hashicorp · kevin-loehfelm · Oct 2, 2025 · Oct 2, 2025 · Oct 2, 2025 · Oct 3, 2025
@@ -60,8 +60,12 @@ This endpoint configures the LDAP auth method.
   username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
 - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a
   user.
-- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing
-  authentication when providing an empty password.
+- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication 
+  attempts when the user provides an empty password (null binds). Setting
+  `deny_null_bind` to `false` tells Vault to defer the handling of empty-password
+  authentication attempts to the LDAP server. You may want to allow LDAP
+  anonymous bind operations for directory configurations using anonymous search
+  or discovery.
 - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN
   string for the authenticating user. The constructed UPN will appear as
   `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind

@@ -126,7 +126,7 @@ There are two alternate methods of resolving the user object used to authenticat
 - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com`
 - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
 - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`.
-- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`.
+- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`.
 - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`.
 
 @include 'ldap-auth-userfilter-warning.mdx'

@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method.
   username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
 - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a
   user.
-- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing
-  authentication when providing an empty password.
+- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication 
+  attempts when the user provides an empty password (null binds). Setting
+  `deny_null_bind` to `false` tells Vault to defer the handling of empty-password
+  authentication attempts to the LDAP server. You may want to allow LDAP
+  anonymous bind operations for directory configurations using anonymous search
+  or discovery.
 - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN
   string for the authenticating user. The constructed UPN will appear as
   `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind

@@ -128,7 +128,7 @@ There are two alternate methods of resolving the user object used to authenticat
 - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com`
 - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
 - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`.
-- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`.
+- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`.
 - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`.
 
 @include 'ldap-auth-userfilter-warning.mdx'

@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method.
   username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
 - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a
   user.
-- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing
-  authentication when providing an empty password.
+- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication 
+  attempts when the user provides an empty password (null binds). Setting
+  `deny_null_bind` to `false` tells Vault to defer the handling of empty-password
+  authentication attempts to the LDAP server. You may want to allow LDAP
+  anonymous bind operations for directory configurations using anonymous search
+  or discovery.
 - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN
   string for the authenticating user. The constructed UPN will appear as
   `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind

@@ -128,7 +128,7 @@ There are two alternate methods of resolving the user object used to authenticat
 - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com`
 - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
 - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`.
-- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`.
+- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`.
 - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`.
 
 @include 'ldap-auth-userfilter-warning.mdx'

@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method.
   username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
 - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a
   user.
-- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing
-  authentication when providing an empty password.
+- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication 
+  attempts when the user provides an empty password (null binds). Setting
+  `deny_null_bind` to `false` tells Vault to defer the handling of empty-password
+  authentication attempts to the LDAP server. You may want to allow LDAP
+  anonymous bind operations for directory configurations using anonymous search
+  or discovery.
 - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN
   string for the authenticating user. The constructed UPN will appear as
   `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind

@@ -128,7 +128,7 @@ There are two alternate methods of resolving the user object used to authenticat
 - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com`
 - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
 - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`.
-- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`.
+- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`.
 - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`.
 
 @include 'ldap-auth-userfilter-warning.mdx'

@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method.
   username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
 - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a
   user.
-- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing
-  authentication when providing an empty password.
+- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication 
+  attempts when the user provides an empty password (null binds). Setting
+  `deny_null_bind` to `false` tells Vault to defer the handling of empty-password
+  authentication attempts to the LDAP server. You may want to allow LDAP
+  anonymous bind operations for directory configurations using anonymous search
+  or discovery.
 - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN
   string for the authenticating user. The constructed UPN will appear as
   `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind

@@ -128,7 +128,7 @@ There are two alternate methods of resolving the user object used to authenticat
 - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com`
 - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
 - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`.
-- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`.
+- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`.
 - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`.
 
 @include 'ldap-auth-userfilter-warning.mdx'

@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method.
   username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
 - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a
   user.
-- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing
-  authentication when providing an empty password.
+- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication 
+  attempts when the user provides an empty password (null binds). Setting
+  `deny_null_bind` to `false` tells Vault to defer the handling of empty-password
+  authentication attempts to the LDAP server. You may want to allow LDAP
+  anonymous bind operations for directory configurations using anonymous search
+  or discovery.
 - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN
   string for the authenticating user. The constructed UPN will appear as
   `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind

@@ -132,7 +132,7 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m
 - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com`
 - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
 - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`.
-- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`.
+- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`.
 - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`.
 
 @include 'ldap-auth-userfilter-warning.mdx'

@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method.
   username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
 - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a
   user.
-- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing
-  authentication when providing an empty password.
+- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication 
+  attempts when the user provides an empty password (null binds). Setting
+  `deny_null_bind` to `false` tells Vault to defer the handling of empty-password
+  authentication attempts to the LDAP server. You may want to allow LDAP
+  anonymous bind operations for directory configurations using anonymous search
+  or discovery.
 - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN
   string for the authenticating user. The constructed UPN will appear as
   `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind

@@ -132,7 +132,7 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m
 - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com`
 - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
 - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`.
-- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`.
+- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`.
 - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`.
 
 @include 'ldap-auth-userfilter-warning.mdx'

@@ -65,8 +65,12 @@ This endpoint configures the LDAP auth method.
   username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
 - `discoverdn` `(bool: false)` – Use anonymous bind to discover the bind DN of a
   user.
-- `deny_null_bind` `(bool: true)` – This option prevents users from bypassing
-  authentication when providing an empty password.
+- `deny_null_bind` `(bool: true)` – By default, Vault prevents LDAP authentication 
+  attempts when the user provides an empty password (null binds). Setting
+  `deny_null_bind` to `false` tells Vault to defer the handling of empty-password
+  authentication attempts to the LDAP server. You may want to allow LDAP
+  anonymous bind operations for directory configurations using anonymous search
+  or discovery.
 - `upndomain` `(string: "")` – The userPrincipalDomain used to construct the UPN
   string for the authenticating user. The constructed UPN will appear as
   `[username]@UPNDomain`. Example: `example.com`, which will cause vault to bind