From 1f880f85a55f4bd9bd1edae394400dba729dbfe5 Mon Sep 17 00:00:00 2001 From: Becca Petrin Date: Fri, 26 Apr 2019 16:31:11 -0700 Subject: [PATCH] changes from feedback --- website/source/api/secret/ad/index.html.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/website/source/api/secret/ad/index.html.md b/website/source/api/secret/ad/index.html.md index 4ebaf3b87a..840dd891d5 100644 --- a/website/source/api/secret/ad/index.html.md +++ b/website/source/api/secret/ad/index.html.md @@ -48,11 +48,12 @@ text that fulfills those requirements. `{{PASSWORD}}` must appear exactly once a ### Other parameters -* `last_rotation_tolerance` (string, optional) - Active Directory often shows a "pwdLastSet" time after Vault's because it takes +* `last_rotation_tolerance` (string, optional) - Tolerance duration to use when checking the last rotation time. +Active Directory often shows a "pwdLastSet" time after Vault's because it takes a while for password updates to be propagated across a large cluster. By default, if Active Directory's last rotation time is within 5 seconds of Vault's, Vault considers itself to have been the last entity that rotated the password. However, if it's been more than 5 seconds, Vault thinks that something rotated the password out-of-band, and re-rotates it so it will "know" it and be -able to continue returning it. This may be too high for larger Active Directory clusters, and too low for smaller ones. +able to continue returning it. This may be too low for larger Active Directory clusters, and too high for smaller ones. ## Config management
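Review bot: In the `last_rotation_tolerance` bullet, the parameter is typed as `string`, but neither the new first sentence nor the rest of the description gives the accepted format or states the default as a value; the default only appears in prose as "within 5 seconds". Suggest extending the added sentence to name the format with an example value and to state the default explicitly, so a reader does not have to infer it from the explanation. The corrected last sentence would also help operators more if it spelled out the consequence in each direction: going by the preceding sentences, a tolerance that is too low makes Vault read propagation delay as an out-of-band change and re-rotate the password, while one that is too high means a real out-of-band change inside the window is treated as Vault's own rotation. Minor style point: the continuation line starting "Active Directory often shows" now begins at column 0 directly under the bullet, so it is worth checking that the site renders it as part of the list item.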