IBM Vault Enterprise 2.0 Ships LDAP Secrets Management
What shipped
HashiCorp (now IBM Vault Enterprise) has added native LDAP secrets management to Vault 2.0. The feature lets Vault rotate, lease and audit LDAP credentials the same way it already handles database, cloud-IAM and SSH credentials, without your apps having to know how LDAP works.
Why LDAP still matters in 2026
For a lot of mid-market and enterprise environments we walk into, LDAP / Active Directory is still the **root of trust** for human identities, machine identities and service accounts. Even when the front-end app is fully cloud-native, the credential that opens the door to the file share, the printer or the line-of-business app is still an LDAP credential, often with a 2017-era rotation policy of "we changed it once".
Why this matters for KYAX clients
If you run any of the following, this release is relevant:
- A static LDAP service account hard-coded into a config file somewhere.
- LDAP credentials that haven't been rotated since the person who issued them left the company.
- Apps that bind to LDAP directly, with no audit trail of which workload used which credential.
Routing those bindings through Vault gives you short-lived credentials, an audit log, and a circuit-breaker if a workload is compromised. We typically combine this with Vault's existing PKI engine to also rotate the TLS certs your apps use to talk to the directory. Both should be table-stakes by now; this release removes the last "we'd need to write our own plugin" excuse.
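Before any binding can be routed through Vault, the static accounts in the first bullet have to be found. The sketch below is an added example, not code from KYAX or HashiCorp: it scans config text for literal LDAP bind passwords and reports the bind DN they belong to. The key-name patterns, function names and sample files are assumptions constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Key-name patterns are assumptions covering common spellings, not a complete list.
KV = re.compile(r"""^\s*["']?([A-Za-z][\w.\-]*)["']?\s*[:=]\s*(.*?)\s*,?\s*$""")
DN_KEY = re.compile(r"bind[_.-]?(dn|user)", re.I)
PW_KEY = re.compile(r"(bind[_.-]?(pw|pass|cred)|ldap[_.-]?pass)", re.I)
# Values resolved at runtime (env var or template) are not hard-coded secrets.
INDIRECT = re.compile(r"^(\$\{.+\}|\$\w+|\{\{.+\}\})$")

class Finding(NamedTuple):
    path: str
    line: int
    key: str
    bind_dn: Optional[str]  # the account to move to managed rotation

def scan_text(path, text):
    """Return one Finding per literal bind password; the secret is never echoed."""
    bind_dn, hits = None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = KV.match(raw)
        if not m:
            continue  # comment lines and anything that is not key/value
        key, value = m.group(1), m.group(2).strip("'\"")
        if DN_KEY.search(key):
            bind_dn = bind_dn or value  # first bind DN in the file
        elif PW_KEY.search(key) and value and not INDIRECT.match(value):
            hits.append((lineno, key))
    return [Finding(path, n, k, bind_dn) for n, k in hits]

def scan_files(files):
    """files maps path -> file content; results are ordered by path."""
    return [f for p, t in sorted(files.items()) for f in scan_text(p, t)]

# Constructed sample configs: one literal password, one environment reference.
SAMPLE_FILES = {
    "app/ldap.properties": "ldap.url=ldap://dc01.example.internal:389\n"
    "ldap.bind.dn=cn=svc-print,ou=service,dc=example,dc=internal\n"
    "ldap.bind.password=Constructed-Example-1\n",
    "web/config.yaml": "ldap:\n"
    "  bind_dn: cn=svc-web,ou=service,dc=example,dc=internal\n"
    "  bind_password: ${LDAP_BIND_PASSWORD}\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.key} is a literal password for {f.bind_dn}")
```

Each finding names a file, a line and a bind DN, which is the inventory needed to decide which service accounts to migrate first.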
---
*Source: [HashiCorp Blog](https://www.hashicorp.com/blog/ldap-secrets-management-now-available-in-ibm-vault-enterprise-20), David Mills, 2026-05-07. Commentary is original to KYAX.*