docs: ldap secrets hierarchical paths (#27203)

* docs: ldap secrets hierarchical paths * changelog * Apply suggestions from code review Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> * role_name => set_name --------- Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
2025-08-17 20:17:00 +02:00 · 2024-05-24 09:10:59 -05:00 · 2024-05-24 09:10:59 -05:00 · f528036e45
commit f528036e45
parent 7438d63f81
3 changed files with 163 additions and 34 deletions
--- a/changelog/27203.txt
+++ b/changelog/27203.txt
@ -0,0 +1,3 @@
+```release-note:feature
+**LDAP Secrets engine hierarchical path support**: Hierarchical path handling is now supported for role and set APIs.
+```
--- a/website/content/api-docs/secret/ldap.mdx
+++ b/website/content/api-docs/secret/ldap.mdx
@ -166,11 +166,15 @@ The `static-role` endpoint configures Vault to manage the passwords of existing
 | :------- | :--------------------------------- |
 | `GET`    | `/ldap/static-role`            |
 | `GET`    | `/ldap/static-role/:role_name` |
+| `LIST`   | `/ldap/static-role/:role_name` |
 | `POST`   | `/ldap/static-role/:role_name` |
 | `DELETE` | `/ldap/static-role/:role_name` |

 ### Parameters

+- `role_name` `(string: <required>)` – URL parameter specifying the name of the
+  role. Role name can contain an arbitrary number of forward slashes to define a
+  [hierarchical path](/vault/docs/secrets/ldap#hierarchical-paths).
 - `username` `(string: <required>)` - The username of the existing LDAP entry to manage
  password rotation for. LDAP search for the username will be rooted at the [userdn](/vault/api-docs/secret/ldap#userdn)
  configuration value. The attribute to use when searching for the user can be configured
@ -245,7 +249,12 @@ The `static-cred` endpoint offers the credential information for a given static-
 | :----- | :--------------------------------- |
 | `GET`  | `/ldap/static-cred/:role_name` |

-#### Sample get request
+### Parameters
+
+- `role_name` `(string: <required>)` – URL parameter specifying the name of the
+  role.
+
+#### Sample GET request

 ```shell-session
 $ curl \
@ -254,7 +263,7 @@ $ curl \
    http://127.0.0.1:8200/v1/ldap/static-cred/hashicorp
 ```

-#### Sample get response
+#### Sample GET response

 ```json
 {
@ -276,6 +285,11 @@ The `rotate-role` endpoint rotates the password of an existing static role.
 | :----- | :--------------------------------- |
 | `POST` | `/ldap/rotate-role/:role_name` |

+### Parameters
+
+- `role_name` `(string: <required>)` – URL parameter specifying the name of the
+  role.
+
 ### Sample request

 ```shell-session
@ -296,6 +310,7 @@ Creates, updates, or deletes a dynamic role.

 | Method   | Path                        |
 | :------- | :-------------------------- |
+| `GET`    | `/ldap/role/:role_name` |
 | `POST`   | `/ldap/role/:role_name` |
 | `DELETE` | `/ldap/role/:role_name` |

@ -305,7 +320,9 @@ empty string as the value. Example: `vault write ldap/role/myrole default_ttl=""

 #### Parameters

- `role_name` `(string, required)` - The name of the dynamic role.
+- `role_name` `(string: <required>)` – URL parameter specifying the name of the
+  role. Role name can contain an arbitrary number of forward slashes to define a
+  [hierarchical path](/vault/docs/secrets/ldap#hierarchical-paths).
 - `creation_ldif` `(string, required)` - A templatized LDIF string used to create a user account. This may contain
  multiple LDIF entries. The `creation_ldif` can also be used to add the user account to an **_existing_** group.
  All LDIF entries are performed in order. If Vault encounters an error while executing the `creation_ldif` it will
@ -409,29 +426,6 @@ $ curl \
    http://127.0.0.1:8200/v1/ldap/role/dynamic-role
 ```

-### Read dynamic role configuration
-
-Retrieves a dynamic role's configuration.
-
-| Method | Path                        |
-| ------ | --------------------------- |
-| `GET`  | `/ldap/role/:role_name` |
-
-#### Response
-
-`200 OK`
-
-```json
-{
-  "creation_ldif": "...",
-  "default_ttl": 1800,
-  "deletion_ldif": "...",
-  "max_ttl": 0,
-  "rollback_ldif": "...",
-  "username_template": "..."
-}
-```
-
 ### Templates

 LDIF and username templates use the [Go template syntax](https://golang.org/pkg/text/template/) to construct the
@ -567,7 +561,12 @@ The `creds` endpoint offers the credential information for a given dynamic role.
 | :----- | :--------------------------------- |
 | `GET`  | `/ldap/creds/:role_name` |

-#### Sample get request
+### Parameters
+
+- `role_name` `(string: <required>)` – URL parameter specifying the name of the
+  role.
+
+#### Sample GET request

 ```shell-session
 $ curl \
@ -576,7 +575,7 @@ $ curl \
    http://127.0.0.1:8200/v1/ldap/creds/dynamic-role
 ```

-#### Sample get response
+#### Sample GET response

 ```json
 {
@ -595,6 +594,7 @@ The `library` endpoint configures the sets of service accounts that Vault will o
 | Method   | Path                    |
 | :------- | :---------------------- |
 | `LIST`   | `/ldap/library`           |
+| `LIST`   | `/ldap/library/:set_name` |
 | `POST`   | `/ldap/library/:set_name` |
 | `GET`    | `/ldap/library/:set_name` |
 | `DELETE` | `/ldap/library/:set_name` |
@ -603,7 +603,8 @@ When adding a service account to the library, Vault verifies it already exists i

 ### Parameters

- `name` `(string: "", required)` - The name of the set of service accounts.
+- `set_name` `(string: <required>)` – URL parameter specifying the name of the
+  set.
 - `service_account_names` `(string: "", or list: [] required)` - The names of all the service accounts that can be
  checked out from this set. These service accounts must only be used by Vault, and may only be in one set. These
  service accounts must already exist in the LDAP directory.
@ -648,12 +649,48 @@ $ curl \
 }
 ```

-### Sample LIST response
+### Sample LIST request

-Performing a `LIST` on the `/ldap/library` endpoint will list the names of all the sets of service accounts Vault contains.
+Use the `/ldap/library` endpoint to list the top-level set names of service
+accounts in Vault. Refer to the LDAP secrets engine
+[hierarchical paths](/vault/docs/secrets/ldap#hierarchical-paths) documentation
+for more information on path-based names.
+
+For example:
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/ldap/library
+```
+
+#### Sample LIST response

 ```json
-["accounting-team"]
+["accounting-team", "dev/"]
+```
+
+### Sample LIST request
+
+Use the `/ldap/library` endpoint to list the top-level set names of service
+accounts in Vault at the given path. Refer to the LDAP secrets engine
+[hierarchical paths](/vault/docs/secrets/ldap#hierarchical-paths) documentation
+for more information on path-based names.
+
+For example:
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/ldap/library/dev
+```
+
+#### Sample LIST response
+
+```json
+["backend", "frontend"]
 ```

 ## Library set status check
@ -664,6 +701,12 @@ This endpoint provides the check-out status of service accounts in a library set
 | :----- | :----------------------------- |
 | `GET`  | `/ldap/library/:set_name/status` |

+### Parameters
+
+- `set_name` `(string: "", required)` - URL parameter specifying the set name of
+  the requested service accounts. The set name can contain an arbitrary number of
+  forward slashes to define a [hierarchical path](/vault/docs/secrets/ldap#hierarchical-paths).
+
 ### Sample GET request

 ```shell-session
@ -709,7 +752,9 @@ Returns a `200` if a credential is available, and a `400` if no credential is av

 ### Parameters

- `name` `(string: "", required)` - The name of the set of service accounts.
+- `set_name` `(string: "", required)` - URL parameter specifying the set name of
+  the requested service accounts. The set name can contain an arbitrary number of
+  forward slashes to define a [hierarchical path](/vault/docs/secrets/ldap#hierarchical-paths).
 - `ttl` `(duration: "", optional)` - The maximum amount of time a check-out lasts before Vault
  automatically checks it back in. Setting it to zero reflects an unlimited lending period.
  Defaults to the set's `ttl`. If the requested `ttl` is higher than the set's, the set's will be used.
@ -771,7 +816,9 @@ in _by this particular call_.

 ### Parameters

- `name` `(string: "", required)` - The name of the set of service accounts.
+- `set_name` `(string: "", required)` - URL parameter specifying the set name of
+  the requested service accounts. The set name can contain an arbitrary number of
+  forward slashes to define a [hierarchical path](/vault/docs/secrets/ldap#hierarchical-paths).
 - `service_account_names` `(string: "", or list: [] optional)` - The names of all the service accounts to be
  checked in. May be omitted if only one is checked out.

--- a/website/content/docs/secrets/ldap.mdx
+++ b/website/content/docs/secrets/ldap.mdx
@ -462,6 +462,85 @@ olcPPolicyHashCleartext: TRUE
 olcPPolicyUseLockout: TRUE
 ```

+## Hierarchical paths
+
+The LDAP secrets engine lets you define role and set names that contain an
+arbitrary number of forward slashes. Names with forward slashes define
+hierarchical path structures.
+
+For example, you can configure two static roles with the names `org/secure` and `org/platform/dev`:
+
+```shell-session
+$ vault write ldap/static-role/org/secure \
+    username="user1" \
+    rotation_period="1h"
+Success! Data written to: ldap/static-role/org/secure
+
+$ vault write ldap/static-role/org/platform/dev \
+    username="user2" \
+    rotation_period="1h"
+Success! Data written to: ldap/static-role/org/platform/dev
+```
+
+Names with hierarchical paths let you use the Vault API to query the available
+roles at a specific path with arbitrary depth. Names that end with a forward
+slash indicate that sub-paths reside under that path.
+
+For example, to list all direct children under the `org/` path:
+
+```shell-session
+$ vault list ldap/static-role/org/
+Keys
+----
+platform/
+secure
+```
+
+The `platform/` key also ends in a forward slash. To list the `platform` sub-keys:
+
+```shell-session
+$ vault list ldap/static-role/org/platform
+Keys
+----
+dev
+```
+
+You can read and rotate credentials using the same role name and the respective
+APIs. For example,
+
+```shell-session
+$ vault read ldap/static-cred/org/platform/dev
+Key                    Value
+---                    -----
+dn                     n/a
+last_password          a3sQ6OkmXKt2dtx22kAt36YLkkxLsg4RmhMZCLYCBCbvvv67ILROaOokdCaGPEAE
+last_vault_rotation    2024-05-03T16:39:27.174164-05:00
+password               ECf7ZoxfDxGuJEYZrzgzTffSIDI4tx5TojBR9wuEGp8bqUXbl4Kr9eAgPjmizcvg
+rotation_period        5m
+ttl                    4m58s
+username               user2
+```
+
+```shell-session
+$ vault write -f ldap/rotate-role/org/platform/dev
+```
+
+Since [Vault policies](/vault/docs/concepts/policies) are also path-based,
+hierarchical names also let you define policies that map 1-1 to LDAP secrets
+engine roles and set paths.
+
+The following Vault API endpoints support hierarchical path handling:
+
+- [Static roles](/vault/api-docs/secret/ldap#static-roles)
+- [Static role passwords](/vault/api-docs/secret/ldap#static-role-passwords)
+- [Manually rotate static role password](/vault/api-docs/secret/ldap#manually-rotate-static-role-password)
+- [Dynamic roles](/vault/api-docs/secret/ldap#dynamic-roles)
+- [Dynamic role passwords](/vault/api-docs/secret/ldap#dynamic-role-passwords)
+- [Library set management](/vault/api-docs/secret/ldap#library-set-management)
+- [Library set status check](/vault/api-docs/secret/ldap#library-set-status-check)
+- [Check-Out management](/vault/api-docs/secret/ldap#check-out-management)
+- [Check-In management](/vault/api-docs/secret/ldap#check-in-management)
+
 ## Tutorial

 Refer to the [LDAP Secrets Engine](/vault/tutorials/secrets-management/openldap)