hashicorp · fairclothjm · Oct 15, 2025 · Oct 13, 2025 · Oct 14, 2025 · Oct 14, 2025
@@ -51,15 +51,15 @@ The secrets engine has three primary features:
    Note: it's not possible to retrieve the generated password once rotated by Vault.
    It's recommended a dedicated entry management account be created specifically for Vault.
 
-### Schemas
+## Schemas
 
 The LDAP Secret Engine supports three different schemas:
 
 - `openldap` (default)
 - `racf`
 - `ad`
 
-#### OpenLDAP
+### OpenLDAP
 
 By default, the LDAP Secret Engine assumes the entry password is stored in `userPassword`.
 There are many object classes that provide `userPassword` including for example:
@@ -71,24 +71,54 @@ There are many object classes that provide `userPassword` including for example:
 - `person`
 - `posixAccount`
 
-#### Resource access control facility (RACF)
+### Resource access control facility (RACF)
 
-For managing IBM's Resource Access Control Facility (RACF) security system, the secret
-engine must be configured to use the schema `racf`.
+To manage credentials for an IBM Resource Access Control Facility (RACF), 
+configure the LDAP secrets engine with the `racf` schema to enable the
+behaviors required for RACF compatibility.
 
-Generated passwords must be 8 characters or less to support RACF. The length of the
-password can be configured using a [password policy](/vault/docs/concepts/password-policies):
+#### Password vs. password phrase credentials
 
-```bash
+The LDAP plugin supports traditional 8-character passwords and modern,
+longer password phrases through th
+[`credential_type`](/vault/api-docs/secret/ldap#credential_type) parameter:
+
+- `password` (Default): Configure the plugin to generate and manage standard RACF passwords.
+
+- `phrase`: Configure the plugin to generate and manage case-sensitive password phrases.
+
+#### Configure password rules
+
+The RACF schema does not control the credential complexity rules directly.
+To enforce site-specific complexity requirements, define and link a
+standard Vault [password policy](/vault/docs/concepts/password-policies)
+to your RACF schema.
+
+#### Example configuration
+
+The following example configures the LDAP engine for RACF, sets it to manage
+password phrases, and links a password policy to enforce length and
+complexity.
+
+```shell-session
+$ cat > /tmp/password_policy.hcl <<-EOF
+length = 20
+rule "charset" {
+  charset = "abcdefghijklmnopqrstuvwxyz"
+  min-chars = 1
+}
+EOF
+$ vault write sys/policies/password/racf_password_policy policy=@/tmp/password_policy.hcl
 $ vault write ldap/config \
-	binddn=$USERNAME \
-	bindpass=$PASSWORD \
-	url=ldaps://138.91.247.105 \
-	schema=racf \
-	password_policy=racf_password_policy
+    binddn="$USERNAME" \
+    bindpass="$PASSWORD" \
+    url="ldaps://138.91.247.105" \
+    schema="racf" \
+    credential_type="phrase" \
+    password_policy="racf_password_policy"
 ```
 
-#### Active directory (AD)
+### Active directory (AD)
 
 For managing Active Directory instances, the secret engine must be configured to use the
 schema `ad`.

@@ -51,15 +51,15 @@ The secrets engine has three primary features:
    Note: it's not possible to retrieve the generated password once rotated by Vault.
    It's recommended a dedicated entry management account be created specifically for Vault.
 
-### Schemas
+## Schemas
 
 The LDAP Secret Engine supports three different schemas:
 
 - `openldap` (default)
 - `racf`
 - `ad`
 
-#### OpenLDAP
+### OpenLDAP
 
 By default, the LDAP Secret Engine assumes the entry password is stored in `userPassword`.
 There are many object classes that provide `userPassword` including for example:
@@ -71,24 +71,55 @@ There are many object classes that provide `userPassword` including for example:
 - `person`
 - `posixAccount`
 
-#### Resource access control facility (RACF)
+### Resource access control facility (RACF)
 
-For managing IBM's Resource Access Control Facility (RACF) security system, the secret
-engine must be configured to use the schema `racf`.
+To manage credentials for an IBM Resource Access Control Facility (RACF), 
+configure the LDAP secrets engine with the `racf` schema to enable the
+behaviors required for RACF compatibility.
 
-Generated passwords must be 8 characters or less to support RACF. The length of the
-password can be configured using a [password policy](/vault/docs/concepts/password-policies):
+#### Password vs. password phrase credentials
 
-```bash
+The LDAP plugin supports traditional 8-character passwords and modern,
+longer password phrases through th
+[`credential_type`](/vault/api-docs/secret/ldap#credential_type) parameter:
+
+- `password` (Default): Configure the plugin to generate and manage standard RACF passwords.
+- `phrase`: Configure the plugin to generate and manage case-sensitive password phrases.
+
+
+#### Configure password rules
+
+The RACF schema does not control the credential complexity rules directly.
+To enforce site-specific complexity requirements, define and link a
+standard Vault [password policy](/vault/docs/concepts/password-policies)
+to your RACF schema.
+
+
+#### Example configuration
+
+The following example configures the LDAP engine for RACF, sets it to manage
+password phrases, and links a password policy to enforce length and
+complexity.
+
+```shell-session
+$ cat > /tmp/password_policy.hcl <<-EOF
+length = 20
+rule "charset" {
+  charset = "abcdefghijklmnopqrstuvwxyz"
+  min-chars = 1
+}
+EOF
+$ vault write sys/policies/password/racf_password_policy policy=@/tmp/password_policy.hcl
 $ vault write ldap/config \
-	binddn=$USERNAME \
-	bindpass=$PASSWORD \
-	url=ldaps://138.91.247.105 \
-	schema=racf \
-	password_policy=racf_password_policy
+    binddn="$USERNAME" \
+    bindpass="$PASSWORD" \
+    url="ldaps://138.91.247.105" \
+    schema="racf" \
+    credential_type="phrase" \
+    password_policy="racf_password_policy"
 ```
 
-#### Active directory (AD)
+### Active directory (AD)
 
 For managing Active Directory instances, the secret engine must be configured to use the
 schema `ad`.

@@ -51,15 +51,15 @@ The secrets engine has three primary features:
    Note: it's not possible to retrieve the generated password once rotated by Vault.
    It's recommended a dedicated entry management account be created specifically for Vault.
 
-### Schemas
+## Schemas
 
 The LDAP Secret Engine supports three different schemas:
 
 - `openldap` (default)
 - `racf`
 - `ad`
 
-#### OpenLDAP
+### OpenLDAP
 
 By default, the LDAP Secret Engine assumes the entry password is stored in `userPassword`.
 There are many object classes that provide `userPassword` including for example:
@@ -71,24 +71,55 @@ There are many object classes that provide `userPassword` including for example:
 - `person`
 - `posixAccount`
 
-#### Resource access control facility (RACF)
+### Resource access control facility (RACF)
 
-For managing IBM's Resource Access Control Facility (RACF) security system, the secret
-engine must be configured to use the schema `racf`.
+To manage credentials for an IBM Resource Access Control Facility (RACF), 
+configure the LDAP secrets engine with the `racf` schema to enable the
+behaviors required for RACF compatibility.
 
-Generated passwords must be 8 characters or less to support RACF. The length of the
-password can be configured using a [password policy](/vault/docs/concepts/password-policies):
+#### Password vs. password phrase credentials
 
-```bash
+The LDAP plugin supports traditional 8-character passwords and modern,
+longer password phrases through th
+[`credential_type`](/vault/api-docs/secret/ldap#credential_type) parameter:
+
+- `password` (Default): Configure the plugin to generate and manage standard RACF passwords.
+- `phrase`: Configure the plugin to generate and manage case-sensitive password phrases.
+
+
+#### Configure password rules
+
+The RACF schema does not control the credential complexity rules directly.
+To enforce site-specific complexity requirements, define and link a
+standard Vault [password policy](/vault/docs/concepts/password-policies)
+to your RACF schema.
+
+
+#### Example configuration
+
+The following example configures the LDAP engine for RACF, sets it to manage
+password phrases, and links a password policy to enforce length and
+complexity.
+
+```shell-session
+$ cat > /tmp/password_policy.hcl <<-EOF
+length = 20
+rule "charset" {
+  charset = "abcdefghijklmnopqrstuvwxyz"
+  min-chars = 1
+}
+EOF
+$ vault write sys/policies/password/racf_password_policy policy=@/tmp/password_policy.hcl
 $ vault write ldap/config \
-	binddn=$USERNAME \
-	bindpass=$PASSWORD \
-	url=ldaps://138.91.247.105 \
-	schema=racf \
-	password_policy=racf_password_policy
+    binddn="$USERNAME" \
+    bindpass="$PASSWORD" \
+    url="ldaps://138.91.247.105" \
+    schema="racf" \
+    credential_type="phrase" \
+    password_policy="racf_password_policy"
 ```
 
-#### Active directory (AD)
+### Active directory (AD)
 
 For managing Active Directory instances, the secret engine must be configured to use the
 schema `ad`.

@@ -51,15 +51,15 @@ The secrets engine has three primary features:
    Note: it's not possible to retrieve the generated password once rotated by Vault.
    It's recommended a dedicated entry management account be created specifically for Vault.
 
-### Schemas
+## Schemas
 
 The LDAP Secret Engine supports three different schemas:
 
 - `openldap` (default)
 - `racf`
 - `ad`
 
-#### OpenLDAP
+### OpenLDAP
 
 By default, the LDAP Secret Engine assumes the entry password is stored in `userPassword`.
 There are many object classes that provide `userPassword` including for example:
@@ -71,24 +71,55 @@ There are many object classes that provide `userPassword` including for example:
 - `person`
 - `posixAccount`
 
-#### Resource access control facility (RACF)
+### Resource access control facility (RACF)
 
-For managing IBM's Resource Access Control Facility (RACF) security system, the secret
-engine must be configured to use the schema `racf`.
+To manage credentials for an IBM Resource Access Control Facility (RACF), 
+configure the LDAP secrets engine with the `racf` schema to enable the
+behaviors required for RACF compatibility.
 
-Generated passwords must be 8 characters or less to support RACF. The length of the
-password can be configured using a [password policy](/vault/docs/concepts/password-policies):
+#### Password vs. password phrase credentials
 
-```bash
+The LDAP plugin supports traditional 8-character passwords and modern,
+longer password phrases through th
+[`credential_type`](/vault/api-docs/secret/ldap#credential_type) parameter:
+
+- `password` (Default): Configure the plugin to generate and manage standard RACF passwords.
+- `phrase`: Configure the plugin to generate and manage case-sensitive password phrases.
+
+
+#### Configure password rules
+
+The RACF schema does not control the credential complexity rules directly.
+To enforce site-specific complexity requirements, define and link a
+standard Vault [password policy](/vault/docs/concepts/password-policies)
+to your RACF schema.
+
+
+#### Example configuration
+
+The following example configures the LDAP engine for RACF, sets it to manage
+password phrases, and links a password policy to enforce length and
+complexity.
+
+```shell-session
+$ cat > /tmp/password_policy.hcl <<-EOF
+length = 20
+rule "charset" {
+  charset = "abcdefghijklmnopqrstuvwxyz"
+  min-chars = 1
+}
+EOF
+$ vault write sys/policies/password/racf_password_policy policy=@/tmp/password_policy.hcl
 $ vault write ldap/config \
-	binddn=$USERNAME \
-	bindpass=$PASSWORD \
-	url=ldaps://138.91.247.105 \
-	schema=racf \
-	password_policy=racf_password_policy
+    binddn="$USERNAME" \
+    bindpass="$PASSWORD" \
+    url="ldaps://138.91.247.105" \
+    schema="racf" \
+    credential_type="phrase" \
+    password_policy="racf_password_policy"
 ```
 
-#### Active directory (AD)
+### Active directory (AD)
 
 For managing Active Directory instances, the secret engine must be configured to use the
 schema `ad`.