Hello,

for example, no matter how initial root password had been created a call to a rotate-root converts it into the plain-text password, therefore it could be possible to read newly generated password.

On the picture below you may see the root user password in plain-text after the rotation had been performed by Vault with the call to openldap/rotate-root API endpoint

There is a option supported by OpenLDAP itself to store password hashes like SSHA, SHA512, and others per RFC 2307. So I see it could be implemented as additional parameter to the rotate-root API method, something like password_type and list of options SSHA, SHA, etc.

vault write -f openldap/rotate-root password_type='SSHA'

And if not specified it must be secure by default, e.g. SSHA.

Thank you!

Hello,

Is it possible to push my own password instead of generating a dynamic one?

My ldap server expects client certificates, which is not a problem, as I can supply them with tls_client_X in the config of the ldap backend.

The problem is how am I supposed to rotate the certificates? Vault itself generates those and I want to make them short lived. But I can't update them after the fact because the password is required for the /config endpoint and I don't have that any more after /rotate-root.

In general, it would be way more convenient to be able to specify certificate files, so I can just use the regular way of vault agent to keep renewing the certificates.

Most enterprise environment requires there own CA.
Please can you add a tls section to the config to be able to add custom TLS Paramters as the library support the tls.Config go-ldap/ldap#180 (comment)