07cc699..87ac4da924 100644 --- a/content/vault/v1.20.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.20.x/content/docs/auth/ldap.mdx 
@@ -134,7 +134,7 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. 
@include 'ldap-auth-userfilter-warning.mdx' diff --git a/content/vault/v1.4.x/content/docs/auth/ldap.mdx b/content/vault/v1.4.x/content/docs/auth/ldap.mdx index 021a77cf98..517deac755 100644 --- a/content/vault/v1.4.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.4.x/content/docs/auth/ldap.mdx @@ -121,7 +121,7 @@ There are two alternate methods of resolving the user object used to authenticat - `discoverdn` (bool, optional) - If true, use anonymous bind to discover the bind DN of a user - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` -- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. #### Binding - User Principal Name (AD) diff --git a/content/vault/v1.5.x/content/docs/auth/ldap.mdx b/content/vault/v1.5.x/content/docs/auth/ldap.mdx index 1897bc89af..a7a9f9f635 100644 --- a/content/vault/v1.5.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.5.x/content/docs/auth/ldap.mdx 
@@ -123,7 +123,7 @@ There are two alternate methods of resolving the user object used to authenticat - `discoverdn` (bool, optional) - If true, use anonymous bind to discover the bind DN of a user - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` -- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. #### Binding - User Principal Name (AD) diff --git a/content/vault/v1.6.x/content/docs/auth/ldap.mdx b/content/vault/v1.6.x/content/docs/auth/ldap.mdx index 1897bc89af..a7a9f9f635 100644 --- a/content/vault/v1.6.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.6.x/content/docs/auth/ldap.mdx 
@@ -123,7 +123,7 @@ There are two alternate methods of resolving the user object used to authenticat - `discoverdn` (bool, optional) - If true, use anonymous bind to discover the bind DN of a user - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` -- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. #### Binding - User Principal Name (AD) diff --git a/content/vault/v1.7.x/content/docs/auth/ldap.mdx b/content/vault/v1.7.x/content/docs/auth/ldap.mdx index 774c894895..a7a9f9f635 100644 --- a/content/vault/v1.7.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.7.x/content/docs/auth/ldap.mdx 
@@ -123,12 +123,7 @@ There are two alternate methods of resolving the user object used to authenticat - `discoverdn` (bool, optional) - If true, use anonymous bind to discover the bind DN of a user - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` -- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication - attempts when the user provides an empty password (null binds). Setting - `deny_null_bind` to `false` tells Vault to defer the handling of empty-password - authentication attempts to the LDAP server. You may want to allow LDAP - anonymous bind operations for directory configurations using anonymous search - or discovery. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. #### Binding - User Principal Name (AD) diff --git a/content/vault/v1.8.x/content/docs/auth/ldap.mdx b/content/vault/v1.8.x/content/docs/auth/ldap.mdx index 38ca7ddd48..6611d8b712 100644 --- a/content/vault/v1.8.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.8.x/content/docs/auth/ldap.mdx 
@@ -122,12 +122,7 @@ There are two alternate methods of resolving the user object used to authenticat - `discoverdn` (bool, optional) - If true, use anonymous bind to discover the bind DN of a user - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` -- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication - attempts when the user provides an empty password (null binds). Setting - `deny_null_bind` to `false` tells Vault to defer the handling of empty-password - authentication attempts to the LDAP server. You may want to allow LDAP - anonymous bind operations for directory configurations using anonymous search - or discovery. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. #### Binding - User Principal Name (AD) diff --git a/content/vault/v1.9.x/content/docs/auth/ldap.mdx b/content/vault/v1.9.x/content/docs/auth/ldap.mdx index ece01733dd..ab049213af 100644 --- a/content/vault/v1.9.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.9.x/content/docs/auth/ldap.mdx 
@@ -124,7 +124,7 @@ There are two alternate methods of resolving the user object used to authenticat - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com` - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid` - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`. -- `deny_null_bind` (bool, optional) - By default, Vault will prevent LDAP authentication attempts where the user provides an empty password (null binds). Setting this parameter to false allows Vault to support LDAP anonymous bind operations, which may be required for certain directory configurations that use anonymous search or discovery. When set to false, Vault defers the handling of empty-password authentication attempts to the LDAP server. The default is `true`. +- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`. - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`. #### Binding - User Principal Name (AD)
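Review bot: in the reworded `deny_null_bind` entry (the `+` line of every hunk above, in both the api-docs and the docs pages), the closing sentence "You may want to allow LDAP anonymous bind operations ..." no longer says that `false` is the value that permits them, and nothing tells the reader what to check before changing the default. The text states that with `false` Vault defers empty-password attempts to the LDAP server, so the outcome of a login with an empty password then rests on the directory's own bind policy. Suggest tying the use case to the value and stating the precondition, for example: "Set `deny_null_bind` to `false` only if your directory configuration relies on anonymous search or discovery, and confirm that the LDAP server rejects empty-password binds for user DNs." The hunk context for v1.15.x through v1.20.x already relates `discoverdn` and `deny_null_bind` for anonymous search, so a pointer to that paragraph would also help.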
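Review bot: the four hunks that shrink 12 lines to 7 (v1.10.x, v1.11.x, v1.7.x and v1.8.x under content/docs) remove a `(bool: true)` entry that already carries the new wording, which means an earlier patch in this series put api-docs formatting into the docs pages and this one corrects it. Fold the correction into the patch that introduced it, so that no intermediate commit leaves those pages with an entry styled differently from its `(string, optional) -` neighbours.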
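Review bot: the same `deny_null_bind` sentence is pasted into all 17 versioned `ldap.mdx` files, which is why one wording change needs 17 hunks and why the text can drift between versions. The pages already pull shared text with `@include 'ldap-auth-userfilter-warning.mdx'` (visible in the context lines of the v1.10.x through v1.20.x hunks); consider moving the description into a partial of the same kind so that the next wording or security clarification is a single edit.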