Refactor common token fields and operations into a helper (#5953)

2019-01-30 16:23:28 -05:00 · 2019-01-30 16:23:28 -05:00 · 85a560abba
parent 3592bfdcb0
commit 85a560abba
40 changed files with 1139 additions and 757 deletions
--- a/audit/format.go
+++ b/audit/format.go
@ -131,6 +131,7 @@ func (f *AuditFormatter) FormatRequest(ctx context.Context, w io.Writer, config
 			TokenPolicies:             auth.TokenPolicies,
 			IdentityPolicies:          auth.IdentityPolicies,
 			ExternalNamespacePolicies: auth.ExternalNamespacePolicies,
 			NoDefaultPolicy:           auth.NoDefaultPolicy,
 			Metadata:                  auth.Metadata,
 			EntityID:                  auth.EntityID,
 			RemainingUses:             req.ClientTokenRemainingUses,
@ -303,6 +304,7 @@ func (f *AuditFormatter) FormatResponse(ctx context.Context, w io.Writer, config
 			TokenPolicies:             resp.Auth.TokenPolicies,
 			IdentityPolicies:          resp.Auth.IdentityPolicies,
 			ExternalNamespacePolicies: resp.Auth.ExternalNamespacePolicies,
 			NoDefaultPolicy:           resp.Auth.NoDefaultPolicy,
 			Metadata:                  resp.Auth.Metadata,
 			NumUses:                   resp.Auth.NumUses,
 			EntityID:                  resp.Auth.EntityID,
@ -344,6 +346,7 @@ func (f *AuditFormatter) FormatResponse(ctx context.Context, w io.Writer, config
 			TokenPolicies:             auth.TokenPolicies,
 			IdentityPolicies:          auth.IdentityPolicies,
 			ExternalNamespacePolicies: auth.ExternalNamespacePolicies,
 			NoDefaultPolicy:           auth.NoDefaultPolicy,
 			Metadata:                  auth.Metadata,
 			RemainingUses:             req.ClientTokenRemainingUses,
 			EntityID:                  auth.EntityID,
@ -437,6 +440,7 @@ type AuditAuth struct {
 	TokenPolicies             []string            `json:"token_policies,omitempty"`
 	IdentityPolicies          []string            `json:"identity_policies,omitempty"`
 	ExternalNamespacePolicies map[string][]string `json:"external_namespace_policies,omitempty"`
 	NoDefaultPolicy           bool                `json:"no_default_policy,omitempty"`
 	Metadata                  map[string]string   `json:"metadata"`
 	NumUses                   int                 `json:"num_uses,omitempty"`
 	RemainingUses             int                 `json:"remaining_uses,omitempty"`
--- a/audit/format_json_test.go
+++ b/audit/format_json_test.go
@ -38,11 +38,12 @@ func TestFormatJSON_formatRequest(t *testing.T) {
 	}{
 		"auth, request": {
 			&logical.Auth{
-				ClientToken: "foo",
+				ClientToken:     "foo",
-				Accessor:    "bar",
+				Accessor:        "bar",
-				DisplayName: "testtoken",
+				DisplayName:     "testtoken",
-				Policies:    []string{"root"},
+				NoDefaultPolicy: true,
-				TokenType:   logical.TokenTypeService,
+				Policies:        []string{"root"},
 				TokenType:       logical.TokenTypeService,
 			},
 			&logical.Request{
 				Operation: logical.UpdateOperation,
@ -63,11 +64,12 @@ func TestFormatJSON_formatRequest(t *testing.T) {
 		},
 		"auth, request with prefix": {
 			&logical.Auth{
-				ClientToken: "foo",
+				ClientToken:     "foo",
-				Accessor:    "bar",
+				Accessor:        "bar",
-				DisplayName: "testtoken",
+				DisplayName:     "testtoken",
-				Policies:    []string{"root"},
+				NoDefaultPolicy: true,
-				TokenType:   logical.TokenTypeService,
+				Policies:        []string{"root"},
 				TokenType:       logical.TokenTypeService,
 			},
 			&logical.Request{
 				Operation: logical.UpdateOperation,
@ -139,5 +141,5 @@ func TestFormatJSON_formatRequest(t *testing.T) {
 	}
 }
-const testFormatJSONReqBasicStrFmt = `{"time":"2015-08-05T13:45:46Z","type":"request","auth":{"client_token":"%s","accessor":"bar","display_name":"testtoken","policies":["root"],"metadata":null,"entity_id":"","token_type":"service"},"request":{"operation":"update","path":"/foo","data":null,"wrap_ttl":60,"remote_address":"127.0.0.1","headers":{"foo":["bar"]}},"error":"this is an error"}
+const testFormatJSONReqBasicStrFmt = `{"time":"2015-08-05T13:45:46Z","type":"request","auth":{"client_token":"%s","accessor":"bar","display_name":"testtoken","policies":["root"],"no_default_policy":true,"metadata":null,"entity_id":"","token_type":"service"},"request":{"operation":"update","path":"/foo","data":null,"wrap_ttl":60,"remote_address":"127.0.0.1","headers":{"foo":["bar"]}},"error":"this is an error"}
 `
--- a/audit/format_jsonx_test.go
+++ b/audit/format_jsonx_test.go
@ -37,11 +37,12 @@ func TestFormatJSONx_formatRequest(t *testing.T) {
 	}{
 		"auth, request": {
 			&logical.Auth{
-				ClientToken: "foo",
+				ClientToken:     "foo",
-				Accessor:    "bar",
+				Accessor:        "bar",
-				DisplayName: "testtoken",
+				DisplayName:     "testtoken",
-				Policies:    []string{"root"},
+				Policies:        []string{"root"},
-				TokenType:   logical.TokenTypeService,
+				NoDefaultPolicy: true,
 				TokenType:       logical.TokenTypeService,
 			},
 			&logical.Request{
 				Operation: logical.UpdateOperation,
@ -59,16 +60,17 @@ func TestFormatJSONx_formatRequest(t *testing.T) {
 			errors.New("this is an error"),
 			"",
 			"",
-			fmt.Sprintf(`<json:object name="auth"><json:string name="accessor">bar</json:string><json:string name="client_token">%s</json:string><json:string name="display_name">testtoken</json:string><json:string name="entity_id"></json:string><json:null name="metadata" /><json:array name="policies"><json:string>root</json:string></json:array><json:string name="token_type">service</json:string></json:object><json:string name="error">this is an error</json:string><json:object name="request"><json:string name="client_token"></json:string><json:string name="client_token_accessor"></json:string><json:null name="data" /><json:object name="headers"><json:array name="foo"><json:string>bar</json:string></json:array></json:object><json:string name="id"></json:string><json:object name="namespace"><json:string name="id">root</json:string><json:string name="path"></json:string></json:object><json:string name="operation">update</json:string><json:string name="path">/foo</json:string><json:boolean name="policy_override">false</json:boolean><json:string name="remote_address">127.0.0.1</json:string><json:number name="wrap_ttl">60</json:number></json:object><json:string name="type">request</json:string>`,
+			fmt.Sprintf(`<json:object name="auth"><json:string name="accessor">bar</json:string><json:string name="client_token">%s</json:string><json:string name="display_name">testtoken</json:string><json:string name="entity_id"></json:string><json:null name="metadata" /><json:boolean name="no_default_policy">true</json:boolean><json:array name="policies"><json:string>root</json:string></json:array><json:string name="token_type">service</json:string></json:object><json:string name="error">this is an error</json:string><json:object name="request"><json:string name="client_token"></json:string><json:string name="client_token_accessor"></json:string><json:null name="data" /><json:object name="headers"><json:array name="foo"><json:string>bar</json:string></json:array></json:object><json:string name="id"></json:string><json:object name="namespace"><json:string name="id">root</json:string><json:string name="path"></json:string></json:object><json:string name="operation">update</json:string><json:string name="path">/foo</json:string><json:boolean name="policy_override">false</json:boolean><json:string name="remote_address">127.0.0.1</json:string><json:number name="wrap_ttl">60</json:number></json:object><json:string name="type">request</json:string>`,
 				fooSalted),
 		},
 		"auth, request with prefix": {
 			&logical.Auth{
-				ClientToken: "foo",
+				ClientToken:     "foo",
-				Accessor:    "bar",
+				Accessor:        "bar",
-				DisplayName: "testtoken",
+				DisplayName:     "testtoken",
-				Policies:    []string{"root"},
+				NoDefaultPolicy: true,
-				TokenType:   logical.TokenTypeService,
+				Policies:        []string{"root"},
 				TokenType:       logical.TokenTypeService,
 			},
 			&logical.Request{
 				Operation: logical.UpdateOperation,
@ -86,7 +88,7 @@ func TestFormatJSONx_formatRequest(t *testing.T) {
 			errors.New("this is an error"),
 			"",
 			"@cee: ",
-			fmt.Sprintf(`<json:object name="auth"><json:string name="accessor">bar</json:string><json:string name="client_token">%s</json:string><json:string name="display_name">testtoken</json:string><json:string name="entity_id"></json:string><json:null name="metadata" /><json:array name="policies"><json:string>root</json:string></json:array><json:string name="token_type">service</json:string></json:object><json:string name="error">this is an error</json:string><json:object name="request"><json:string name="client_token"></json:string><json:string name="client_token_accessor"></json:string><json:null name="data" /><json:object name="headers"><json:array name="foo"><json:string>bar</json:string></json:array></json:object><json:string name="id"></json:string><json:object name="namespace"><json:string name="id">root</json:string><json:string name="path"></json:string></json:object><json:string name="operation">update</json:string><json:string name="path">/foo</json:string><json:boolean name="policy_override">false</json:boolean><json:string name="remote_address">127.0.0.1</json:string><json:number name="wrap_ttl">60</json:number></json:object><json:string name="type">request</json:string>`,
+			fmt.Sprintf(`<json:object name="auth"><json:string name="accessor">bar</json:string><json:string name="client_token">%s</json:string><json:string name="display_name">testtoken</json:string><json:string name="entity_id"></json:string><json:null name="metadata" /><json:boolean name="no_default_policy">true</json:boolean><json:array name="policies"><json:string>root</json:string></json:array><json:string name="token_type">service</json:string></json:object><json:string name="error">this is an error</json:string><json:object name="request"><json:string name="client_token"></json:string><json:string name="client_token_accessor"></json:string><json:null name="data" /><json:object name="headers"><json:array name="foo"><json:string>bar</json:string></json:array></json:object><json:string name="id"></json:string><json:object name="namespace"><json:string name="id">root</json:string><json:string name="path"></json:string></json:object><json:string name="operation">update</json:string><json:string name="path">/foo</json:string><json:boolean name="policy_override">false</json:boolean><json:string name="remote_address">127.0.0.1</json:string><json:number name="wrap_ttl">60</json:number></json:object><json:string name="type">request</json:string>`,
 				fooSalted),
 		},
 	}
--- a/builtin/credential/app-id/path_login.go
+++ b/builtin/credential/app-id/path_login.go
@ -116,9 +116,6 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, data *fra
 			DisplayName: displayName,
 			Policies:    policies,
 			Metadata:    metadata,
 			LeaseOptions: logical.LeaseOptions{
 				Renewable: true,
 			},
 			Alias: &logical.Alias{
 				Name: appId,
 			},
--- a/builtin/credential/approle/path_login.go
+++ b/builtin/credential/approle/path_login.go
@ -294,9 +294,8 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
 		Metadata: metadata,
 		Policies: role.Policies,
 		LeaseOptions: logical.LeaseOptions{
-			Renewable: true,
+			TTL:    role.TokenTTL,
-			TTL:       role.TokenTTL,
+			MaxTTL: role.TokenMaxTTL,
 			MaxTTL:    role.TokenMaxTTL,
 		},
 		Alias: &logical.Alias{
 			Name: role.RoleID,
--- a/builtin/credential/aws/path_login.go
+++ b/builtin/credential/aws/path_login.go
@ -825,9 +825,8 @@ func (b *backend) pathLoginUpdateEc2(ctx context.Context, req *logical.Request,
 				"ami_id":           identityDocParsed.AmiID,
 			},
 			LeaseOptions: logical.LeaseOptions{
-				Renewable: true,
+				TTL:    roleEntry.TTL,
-				TTL:       roleEntry.TTL,
+				MaxTTL: shortestMaxTTL,
 				MaxTTL:    shortestMaxTTL,
 			},
 			Alias: &logical.Alias{
 				Name: identityAlias,
@ -1338,9 +1337,8 @@ func (b *backend) pathLoginUpdateIam(ctx context.Context, req *logical.Request,
 			},
 			DisplayName: entity.FriendlyName,
 			LeaseOptions: logical.LeaseOptions{
-				Renewable: true,
+				TTL:    roleEntry.TTL,
-				TTL:       roleEntry.TTL,
+				MaxTTL: roleEntry.MaxTTL,
 				MaxTTL:    roleEntry.MaxTTL,
 			},
 			Alias: &logical.Alias{
 				Name: identityAlias,
--- a/builtin/credential/cert/backend_test.go
+++ b/builtin/credential/cert/backend_test.go
@ -21,14 +21,17 @@ import (
 	"testing"
 	"time"
 	"github.com/go-test/deep"
 	cleanhttp "github.com/hashicorp/go-cleanhttp"
 	log "github.com/hashicorp/go-hclog"
 	sockaddr "github.com/hashicorp/go-sockaddr"
 	"github.com/hashicorp/vault/api"
 	vaulthttp "github.com/hashicorp/vault/http"
 	rootcerts "github.com/hashicorp/go-rootcerts"
 	"github.com/hashicorp/vault/builtin/logical/pki"
 	"github.com/hashicorp/vault/helper/certutil"
 	"github.com/hashicorp/vault/helper/tokenhelper"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 	logicaltest "github.com/hashicorp/vault/logical/testing"
@ -1788,3 +1791,68 @@ func Test_Renew(t *testing.T) {
 		t.Fatal("expected error")
 	}
 }
 func TestBackend_CertUpgrade(t *testing.T) {
 	s := &logical.InmemStorage{}
 	config := logical.TestBackendConfig()
 	config.StorageView = s
 	ctx := context.Background()
 	b := Backend()
 	if b == nil {
 		t.Fatalf("failed to create backend")
 	}
 	if err := b.Setup(ctx, config); err != nil {
 		t.Fatal(err)
 	}
 	type B struct {
 		Policies   []string
 		TTL        time.Duration
 		MaxTTL     time.Duration
 		Period     time.Duration
 		BoundCIDRs []*sockaddr.SockAddrMarshaler
 	}
 	foo := &B{
 		Policies:   []string{"foo"},
 		TTL:        time.Second,
 		MaxTTL:     time.Second,
 		Period:     time.Second,
 		BoundCIDRs: []*sockaddr.SockAddrMarshaler{&sockaddr.SockAddrMarshaler{SockAddr: sockaddr.MustIPAddr("127.0.0.1")}},
 	}
 	entry, err := logical.StorageEntryJSON("cert/foo", foo)
 	if err != nil {
 		t.Fatal(err)
 	}
 	err = s.Put(ctx, entry)
 	if err != nil {
 		t.Fatal(err)
 	}
 	certEntry, err := b.Cert(ctx, s, "foo")
 	if err != nil {
 		t.Fatal(err)
 	}
 	exp := &CertEntry{
 		TokenParams: tokenhelper.TokenParams{
 			Policies:   []string{"foo"},
 			TTL:        time.Second,
 			MaxTTL:     time.Second,
 			Period:     time.Second,
 			BoundCIDRs: []*sockaddr.SockAddrMarshaler{&sockaddr.SockAddrMarshaler{SockAddr: sockaddr.MustIPAddr("127.0.0.1")}},
 		},
 		OldPolicies:   nil,
 		OldTTL:        0,
 		OldMaxTTL:     0,
 		OldPeriod:     0,
 		OldBoundCIDRs: nil,
 	}
 	if diff := deep.Equal(certEntry, exp); diff != nil {
 		t.Fatal(diff)
 	}
 }
--- a/builtin/credential/cert/path_certs.go
+++ b/builtin/credential/cert/path_certs.go
@ -4,12 +4,11 @@ import (
 	"context"
 	"crypto/x509"
 	"fmt"
 	"strings"
 	"time"
 	sockaddr "github.com/hashicorp/go-sockaddr"
-	"github.com/hashicorp/vault/helper/parseutil"
+	"github.com/hashicorp/vault/helper/consts"
-	"github.com/hashicorp/vault/helper/policyutil"
+	"github.com/hashicorp/vault/helper/tokenhelper"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 )
@ -28,11 +27,11 @@ func pathListCerts(b *backend) *framework.Path {
 }
 func pathCerts(b *backend) *framework.Path {
-	return &framework.Path{
+	path := &framework.Path{
 		Pattern: "certs/" + framework.GenericNameRegex("name"),
 		Fields: map[string]*framework.FieldSchema{
 			"name": &framework.FieldSchema{
-				Type:        framework.TypeString,
+				Type:        framework.TypeLowerCaseString,
 				Description: "The name of the certificate",
 			},
@ -93,42 +92,11 @@ All values much match. Supports globbing on "value".`,
 certificate.`,
 			},
 			"policies": &framework.FieldSchema{
 				Type:        framework.TypeCommaStringSlice,
 				Description: "Comma-separated list of policies.",
 			},
 			"lease": &framework.FieldSchema{
 				Type: framework.TypeInt,
 				Description: `Deprecated: use "ttl" instead. TTL time in
 seconds. Defaults to system/backend default TTL.`,
 			},
 			"ttl": &framework.FieldSchema{
 				Type: framework.TypeDurationSecond,
 				Description: `TTL for tokens issued by this backend.
 Defaults to system/backend default TTL time.`,
 			},
 			"max_ttl": &framework.FieldSchema{
 				Type: framework.TypeDurationSecond,
 				Description: `Duration in either an integer number of seconds (3600) or
 an integer time unit (60m) after which the
 issued token can no longer be renewed.`,
 			},
 			"period": &framework.FieldSchema{
 				Type: framework.TypeDurationSecond,
 				Description: `If set, indicates that the token generated using this role
 should never expire. The token should be renewed within the
 duration specified by this value. At each renewal, the token's
 TTL will be set to the value of this parameter.`,
 			},
 			"bound_cidrs": &framework.FieldSchema{
 				Type: framework.TypeCommaStringSlice,
 				Description: `Comma separated string or list of CIDR blocks. If set, specifies the blocks of
 IP addresses which can perform the login operation.`,
 			},
 		},
 		Callbacks: map[logical.Operation]framework.OperationFunc{
@ -140,10 +108,13 @@ IP addresses which can perform the login operation.`,
 		HelpSynopsis:    pathCertHelpSyn,
 		HelpDescription: pathCertHelpDesc,
 	}
 	tokenhelper.AddTokenFields(path.Fields)
 	return path
 }
 func (b *backend) Cert(ctx context.Context, s logical.Storage, n string) (*CertEntry, error) {
-	entry, err := s.Get(ctx, "cert/"+strings.ToLower(n))
+	entry, err := s.Get(ctx, "cert/"+n)
 	if err != nil {
 		return nil, err
 	}
@ -155,11 +126,48 @@ func (b *backend) Cert(ctx context.Context, s logical.Storage, n string) (*CertE
 	if err := entry.DecodeJSON(&result); err != nil {
 		return nil, err
 	}
 	var needsUpgrade bool
 	if result.OldTTL != 0 {
 		needsUpgrade = true
 		result.TTL = result.OldTTL
 		result.OldTTL = 0
 	}
 	if result.OldMaxTTL != 0 {
 		needsUpgrade = true
 		result.MaxTTL = result.OldMaxTTL
 		result.OldMaxTTL = 0
 	}
 	if result.OldPeriod != 0 {
 		needsUpgrade = true
 		result.Period = result.OldPeriod
 		result.OldPeriod = 0
 	}
 	if len(result.OldPolicies) > 0 {
 		needsUpgrade = true
 		result.Policies = result.OldPolicies
 		result.OldPolicies = nil
 	}
 	if len(result.OldBoundCIDRs) > 0 {
 		needsUpgrade = true
 		result.BoundCIDRs = result.OldBoundCIDRs
 		result.OldBoundCIDRs = nil
 	}
 	if needsUpgrade && (b.System().LocalMount() || !b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary|consts.ReplicationPerformanceStandby)) {
 		entry, err := logical.StorageEntryJSON("cert/"+n, result)
 		if err != nil {
 			return nil, err
 		}
 		if err := s.Put(ctx, entry); err != nil {
 			return nil, err
 		}
 	}
 	return &result, nil
 }
 func (b *backend) pathCertDelete(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
-	err := req.Storage.Delete(ctx, "cert/"+strings.ToLower(d.Get("name").(string)))
+	err := req.Storage.Delete(ctx, "cert/"+d.Get("name").(string))
 	if err != nil {
 		return nil, err
 	}
@ -175,7 +183,7 @@ func (b *backend) pathCertList(ctx context.Context, req *logical.Request, d *fra
 }
 func (b *backend) pathCertRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
-	cert, err := b.Cert(ctx, req.Storage, strings.ToLower(d.Get("name").(string)))
+	cert, err := b.Cert(ctx, req.Storage, d.Get("name").(string))
 	if err != nil {
 		return nil, err
 	}
@ -183,30 +191,27 @@ func (b *backend) pathCertRead(ctx context.Context, req *logical.Request, d *fra
 		return nil, nil
 	}
 	data := map[string]interface{}{
 		"certificate":                  cert.Certificate,
 		"display_name":                 cert.DisplayName,
 		"allowed_names":                cert.AllowedNames,
 		"allowed_common_names":         cert.AllowedCommonNames,
 		"allowed_dns_sans":             cert.AllowedDNSSANs,
 		"allowed_email_sans":           cert.AllowedEmailSANs,
 		"allowed_uri_sans":             cert.AllowedURISANs,
 		"allowed_organizational_units": cert.AllowedOrganizationalUnits,
 		"required_extensions":          cert.RequiredExtensions,
 	}
 	cert.PopulateTokenData(data)
 	return &logical.Response{
-		Data: map[string]interface{}{
+		Data: data,
 			"certificate":                  cert.Certificate,
 			"display_name":                 cert.DisplayName,
 			"policies":                     cert.Policies,
 			"ttl":                          cert.TTL / time.Second,
 			"max_ttl":                      cert.MaxTTL / time.Second,
 			"period":                       cert.Period / time.Second,
 			"allowed_names":                cert.AllowedNames,
 			"allowed_common_names":         cert.AllowedCommonNames,
 			"allowed_dns_sans":             cert.AllowedDNSSANs,
 			"allowed_email_sans":           cert.AllowedEmailSANs,
 			"allowed_uri_sans":             cert.AllowedURISANs,
 			"allowed_organizational_units": cert.AllowedOrganizationalUnits,
 			"required_extensions":          cert.RequiredExtensions,
 		},
 	}, nil
 }
 func (b *backend) pathCertWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
-	name := strings.ToLower(d.Get("name").(string))
+	name := d.Get("name").(string)
 	certificate := d.Get("certificate").(string)
 	displayName := d.Get("display_name").(string)
 	policies := policyutil.ParsePolicies(d.Get("policies"))
 	allowedNames := d.Get("allowed_names").([]string)
 	allowedCommonNames := d.Get("allowed_common_names").([]string)
 	allowedDNSSANs := d.Get("allowed_dns_sans").([]string)
@ -215,45 +220,32 @@ func (b *backend) pathCertWrite(ctx context.Context, req *logical.Request, d *fr
 	allowedOrganizationalUnits := d.Get("allowed_organizational_units").([]string)
 	requiredExtensions := d.Get("required_extensions").([]string)
 	certEntry := &CertEntry{}
 	var resp logical.Response
 	if err := certEntry.ParseTokenFields(req, d); err != nil {
 		return logical.ErrorResponse(err.Error()), nil
 	}
 	// Parse the ttl (or lease duration)
 	systemDefaultTTL := b.System().DefaultLeaseTTL()
-	ttl := time.Duration(d.Get("ttl").(int)) * time.Second
+	if certEntry.TTL > systemDefaultTTL {
-	if ttl == 0 {
+		resp.AddWarning(fmt.Sprintf("Given ttl of %d seconds is greater than current mount/system default of %d seconds", certEntry.TTL/time.Second, systemDefaultTTL/time.Second))
 		ttl = time.Duration(d.Get("lease").(int)) * time.Second
 	}
 	if ttl > systemDefaultTTL {
 		resp.AddWarning(fmt.Sprintf("Given ttl of %d seconds is greater than current mount/system default of %d seconds", ttl/time.Second, systemDefaultTTL/time.Second))
 	}
 	if ttl < time.Duration(0) {
 		return logical.ErrorResponse("ttl cannot be negative"), nil
 	}
 	// Parse max_ttl
 	systemMaxTTL := b.System().MaxLeaseTTL()
-	maxTTL := time.Duration(d.Get("max_ttl").(int)) * time.Second
+	if certEntry.MaxTTL > systemMaxTTL {
-	if maxTTL > systemMaxTTL {
+		resp.AddWarning(fmt.Sprintf("Given max_ttl of %d seconds is greater than current mount/system default of %d seconds", certEntry.MaxTTL/time.Second, systemMaxTTL/time.Second))
 		resp.AddWarning(fmt.Sprintf("Given max_ttl of %d seconds is greater than current mount/system default of %d seconds", maxTTL/time.Second, systemMaxTTL/time.Second))
 	}
-	if maxTTL < time.Duration(0) {
+	if certEntry.MaxTTL != 0 && certEntry.TTL > certEntry.MaxTTL {
 		return logical.ErrorResponse("max_ttl cannot be negative"), nil
 	}
 	if maxTTL != 0 && ttl > maxTTL {
 		return logical.ErrorResponse("ttl should be shorter than max_ttl"), nil
 	}
 	// Parse period
-	period := time.Duration(d.Get("period").(int)) * time.Second
+	if certEntry.Period > systemMaxTTL {
-	if period > systemMaxTTL {
+		resp.AddWarning(fmt.Sprintf("Given period of %d seconds is greater than the backend's maximum TTL of %d seconds", certEntry.Period/time.Second, systemMaxTTL/time.Second))
 		resp.AddWarning(fmt.Sprintf("Given period of %d seconds is greater than the backend's maximum TTL of %d seconds", period/time.Second, systemMaxTTL/time.Second))
 	}
 	if period < time.Duration(0) {
 		return logical.ErrorResponse("period cannot be negative"), nil
 	}
 	// Default the display name to the certificate name if not given
@ -280,28 +272,16 @@ func (b *backend) pathCertWrite(ctx context.Context, req *logical.Request, d *fr
 		}
 	}
-	parsedCIDRs, err := parseutil.ParseAddrs(d.Get("bound_cidrs"))
+	certEntry.Name = name
-	if err != nil {
+	certEntry.Certificate = certificate
-		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
+	certEntry.DisplayName = displayName
-	}
+	certEntry.AllowedNames = allowedNames
-
+	certEntry.AllowedCommonNames = allowedCommonNames
-	certEntry := &CertEntry{
+	certEntry.AllowedDNSSANs = allowedDNSSANs
-		Name:                       name,
+	certEntry.AllowedEmailSANs = allowedEmailSANs
-		Certificate:                certificate,
+	certEntry.AllowedURISANs = allowedURISANs
-		DisplayName:                displayName,
+	certEntry.AllowedOrganizationalUnits = allowedOrganizationalUnits
-		Policies:                   policies,
+	certEntry.RequiredExtensions = requiredExtensions
 		AllowedNames:               allowedNames,
 		AllowedCommonNames:         allowedCommonNames,
 		AllowedDNSSANs:             allowedDNSSANs,
 		AllowedEmailSANs:           allowedEmailSANs,
 		AllowedURISANs:             allowedURISANs,
 		AllowedOrganizationalUnits: allowedOrganizationalUnits,
 		RequiredExtensions:         requiredExtensions,
 		TTL:                        ttl,
 		MaxTTL:                     maxTTL,
 		Period:                     period,
 		BoundCIDRs:                 parsedCIDRs,
 	}
 	// Store it
 	entry, err := logical.StorageEntryJSON("cert/"+name, certEntry)
@ -320,13 +300,11 @@ func (b *backend) pathCertWrite(ctx context.Context, req *logical.Request, d *fr
 }
 type CertEntry struct {
 	tokenhelper.TokenParams
 	Name                       string
 	Certificate                string
 	DisplayName                string
 	Policies                   []string
 	TTL                        time.Duration
 	MaxTTL                     time.Duration
 	Period                     time.Duration
 	AllowedNames               []string
 	AllowedCommonNames         []string
 	AllowedDNSSANs             []string
@ -334,7 +312,13 @@ type CertEntry struct {
 	AllowedURISANs             []string
 	AllowedOrganizationalUnits []string
 	RequiredExtensions         []string
-	BoundCIDRs                 []*sockaddr.SockAddrMarshaler
+
 	// These token-related fields have been moved to the embedded tokenhelper.TokenParams struct
 	OldPolicies   []string                      `json:"Policies"`
 	OldTTL        time.Duration                 `json:"TTL"`
 	OldMaxTTL     time.Duration                 `json:"MaxTTL"`
 	OldPeriod     time.Duration                 `json:"Period"`
 	OldBoundCIDRs []*sockaddr.SockAddrMarshaler `json:"BoundCIDRs"`
 }
 const pathCertHelpSyn = `
--- a/builtin/credential/cert/path_login.go
+++ b/builtin/credential/cert/path_login.go
@ -83,32 +83,27 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, data *fra
 	skid := base64.StdEncoding.EncodeToString(clientCerts[0].SubjectKeyId)
 	akid := base64.StdEncoding.EncodeToString(clientCerts[0].AuthorityKeyId)
-	resp := &logical.Response{
+	auth := &logical.Auth{
-		Auth: &logical.Auth{
+		InternalData: map[string]interface{}{
-			Period: matched.Entry.Period,
+			"subject_key_id":   skid,
-			InternalData: map[string]interface{}{
+			"authority_key_id": akid,
 				"subject_key_id":   skid,
 				"authority_key_id": akid,
 			},
 			Policies:    matched.Entry.Policies,
 			DisplayName: matched.Entry.DisplayName,
 			Metadata: map[string]string{
 				"cert_name":        matched.Entry.Name,
 				"common_name":      clientCerts[0].Subject.CommonName,
 				"serial_number":    clientCerts[0].SerialNumber.String(),
 				"subject_key_id":   certutil.GetHexFormatted(clientCerts[0].SubjectKeyId, ":"),
 				"authority_key_id": certutil.GetHexFormatted(clientCerts[0].AuthorityKeyId, ":"),
 			},
 			LeaseOptions: logical.LeaseOptions{
 				Renewable: true,
 				TTL:       matched.Entry.TTL,
 				MaxTTL:    matched.Entry.MaxTTL,
 			},
 			Alias: &logical.Alias{
 				Name: clientCerts[0].Subject.CommonName,
 			},
 			BoundCIDRs: matched.Entry.BoundCIDRs,
 		},
 		DisplayName: matched.Entry.DisplayName,
 		Metadata: map[string]string{
 			"cert_name":        matched.Entry.Name,
 			"common_name":      clientCerts[0].Subject.CommonName,
 			"serial_number":    clientCerts[0].SerialNumber.String(),
 			"subject_key_id":   certutil.GetHexFormatted(clientCerts[0].SubjectKeyId, ":"),
 			"authority_key_id": certutil.GetHexFormatted(clientCerts[0].AuthorityKeyId, ":"),
 		},
 		Alias: &logical.Alias{
 			Name: clientCerts[0].Subject.CommonName,
 		},
 	}
 	matched.Entry.PopulateTokenAuth(auth)
 	resp := &logical.Response{
 		Auth: auth,
 	}
 	// Generate a response
--- a/builtin/credential/github/path_config.go
+++ b/builtin/credential/github/path_config.go
@ -4,15 +4,15 @@ import (
 	"context"
 	"fmt"
 	"net/url"
 	"time"
 	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/vault/helper/tokenhelper"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 )
 func pathConfig(b *backend) *framework.Path {
-	return &framework.Path{
+	ret := &framework.Path{
 		Pattern: "config",
 		Fields: map[string]*framework.FieldSchema{
 			"organization": &framework.FieldSchema{
@ -26,14 +26,6 @@ func pathConfig(b *backend) *framework.Path {
 are running GitHub Enterprise or an
 API-compatible authentication server.`,
 			},
 			"ttl": &framework.FieldSchema{
 				Type:        framework.TypeString,
 				Description: `Duration after which authentication will be expired`,
 			},
 			"max_ttl": &framework.FieldSchema{
 				Type:        framework.TypeString,
 				Description: `Maximum duration after which authentication will be expired`,
 			},
 		},
 		Callbacks: map[logical.Operation]framework.OperationFunc{
@ -41,6 +33,9 @@ API-compatible authentication server.`,
 			logical.ReadOperation:   b.pathConfigRead,
 		},
 	}
 	tokenhelper.AddTokenFields(ret.Fields)
 	return ret
 }
 func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
@ -53,35 +48,16 @@ func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, dat
 		}
 	}
-	var ttl time.Duration
+	cfg := &config{
 	var err error
 	ttlRaw, ok := data.GetOk("ttl")
 	if !ok || len(ttlRaw.(string)) == 0 {
 		ttl = 0
 	} else {
 		ttl, err = time.ParseDuration(ttlRaw.(string))
 		if err != nil {
 			return logical.ErrorResponse(fmt.Sprintf("Invalid 'ttl':%s", err)), nil
 		}
 	}
 	var maxTTL time.Duration
 	maxTTLRaw, ok := data.GetOk("max_ttl")
 	if !ok || len(maxTTLRaw.(string)) == 0 {
 		maxTTL = 0
 	} else {
 		maxTTL, err = time.ParseDuration(maxTTLRaw.(string))
 		if err != nil {
 			return logical.ErrorResponse(fmt.Sprintf("Invalid 'max_ttl':%s", err)), nil
 		}
 	}
 	entry, err := logical.StorageEntryJSON("config", config{
 		Organization: organization,
 		BaseURL:      baseURL,
-		TTL:          ttl,
+	}
-		MaxTTL:       maxTTL,
+
-	})
+	if err := cfg.ParseTokenFields(req, data); err != nil {
 		return logical.ErrorResponse(err.Error()), nil
 	}
 	entry, err := logical.StorageEntryJSON("config", cfg)
 	if err != nil {
 		return nil, err
@ -104,18 +80,15 @@ func (b *backend) pathConfigRead(ctx context.Context, req *logical.Request, data
 		return nil, fmt.Errorf("configuration object not found")
 	}
-	config.TTL /= time.Second
+	respData := map[string]interface{}{
-	config.MaxTTL /= time.Second
+		"organization": config.Organization,
-
+		"base_url":     config.BaseURL,
 	resp := &logical.Response{
 		Data: map[string]interface{}{
 			"organization": config.Organization,
 			"base_url":     config.BaseURL,
 			"ttl":          config.TTL,
 			"max_ttl":      config.MaxTTL,
 		},
 	}
-	return resp, nil
+	config.PopulateTokenData(respData)
 	return &logical.Response{
 		Data: respData,
 	}, nil
 }
 // Config returns the configuration for this backend.
@ -136,8 +109,8 @@ func (b *backend) Config(ctx context.Context, s logical.Storage) (*config, error
 }
 type config struct {
-	Organization string        `json:"organization" structs:"organization" mapstructure:"organization"`
+	tokenhelper.TokenParams
-	BaseURL      string        `json:"base_url" structs:"base_url" mapstructure:"base_url"`
+
-	TTL          time.Duration `json:"ttl" structs:"ttl" mapstructure:"ttl"`
+	Organization string `json:"organization" structs:"organization" mapstructure:"organization"`
-	MaxTTL       time.Duration `json:"max_ttl" structs:"max_ttl" mapstructure:"max_ttl"`
+	BaseURL      string `json:"base_url" structs:"base_url" mapstructure:"base_url"`
 }
--- a/builtin/credential/github/path_login.go
+++ b/builtin/credential/github/path_login.go
@ -9,6 +9,7 @@ import (
 	"github.com/google/go-github/github"
 	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/vault/helper/policyutil"
 	"github.com/hashicorp/vault/helper/strutil"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 )
@ -68,38 +69,35 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, data *fra
 		return nil, err
 	}
-	resp := &logical.Response{
+	auth := &logical.Auth{
-		Auth: &logical.Auth{
+		InternalData: map[string]interface{}{
-			InternalData: map[string]interface{}{
+			"token": token,
-				"token": token,
+		},
-			},
+		Metadata: map[string]string{
-			Policies: verifyResp.Policies,
+			"username": *verifyResp.User.Login,
-			Metadata: map[string]string{
+			"org":      *verifyResp.Org.Login,
-				"username": *verifyResp.User.Login,
+		},
-				"org":      *verifyResp.Org.Login,
+		DisplayName: *verifyResp.User.Login,
-			},
+		Alias: &logical.Alias{
-			DisplayName: *verifyResp.User.Login,
+			Name: *verifyResp.User.Login,
 			LeaseOptions: logical.LeaseOptions{
 				TTL:       config.TTL,
 				MaxTTL:    config.MaxTTL,
 				Renewable: true,
 			},
 			Alias: &logical.Alias{
 				Name: *verifyResp.User.Login,
 			},
 		},
 	}
 	config.PopulateTokenAuth(auth)
 	auth.Policies = append(auth.Policies, verifyResp.Policies...)
 	auth.Policies = strutil.RemoveDuplicates(auth.Policies, false)
 	for _, teamName := range verifyResp.TeamNames {
 		if teamName == "" {
 			continue
 		}
-		resp.Auth.GroupAliases = append(resp.Auth.GroupAliases, &logical.Alias{
+		auth.GroupAliases = append(auth.GroupAliases, &logical.Alias{
 			Name: teamName,
 		})
 	}
-	return resp, nil
+	return &logical.Response{
 		Auth: auth,
 	}, nil
 }
 func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
--- a/builtin/credential/ldap/path_config.go
+++ b/builtin/credential/ldap/path_config.go
@ -12,7 +12,7 @@ import (
 func pathConfig(b *backend) *framework.Path {
 	return &framework.Path{
 		Pattern: `config`,
-		Fields:  ldaputil.ConfigFields(),
+		Fields:  ldaputil.ConfigFields(true),
 		Callbacks: map[logical.Operation]framework.OperationFunc{
 			logical.ReadOperation:   b.pathConfigRead,
@ -89,8 +89,11 @@ func (b *backend) pathConfigRead(ctx context.Context, req *logical.Request, d *f
 		return nil, nil
 	}
 	data := cfg.PasswordlessMap()
 	cfg.PopulateTokenData(data)
 	resp := &logical.Response{
-		Data: cfg.PasswordlessMap(),
+		Data: data,
 	}
 	return resp, nil
 }
@ -109,6 +112,10 @@ func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, d *
 		*cfg.CaseSensitiveNames = false
 	}
 	if err := cfg.ParseTokenFields(req, d); err != nil {
 		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
 	}
 	entry, err := logical.StorageEntryJSON("config", cfg)
 	if err != nil {
 		return nil, err
--- a/builtin/credential/ldap/path_login.go
+++ b/builtin/credential/ldap/path_login.go
@ -3,9 +3,9 @@ package ldap
 import (
 	"context"
 	"fmt"
 	"sort"
 	"github.com/hashicorp/vault/helper/policyutil"
 	"github.com/hashicorp/vault/helper/strutil"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 )
@ -54,6 +54,14 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 	username := d.Get("username").(string)
 	password := d.Get("password").(string)
 	cfg, err := b.Config(ctx, req)
 	if err != nil {
 		return nil, err
 	}
 	if cfg == nil {
 		return logical.ErrorResponse("ldap backend not configured"), nil
 	}
 	policies, resp, groupNames, err := b.Login(ctx, req, username, password)
 	// Handle an internal error
 	if err != nil {
@ -68,10 +76,7 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 		resp = &logical.Response{}
 	}
-	sort.Strings(policies)
+	auth := &logical.Auth{
 	resp.Auth = &logical.Auth{
 		Policies: policies,
 		Metadata: map[string]string{
 			"username": username,
 		},
@ -79,22 +84,24 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 			"password": password,
 		},
 		DisplayName: username,
 		LeaseOptions: logical.LeaseOptions{
 			Renewable: true,
 		},
 		Alias: &logical.Alias{
 			Name: username,
 		},
 	}
 	cfg.PopulateTokenAuth(auth)
 	auth.Policies = append(auth.Policies, policies...)
 	auth.Policies = strutil.RemoveDuplicates(auth.Policies, false)
 	for _, groupName := range groupNames {
 		if groupName == "" {
 			continue
 		}
-		resp.Auth.GroupAliases = append(resp.Auth.GroupAliases, &logical.Alias{
+		auth.GroupAliases = append(auth.GroupAliases, &logical.Alias{
 			Name: groupName,
 		})
 	}
 	resp.Auth = auth
 	return resp, nil
 }
--- a/builtin/credential/okta/path_config.go
+++ b/builtin/credential/okta/path_config.go
@ -5,10 +5,9 @@ import (
 	"fmt"
 	"net/url"
 	"time"
 	"github.com/chrismalek/oktasdk-go/okta"
 	cleanhttp "github.com/hashicorp/go-cleanhttp"
 	"github.com/hashicorp/vault/helper/tokenhelper"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 )
@ -19,7 +18,7 @@ const (
 )
 func pathConfig(b *backend) *framework.Path {
-	return &framework.Path{
+	ret := &framework.Path{
 		Pattern: `config`,
 		Fields: map[string]*framework.FieldSchema{
 			"organization": &framework.FieldSchema{
@ -46,14 +45,6 @@ func pathConfig(b *backend) *framework.Path {
 				Type:        framework.TypeBool,
 				Description: `(DEPRECATED) Use base_url.`,
 			},
 			"ttl": &framework.FieldSchema{
 				Type:        framework.TypeDurationSecond,
 				Description: `Duration after which authentication will be expired`,
 			},
 			"max_ttl": &framework.FieldSchema{
 				Type:        framework.TypeDurationSecond,
 				Description: `Maximum duration after which authentication will be expired`,
 			},
 			"bypass_okta_mfa": &framework.FieldSchema{
 				Type:        framework.TypeBool,
 				Description: `When set true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired.`,
@ -70,6 +61,9 @@ func pathConfig(b *backend) *framework.Path {
 		HelpSynopsis: pathConfigHelp,
 	}
 	tokenhelper.AddTokenFields(ret.Fields)
 	return ret
 }
 // Config returns the configuration for this backend.
@ -101,15 +95,17 @@ func (b *backend) pathConfigRead(ctx context.Context, req *logical.Request, d *f
 		return nil, nil
 	}
-	resp := &logical.Response{
+	data := map[string]interface{}{
-		Data: map[string]interface{}{
+		"organization":    cfg.Org,
-			"organization":    cfg.Org,
+		"org_name":        cfg.Org,
-			"org_name":        cfg.Org,
+		"bypass_okta_mfa": cfg.BypassOktaMFA,
 			"ttl":             cfg.TTL.Seconds(),
 			"max_ttl":         cfg.MaxTTL.Seconds(),
 			"bypass_okta_mfa": cfg.BypassOktaMFA,
 		},
 	}
 	cfg.PopulateTokenData(data)
 	resp := &logical.Response{
 		Data: data,
 	}
 	if cfg.BaseURL != "" {
 		resp.Data["base_url"] = cfg.BaseURL
 	}
@ -185,18 +181,8 @@ func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, d *
 		cfg.BypassOktaMFA = bypass.(bool)
 	}
-	ttl, ok := d.GetOk("ttl")
+	if err := cfg.ParseTokenFields(req, d); err != nil {
-	if ok {
+		return logical.ErrorResponse(err.Error()), nil
 		cfg.TTL = time.Duration(ttl.(int)) * time.Second
 	} else if req.Operation == logical.CreateOperation {
 		cfg.TTL = time.Duration(d.Get("ttl").(int)) * time.Second
 	}
 	maxTTL, ok := d.GetOk("max_ttl")
 	if ok {
 		cfg.MaxTTL = time.Duration(maxTTL.(int)) * time.Second
 	} else if req.Operation == logical.CreateOperation {
 		cfg.MaxTTL = time.Duration(d.Get("max_ttl").(int)) * time.Second
 	}
 	jsonCfg, err := logical.StorageEntryJSON("config", cfg)
@ -244,13 +230,13 @@ func (c *ConfigEntry) OktaClient() *okta.Client {
 // ConfigEntry for Okta
 type ConfigEntry struct {
-	Org           string        `json:"organization"`
+	tokenhelper.TokenParams
-	Token         string        `json:"token"`
+
-	BaseURL       string        `json:"base_url"`
+	Org           string `json:"organization"`
-	Production    *bool         `json:"is_production,omitempty"`
+	Token         string `json:"token"`
-	TTL           time.Duration `json:"ttl"`
+	BaseURL       string `json:"base_url"`
-	MaxTTL        time.Duration `json:"max_ttl"`
+	Production    *bool  `json:"is_production,omitempty"`
-	BypassOktaMFA bool          `json:"bypass_okta_mfa"`
+	BypassOktaMFA bool   `json:"bypass_okta_mfa"`
 }
 const pathConfigHelp = `
--- a/builtin/credential/okta/path_login.go
+++ b/builtin/credential/okta/path_login.go
@ -8,6 +8,7 @@ import (
 	"github.com/go-errors/errors"
 	"github.com/hashicorp/vault/helper/policyutil"
 	"github.com/hashicorp/vault/helper/strutil"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 )
@ -77,8 +78,7 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 		return nil, err
 	}
-	resp.Auth = &logical.Auth{
+	auth := &logical.Auth{
 		Policies: policies,
 		Metadata: map[string]string{
 			"username": username,
 			"policies": strings.Join(policies, ","),
@ -87,15 +87,15 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 			"password": password,
 		},
 		DisplayName: username,
 		LeaseOptions: logical.LeaseOptions{
 			TTL:       cfg.TTL,
 			MaxTTL:    cfg.MaxTTL,
 			Renewable: true,
 		},
 		Alias: &logical.Alias{
 			Name: username,
 		},
 	}
 	cfg.PopulateTokenAuth(auth)
 	auth.Policies = append(auth.Policies, policies...)
 	auth.Policies = strutil.RemoveDuplicates(auth.Policies, false)
 	resp.Auth = auth
 	for _, groupName := range groupNames {
 		if groupName == "" {
--- a/builtin/credential/radius/path_config.go
+++ b/builtin/credential/radius/path_config.go
@ -4,12 +4,13 @@ import (
 	"context"
 	"strings"
 	"github.com/hashicorp/vault/helper/tokenhelper"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 )
 func pathConfig(b *backend) *framework.Path {
-	return &framework.Path{
+	ret := &framework.Path{
 		Pattern: "config",
 		Fields: map[string]*framework.FieldSchema{
 			"host": &framework.FieldSchema{
@ -64,6 +65,9 @@ func pathConfig(b *backend) *framework.Path {
 		HelpSynopsis:    pathConfigHelpSyn,
 		HelpDescription: pathConfigHelpDesc,
 	}
 	tokenhelper.AddTokenFields(ret.Fields)
 	return ret
 }
 // Establishes dichotomy of request operation between CreateOperation and UpdateOperation.
@ -107,18 +111,20 @@ func (b *backend) pathConfigRead(ctx context.Context, req *logical.Request, d *f
 		return nil, nil
 	}
-	resp := &logical.Response{
+	data := map[string]interface{}{
-		Data: map[string]interface{}{
+		"host":                       cfg.Host,
-			"host":                       cfg.Host,
+		"port":                       cfg.Port,
-			"port":                       cfg.Port,
+		"unregistered_user_policies": cfg.UnregisteredUserPolicies,
-			"unregistered_user_policies": cfg.UnregisteredUserPolicies,
+		"dial_timeout":               cfg.DialTimeout,
-			"dial_timeout":               cfg.DialTimeout,
+		"read_timeout":               cfg.ReadTimeout,
-			"read_timeout":               cfg.ReadTimeout,
+		"nas_port":                   cfg.NasPort,
-			"nas_port":                   cfg.NasPort,
+		"nas_identifier":             cfg.NasIdentifier,
 			"nas_identifier":             cfg.NasIdentifier,
 		},
 	}
-	return resp, nil
+	cfg.PopulateTokenData(data)
 	return &logical.Response{
 		Data: data,
 	}, nil
 }
 func (b *backend) pathConfigCreateUpdate(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
@ -203,6 +209,10 @@ func (b *backend) pathConfigCreateUpdate(ctx context.Context, req *logical.Reque
 		cfg.NasIdentifier = d.Get("nas_identifier").(string)
 	}
 	if err := cfg.ParseTokenFields(req, d); err != nil {
 		return logical.ErrorResponse(err.Error()), nil
 	}
 	entry, err := logical.StorageEntryJSON("config", cfg)
 	if err != nil {
 		return nil, err
@ -215,6 +225,8 @@ func (b *backend) pathConfigCreateUpdate(ctx context.Context, req *logical.Reque
 }
 type ConfigEntry struct {
 	tokenhelper.TokenParams
 	Host                     string   `json:"host" structs:"host" mapstructure:"host"`
 	Port                     int      `json:"port" structs:"port" mapstructure:"port"`
 	Secret                   string   `json:"secret" structs:"secret" mapstructure:"secret"`
--- a/builtin/credential/radius/path_login.go
+++ b/builtin/credential/radius/path_login.go
@ -12,6 +12,7 @@ import (
 	. "layeh.com/radius/rfc2865"
 	"github.com/hashicorp/vault/helper/policyutil"
 	"github.com/hashicorp/vault/helper/strutil"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 )
@ -76,6 +77,14 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 		return logical.ErrorResponse("password cannot be empty"), nil
 	}
 	cfg, err := b.Config(ctx, req)
 	if err != nil {
 		return nil, err
 	}
 	if cfg == nil {
 		return logical.ErrorResponse("radius backend not configured"), nil
 	}
 	policies, resp, err := b.RadiusLogin(ctx, req, username, password)
 	// Handle an internal error
 	if err != nil {
@ -88,8 +97,7 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 		}
 	}
-	resp.Auth = &logical.Auth{
+	auth := &logical.Auth{
 		Policies: policies,
 		Metadata: map[string]string{
 			"username": username,
 			"policies": strings.Join(policies, ","),
@ -98,13 +106,16 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 			"password": password,
 		},
 		DisplayName: username,
 		LeaseOptions: logical.LeaseOptions{
 			Renewable: true,
 		},
 		Alias: &logical.Alias{
 			Name: username,
 		},
 	}
 	cfg.PopulateTokenAuth(auth)
 	auth.Policies = append(auth.Policies, policies...)
 	auth.Policies = strutil.RemoveDuplicates(auth.Policies, false)
 	resp.Auth = auth
 	return resp, nil
 }
--- a/builtin/credential/userpass/backend_test.go
+++ b/builtin/credential/userpass/backend_test.go
@ -9,7 +9,10 @@ import (
 	"crypto/tls"
 	"github.com/go-test/deep"
 	sockaddr "github.com/hashicorp/go-sockaddr"
 	"github.com/hashicorp/vault/helper/policyutil"
 	"github.com/hashicorp/vault/helper/tokenhelper"
 	"github.com/hashicorp/vault/logical"
 	logicaltest "github.com/hashicorp/vault/logical/testing"
 	"github.com/mitchellh/mapstructure"
@ -20,6 +23,63 @@ const (
 	testSysMaxTTL = time.Hour * 20
 )
 func TestBackend_UserUpgrade(t *testing.T) {
 	s := &logical.InmemStorage{}
 	config := logical.TestBackendConfig()
 	config.StorageView = s
 	ctx := context.Background()
 	b := Backend()
 	if b == nil {
 		t.Fatalf("failed to create backend")
 	}
 	if err := b.Setup(ctx, config); err != nil {
 		t.Fatal(err)
 	}
 	type B struct {
 		Policies   []string
 		TTL        time.Duration
 		MaxTTL     time.Duration
 		BoundCIDRs []*sockaddr.SockAddrMarshaler
 	}
 	foo := &B{
 		Policies:   []string{"foo"},
 		TTL:        time.Second,
 		MaxTTL:     time.Second,
 		BoundCIDRs: []*sockaddr.SockAddrMarshaler{&sockaddr.SockAddrMarshaler{SockAddr: sockaddr.MustIPAddr("127.0.0.1")}},
 	}
 	entry, err := logical.StorageEntryJSON("user/foo", foo)
 	if err != nil {
 		t.Fatal(err)
 	}
 	err = s.Put(ctx, entry)
 	if err != nil {
 		t.Fatal(err)
 	}
 	userEntry, err := b.user(ctx, s, "foo")
 	if err != nil {
 		t.Fatal(err)
 	}
 	exp := &UserEntry{
 		TokenParams: tokenhelper.TokenParams{
 			Policies:   []string{"foo"},
 			TTL:        time.Second,
 			MaxTTL:     time.Second,
 			BoundCIDRs: []*sockaddr.SockAddrMarshaler{&sockaddr.SockAddrMarshaler{SockAddr: sockaddr.MustIPAddr("127.0.0.1")}},
 		},
 	}
 	if diff := deep.Equal(userEntry, exp); diff != nil {
 		t.Fatal(diff)
 	}
 }
 func TestBackend_TTL(t *testing.T) {
 	var resp *logical.Response
 	var err error
--- a/builtin/credential/userpass/path_login.go
+++ b/builtin/credential/userpass/path_login.go
@ -108,23 +108,19 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 		return logical.ErrorResponse("login request originated from invalid CIDR"), nil
 	}
-	return &logical.Response{
+	auth := &logical.Auth{
-		Auth: &logical.Auth{
+		Metadata: map[string]string{
-			Policies: user.Policies,
+			"username": username,
 			Metadata: map[string]string{
 				"username": username,
 			},
 			DisplayName: username,
 			LeaseOptions: logical.LeaseOptions{
 				TTL:       user.TTL,
 				MaxTTL:    user.MaxTTL,
 				Renewable: true,
 			},
 			Alias: &logical.Alias{
 				Name: username,
 			},
 			BoundCIDRs: user.BoundCIDRs,
 		},
 		DisplayName: username,
 		Alias: &logical.Alias{
 			Name: username,
 		},
 	}
 	user.PopulateTokenAuth(auth)
 	return &logical.Response{
 		Auth: auth,
 	}, nil
 }
--- a/builtin/credential/userpass/path_users.go
+++ b/builtin/credential/userpass/path_users.go
@ -7,8 +7,8 @@ import (
 	"time"
 	sockaddr "github.com/hashicorp/go-sockaddr"
-	"github.com/hashicorp/vault/helper/parseutil"
+	"github.com/hashicorp/vault/helper/consts"
-	"github.com/hashicorp/vault/helper/policyutil"
+	"github.com/hashicorp/vault/helper/tokenhelper"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 )
@ -27,7 +27,7 @@ func pathUsersList(b *backend) *framework.Path {
 }
 func pathUsers(b *backend) *framework.Path {
-	return &framework.Path{
+	p := &framework.Path{
 		Pattern: "users/" + framework.GenericNameRegex("username"),
 		Fields: map[string]*framework.FieldSchema{
 			"username": &framework.FieldSchema{
@ -39,27 +39,6 @@ func pathUsers(b *backend) *framework.Path {
 				Type:        framework.TypeString,
 				Description: "Password for this user.",
 			},
 			"policies": &framework.FieldSchema{
 				Type:        framework.TypeCommaStringSlice,
 				Description: "Comma-separated list of policies",
 			},
 			"ttl": &framework.FieldSchema{
 				Type:        framework.TypeDurationSecond,
 				Description: "Duration after which authentication will be expired",
 			},
 			"max_ttl": &framework.FieldSchema{
 				Type:        framework.TypeDurationSecond,
 				Description: "Maximum duration after which authentication will be expired",
 			},
 			"bound_cidrs": &framework.FieldSchema{
 				Type: framework.TypeCommaStringSlice,
 				Description: `Comma separated string or list of CIDR blocks. If set, specifies the blocks of
 IP addresses which can perform the login operation.`,
 			},
 		},
 		Callbacks: map[logical.Operation]framework.OperationFunc{
@ -74,6 +53,10 @@ IP addresses which can perform the login operation.`,
 		HelpSynopsis:    pathUserHelpSyn,
 		HelpDescription: pathUserHelpDesc,
 	}
 	tokenhelper.AddTokenFields(p.Fields)
 	return p
 }
 func (b *backend) userExistenceCheck(ctx context.Context, req *logical.Request, data *framework.FieldData) (bool, error) {
@ -103,6 +86,33 @@ func (b *backend) user(ctx context.Context, s logical.Storage, username string)
 		return nil, err
 	}
 	var needsUpgrade bool
 	if result.OldTTL != 0 {
 		needsUpgrade = true
 		result.TTL = result.OldTTL
 		result.OldTTL = 0
 	}
 	if result.OldMaxTTL != 0 {
 		needsUpgrade = true
 		result.MaxTTL = result.OldMaxTTL
 		result.OldMaxTTL = 0
 	}
 	if len(result.OldPolicies) != 0 {
 		needsUpgrade = true
 		result.Policies = result.OldPolicies
 		result.OldPolicies = nil
 	}
 	if result.OldBoundCIDRs != nil {
 		needsUpgrade = true
 		result.BoundCIDRs = result.OldBoundCIDRs
 		result.OldBoundCIDRs = nil
 	}
 	if needsUpgrade && (b.System().LocalMount() || !b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary|consts.ReplicationPerformanceStandby)) {
 		if err := b.setUser(ctx, s, strings.ToLower(username), &result); err != nil {
 			return nil, err
 		}
 	}
 	return &result, nil
 }
@ -141,13 +151,10 @@ func (b *backend) pathUserRead(ctx context.Context, req *logical.Request, d *fra
 		return nil, nil
 	}
 	data := map[string]interface{}{}
 	user.PopulateTokenData(data)
 	return &logical.Response{
-		Data: map[string]interface{}{
+		Data: data,
 			"policies":    user.Policies,
 			"ttl":         user.TTL.Seconds(),
 			"max_ttl":     user.MaxTTL.Seconds(),
 			"bound_cidrs": user.BoundCIDRs,
 		},
 	}, nil
 }
@ -172,25 +179,9 @@ func (b *backend) userCreateUpdate(ctx context.Context, req *logical.Request, d
 		}
 	}
-	if policiesRaw, ok := d.GetOk("policies"); ok {
+	if err := userEntry.ParseTokenFields(req, d); err != nil {
 		userEntry.Policies = policyutil.ParsePolicies(policiesRaw)
 	}
 	ttl, ok := d.GetOk("ttl")
 	if ok {
 		userEntry.TTL = time.Duration(ttl.(int)) * time.Second
 	}
 	maxTTL, ok := d.GetOk("max_ttl")
 	if ok {
 		userEntry.MaxTTL = time.Duration(maxTTL.(int)) * time.Second
 	}
 	boundCIDRs, err := parseutil.ParseAddrs(d.Get("bound_cidrs"))
 	if err != nil {
 		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
 	}
 	userEntry.BoundCIDRs = boundCIDRs
 	return nil, b.setUser(ctx, req.Storage, username, userEntry)
 }
@ -204,6 +195,8 @@ func (b *backend) pathUserWrite(ctx context.Context, req *logical.Request, d *fr
 }
 type UserEntry struct {
 	tokenhelper.TokenParams
 	// Password is deprecated in Vault 0.2 in favor of
 	// PasswordHash, but is retained for backwards compatibility.
 	Password string
@ -212,15 +205,16 @@ type UserEntry struct {
 	// used instead of the actual password in Vault 0.2+.
 	PasswordHash []byte
-	Policies []string
+	// These token-related fields have been moved to the embedded tokenhelper.TokenParams struct
 	OldPolicies []string `json:"Policies"`
 	// Duration after which the user will be revoked unless renewed
-	TTL time.Duration
+	OldTTL time.Duration `json:"TTL"`
 	// Maximum duration for which user can be valid
-	MaxTTL time.Duration
+	OldMaxTTL time.Duration `json:"MaxTTL"`
-	BoundCIDRs []*sockaddr.SockAddrMarshaler
+	OldBoundCIDRs []*sockaddr.SockAddrMarshaler `json:"BoundCIDRs"`
 }
 const pathUserHelpSyn = `
--- a/builtin/logical/database/dbplugin/database.pb.go
+++ b/builtin/logical/database/dbplugin/database.pb.go
@ -5,15 +5,11 @@ package dbplugin
 import (
 	fmt "fmt"
 	math "math"
 	proto "github.com/golang/protobuf/proto"
 	timestamp "github.com/golang/protobuf/ptypes/timestamp"
 )
 import (
 	context "golang.org/x/net/context"
 	grpc "google.golang.org/grpc"
 	math "math"
 )
 // Reference imports to suppress errors if they are not otherwise used.
@ -679,6 +675,60 @@ func init() {
 	proto.RegisterType((*Empty)(nil), "dbplugin.Empty")
 }
 func init() {
 	proto.RegisterFile("builtin/logical/database/dbplugin/database.proto", fileDescriptor_7bf7b4c7fef2f66e)
 }
 var fileDescriptor_7bf7b4c7fef2f66e = []byte{
 	// 724 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x55, 0xd1, 0x4e, 0xdb, 0x4a,
 	0x10, 0x95, 0x93, 0x00, 0xc9, 0x80, 0x80, 0xec, 0x05, 0x64, 0xf9, 0x72, 0x6f, 0x91, 0x1f, 0x28,
 	0x55, 0xd5, 0xb8, 0x82, 0x56, 0x54, 0xa8, 0xa2, 0x2a, 0xa1, 0xaa, 0x2a, 0x55, 0x3c, 0x2c, 0xf0,
 	0x52, 0x55, 0x42, 0x1b, 0x67, 0x49, 0x56, 0x38, 0x5e, 0xd7, 0xbb, 0x0e, 0x4d, 0x7f, 0xa0, 0xfd,
 	0x8c, 0x7e, 0x4e, 0x1f, 0xfb, 0x49, 0x95, 0x37, 0x59, 0xef, 0x26, 0x86, 0xf2, 0x40, 0xfb, 0xe6,
 	0xd9, 0x99, 0x33, 0x73, 0xe6, 0x78, 0x76, 0x16, 0x9e, 0x76, 0x32, 0x16, 0x49, 0x16, 0x07, 0x11,
 	0xef, 0xb1, 0x90, 0x44, 0x41, 0x97, 0x48, 0xd2, 0x21, 0x82, 0x06, 0xdd, 0x4e, 0x12, 0x65, 0x3d,
 	0x16, 0x17, 0x27, 0xad, 0x24, 0xe5, 0x92, 0xa3, 0xba, 0x76, 0x78, 0x0f, 0x7a, 0x9c, 0xf7, 0x22,
 	0x1a, 0xa8, 0xf3, 0x4e, 0x76, 0x19, 0x48, 0x36, 0xa0, 0x42, 0x92, 0x41, 0x32, 0x0e, 0xf5, 0x3f,
 	0x42, 0xf3, 0x5d, 0xcc, 0x24, 0x23, 0x11, 0xfb, 0x42, 0x31, 0xfd, 0x94, 0x51, 0x21, 0xd1, 0x06,
 	0xcc, 0x87, 0x3c, 0xbe, 0x64, 0x3d, 0xd7, 0xd9, 0x72, 0x76, 0x96, 0xf0, 0xc4, 0x42, 0x8f, 0xa1,
 	0x39, 0xa4, 0x29, 0xbb, 0x1c, 0x5d, 0x84, 0x3c, 0x8e, 0x69, 0x28, 0x19, 0x8f, 0xdd, 0xca, 0x96,
 	0xb3, 0x53, 0xc7, 0xab, 0x63, 0x47, 0xbb, 0x38, 0x3f, 0xa8, 0xb8, 0x8e, 0x8f, 0x61, 0x31, 0xcf,
 	0xfe, 0x27, 0xf3, 0xfa, 0x3f, 0x1c, 0x68, 0xb6, 0x53, 0x4a, 0x24, 0x3d, 0x17, 0x34, 0xd5, 0xa9,
 	0x9f, 0x01, 0x08, 0x49, 0x24, 0x1d, 0xd0, 0x58, 0x0a, 0x95, 0x7e, 0x71, 0x77, 0xad, 0xa5, 0x75,
 	0x68, 0x9d, 0x16, 0x3e, 0x6c, 0xc5, 0xa1, 0xd7, 0xb0, 0x92, 0x09, 0x9a, 0xc6, 0x64, 0x40, 0x2f,
 	0x26, 0xcc, 0x2a, 0x0a, 0xea, 0x1a, 0xe8, 0xf9, 0x24, 0xa0, 0xad, 0xfc, 0x78, 0x39, 0x9b, 0xb2,
 	0xd1, 0x01, 0x00, 0xfd, 0x9c, 0xb0, 0x94, 0x28, 0xd2, 0x55, 0x85, 0xf6, 0x5a, 0x63, 0xd9, 0x5b,
 	0x5a, 0xf6, 0xd6, 0x99, 0x96, 0x1d, 0x5b, 0xd1, 0xfe, 0x77, 0x07, 0x56, 0x31, 0x8d, 0xe9, 0xf5,
 	0xfd, 0x3b, 0xf1, 0xa0, 0xae, 0x89, 0xa9, 0x16, 0x1a, 0xb8, 0xb0, 0xef, 0x45, 0x91, 0x42, 0x13,
 	0xd3, 0x21, 0xbf, 0xa2, 0x7f, 0x95, 0xa2, 0x7f, 0x08, 0x9b, 0x98, 0xe7, 0xa1, 0x98, 0x73, 0xd9,
 	0x4e, 0x69, 0x97, 0xc6, 0xf9, 0x4c, 0x0a, 0x5d, 0xf1, 0xff, 0x99, 0x8a, 0xd5, 0x9d, 0x86, 0x9d,
 	0xdb, 0xff, 0x59, 0x01, 0x30, 0x65, 0xd1, 0x1e, 0xfc, 0x13, 0xe6, 0x23, 0xc2, 0x78, 0x7c, 0x31,
 	0xc3, 0xb4, 0x71, 0x54, 0x71, 0x1d, 0x8c, 0xb4, 0xdb, 0x02, 0xed, 0xc3, 0x7a, 0x4a, 0x87, 0x3c,
 	0x2c, 0xc1, 0x2a, 0x05, 0x6c, 0xcd, 0x04, 0x4c, 0x57, 0x4b, 0x79, 0x14, 0x75, 0x48, 0x78, 0x65,
 	0xc3, 0xaa, 0xa6, 0x9a, 0x76, 0x5b, 0xa0, 0x27, 0xb0, 0x9a, 0xe6, 0xbf, 0xde, 0x46, 0xd4, 0x0a,
 	0xc4, 0x8a, 0xf2, 0x9d, 0x4e, 0x89, 0xa7, 0x29, 0xbb, 0x73, 0xaa, 0xfd, 0xc2, 0xce, 0xc5, 0x31,
 	0xbc, 0xdc, 0xf9, 0xb1, 0x38, 0xe6, 0x24, 0xc7, 0x6a, 0x02, 0xee, 0xc2, 0x18, 0xab, 0x6d, 0xe4,
 	0xc2, 0x82, 0x2a, 0x45, 0x22, 0xb7, 0xae, 0x5c, 0xda, 0xf4, 0x4f, 0x60, 0x79, 0x7a, 0xf4, 0xd1,
 	0x16, 0x2c, 0x1e, 0x33, 0x91, 0x44, 0x64, 0x74, 0x92, 0xff, 0x43, 0xa5, 0x26, 0xb6, 0x8f, 0xf2,
 	0x4a, 0x98, 0x47, 0xf4, 0xc4, 0xfa, 0xc5, 0xda, 0xf6, 0xb7, 0x61, 0x69, 0xbc, 0x0b, 0x44, 0xc2,
 	0x63, 0x41, 0x6f, 0x5b, 0x06, 0xfe, 0x7b, 0x40, 0xf6, 0xf5, 0x9e, 0x44, 0xdb, 0xc3, 0xe3, 0xcc,
 	0xcc, 0xb7, 0x07, 0xf5, 0x84, 0x08, 0x71, 0xcd, 0xd3, 0xae, 0xae, 0xaa, 0x6d, 0xdf, 0x87, 0xa5,
 	0xb3, 0x51, 0x42, 0x8b, 0x3c, 0x08, 0x6a, 0x72, 0x94, 0xe8, 0x1c, 0xea, 0xdb, 0xdf, 0x87, 0xff,
 	0x6e, 0x19, 0xbe, 0x3b, 0xa8, 0x2e, 0xc0, 0xdc, 0x9b, 0x41, 0x22, 0x47, 0xbb, 0x5f, 0x6b, 0x50,
 	0x3f, 0x9e, 0xec, 0x60, 0x14, 0x40, 0x2d, 0x2f, 0x89, 0x56, 0xcc, 0x8d, 0x50, 0x51, 0xde, 0x86,
 	0x39, 0x98, 0xe2, 0xf4, 0x16, 0xc0, 0x74, 0x8c, 0xfe, 0x35, 0x51, 0xa5, 0x35, 0xe7, 0x6d, 0xde,
 	0xec, 0x9c, 0x24, 0x7a, 0x01, 0x8d, 0x62, 0x9d, 0x20, 0xcf, 0x84, 0xce, 0xee, 0x18, 0x6f, 0x96,
 	0x5a, 0xbe, 0x22, 0xcc, 0x35, 0xb7, 0x29, 0x94, 0x2e, 0x7f, 0x19, 0xdb, 0x87, 0xf5, 0x1b, 0xe5,
 	0x43, 0xdb, 0x56, 0x9a, 0xdf, 0x5c, 0x6e, 0xef, 0xe1, 0x9d, 0x71, 0x93, 0xfe, 0x9e, 0x43, 0x2d,
 	0x1f, 0x21, 0xb4, 0x6e, 0x00, 0xd6, 0xf3, 0x62, 0xeb, 0x3b, 0x35, 0x69, 0x8f, 0x60, 0xae, 0x1d,
 	0x71, 0x71, 0xc3, 0x1f, 0x29, 0xf5, 0xf2, 0x0a, 0xc0, 0x3c, 0x87, 0xb6, 0x0e, 0xa5, 0x47, 0xb2,
 	0x84, 0xf5, 0xab, 0xdf, 0x2a, 0xce, 0xd1, 0xe1, 0x87, 0x97, 0x3d, 0x26, 0xfb, 0x59, 0xa7, 0x15,
 	0xf2, 0x41, 0xd0, 0x27, 0xa2, 0xcf, 0x42, 0x9e, 0x26, 0xc1, 0x90, 0x64, 0x91, 0x0c, 0xee, 0x7c,
 	0xc9, 0x3b, 0xf3, 0x6a, 0x1f, 0xef, 0xfd, 0x0a, 0x00, 0x00, 0xff, 0xff, 0x9c, 0x49, 0x0b, 0x5b,
 	0xf5, 0x07, 0x00, 0x00,
 }
 // Reference imports to suppress errors if they are not otherwise used.
 var _ context.Context
 var _ grpc.ClientConn
@ -982,57 +1032,3 @@ var _Database_serviceDesc = grpc.ServiceDesc{
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "builtin/logical/database/dbplugin/database.proto",
 }
 func init() {
 	proto.RegisterFile("builtin/logical/database/dbplugin/database.proto", fileDescriptor_7bf7b4c7fef2f66e)
 }
 var fileDescriptor_7bf7b4c7fef2f66e = []byte{
 	// 724 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x55, 0xd1, 0x4e, 0xdb, 0x4a,
 	0x10, 0x95, 0x93, 0x00, 0xc9, 0x80, 0x80, 0xec, 0x05, 0x64, 0xf9, 0x72, 0x6f, 0x91, 0x1f, 0x28,
 	0x55, 0xd5, 0xb8, 0x82, 0x56, 0x54, 0xa8, 0xa2, 0x2a, 0xa1, 0xaa, 0x2a, 0x55, 0x3c, 0x2c, 0xf0,
 	0x52, 0x55, 0x42, 0x1b, 0x67, 0x49, 0x56, 0x38, 0x5e, 0xd7, 0xbb, 0x0e, 0x4d, 0x7f, 0xa0, 0xfd,
 	0x8c, 0x7e, 0x4e, 0x1f, 0xfb, 0x49, 0x95, 0x37, 0x59, 0xef, 0x26, 0x86, 0xf2, 0x40, 0xfb, 0xe6,
 	0xd9, 0x99, 0x33, 0x73, 0xe6, 0x78, 0x76, 0x16, 0x9e, 0x76, 0x32, 0x16, 0x49, 0x16, 0x07, 0x11,
 	0xef, 0xb1, 0x90, 0x44, 0x41, 0x97, 0x48, 0xd2, 0x21, 0x82, 0x06, 0xdd, 0x4e, 0x12, 0x65, 0x3d,
 	0x16, 0x17, 0x27, 0xad, 0x24, 0xe5, 0x92, 0xa3, 0xba, 0x76, 0x78, 0x0f, 0x7a, 0x9c, 0xf7, 0x22,
 	0x1a, 0xa8, 0xf3, 0x4e, 0x76, 0x19, 0x48, 0x36, 0xa0, 0x42, 0x92, 0x41, 0x32, 0x0e, 0xf5, 0x3f,
 	0x42, 0xf3, 0x5d, 0xcc, 0x24, 0x23, 0x11, 0xfb, 0x42, 0x31, 0xfd, 0x94, 0x51, 0x21, 0xd1, 0x06,
 	0xcc, 0x87, 0x3c, 0xbe, 0x64, 0x3d, 0xd7, 0xd9, 0x72, 0x76, 0x96, 0xf0, 0xc4, 0x42, 0x8f, 0xa1,
 	0x39, 0xa4, 0x29, 0xbb, 0x1c, 0x5d, 0x84, 0x3c, 0x8e, 0x69, 0x28, 0x19, 0x8f, 0xdd, 0xca, 0x96,
 	0xb3, 0x53, 0xc7, 0xab, 0x63, 0x47, 0xbb, 0x38, 0x3f, 0xa8, 0xb8, 0x8e, 0x8f, 0x61, 0x31, 0xcf,
 	0xfe, 0x27, 0xf3, 0xfa, 0x3f, 0x1c, 0x68, 0xb6, 0x53, 0x4a, 0x24, 0x3d, 0x17, 0x34, 0xd5, 0xa9,
 	0x9f, 0x01, 0x08, 0x49, 0x24, 0x1d, 0xd0, 0x58, 0x0a, 0x95, 0x7e, 0x71, 0x77, 0xad, 0xa5, 0x75,
 	0x68, 0x9d, 0x16, 0x3e, 0x6c, 0xc5, 0xa1, 0xd7, 0xb0, 0x92, 0x09, 0x9a, 0xc6, 0x64, 0x40, 0x2f,
 	0x26, 0xcc, 0x2a, 0x0a, 0xea, 0x1a, 0xe8, 0xf9, 0x24, 0xa0, 0xad, 0xfc, 0x78, 0x39, 0x9b, 0xb2,
 	0xd1, 0x01, 0x00, 0xfd, 0x9c, 0xb0, 0x94, 0x28, 0xd2, 0x55, 0x85, 0xf6, 0x5a, 0x63, 0xd9, 0x5b,
 	0x5a, 0xf6, 0xd6, 0x99, 0x96, 0x1d, 0x5b, 0xd1, 0xfe, 0x77, 0x07, 0x56, 0x31, 0x8d, 0xe9, 0xf5,
 	0xfd, 0x3b, 0xf1, 0xa0, 0xae, 0x89, 0xa9, 0x16, 0x1a, 0xb8, 0xb0, 0xef, 0x45, 0x91, 0x42, 0x13,
 	0xd3, 0x21, 0xbf, 0xa2, 0x7f, 0x95, 0xa2, 0x7f, 0x08, 0x9b, 0x98, 0xe7, 0xa1, 0x98, 0x73, 0xd9,
 	0x4e, 0x69, 0x97, 0xc6, 0xf9, 0x4c, 0x0a, 0x5d, 0xf1, 0xff, 0x99, 0x8a, 0xd5, 0x9d, 0x86, 0x9d,
 	0xdb, 0xff, 0x59, 0x01, 0x30, 0x65, 0xd1, 0x1e, 0xfc, 0x13, 0xe6, 0x23, 0xc2, 0x78, 0x7c, 0x31,
 	0xc3, 0xb4, 0x71, 0x54, 0x71, 0x1d, 0x8c, 0xb4, 0xdb, 0x02, 0xed, 0xc3, 0x7a, 0x4a, 0x87, 0x3c,
 	0x2c, 0xc1, 0x2a, 0x05, 0x6c, 0xcd, 0x04, 0x4c, 0x57, 0x4b, 0x79, 0x14, 0x75, 0x48, 0x78, 0x65,
 	0xc3, 0xaa, 0xa6, 0x9a, 0x76, 0x5b, 0xa0, 0x27, 0xb0, 0x9a, 0xe6, 0xbf, 0xde, 0x46, 0xd4, 0x0a,
 	0xc4, 0x8a, 0xf2, 0x9d, 0x4e, 0x89, 0xa7, 0x29, 0xbb, 0x73, 0xaa, 0xfd, 0xc2, 0xce, 0xc5, 0x31,
 	0xbc, 0xdc, 0xf9, 0xb1, 0x38, 0xe6, 0x24, 0xc7, 0x6a, 0x02, 0xee, 0xc2, 0x18, 0xab, 0x6d, 0xe4,
 	0xc2, 0x82, 0x2a, 0x45, 0x22, 0xb7, 0xae, 0x5c, 0xda, 0xf4, 0x4f, 0x60, 0x79, 0x7a, 0xf4, 0xd1,
 	0x16, 0x2c, 0x1e, 0x33, 0x91, 0x44, 0x64, 0x74, 0x92, 0xff, 0x43, 0xa5, 0x26, 0xb6, 0x8f, 0xf2,
 	0x4a, 0x98, 0x47, 0xf4, 0xc4, 0xfa, 0xc5, 0xda, 0xf6, 0xb7, 0x61, 0x69, 0xbc, 0x0b, 0x44, 0xc2,
 	0x63, 0x41, 0x6f, 0x5b, 0x06, 0xfe, 0x7b, 0x40, 0xf6, 0xf5, 0x9e, 0x44, 0xdb, 0xc3, 0xe3, 0xcc,
 	0xcc, 0xb7, 0x07, 0xf5, 0x84, 0x08, 0x71, 0xcd, 0xd3, 0xae, 0xae, 0xaa, 0x6d, 0xdf, 0x87, 0xa5,
 	0xb3, 0x51, 0x42, 0x8b, 0x3c, 0x08, 0x6a, 0x72, 0x94, 0xe8, 0x1c, 0xea, 0xdb, 0xdf, 0x87, 0xff,
 	0x6e, 0x19, 0xbe, 0x3b, 0xa8, 0x2e, 0xc0, 0xdc, 0x9b, 0x41, 0x22, 0x47, 0xbb, 0x5f, 0x6b, 0x50,
 	0x3f, 0x9e, 0xec, 0x60, 0x14, 0x40, 0x2d, 0x2f, 0x89, 0x56, 0xcc, 0x8d, 0x50, 0x51, 0xde, 0x86,
 	0x39, 0x98, 0xe2, 0xf4, 0x16, 0xc0, 0x74, 0x8c, 0xfe, 0x35, 0x51, 0xa5, 0x35, 0xe7, 0x6d, 0xde,
 	0xec, 0x9c, 0x24, 0x7a, 0x01, 0x8d, 0x62, 0x9d, 0x20, 0xcf, 0x84, 0xce, 0xee, 0x18, 0x6f, 0x96,
 	0x5a, 0xbe, 0x22, 0xcc, 0x35, 0xb7, 0x29, 0x94, 0x2e, 0x7f, 0x19, 0xdb, 0x87, 0xf5, 0x1b, 0xe5,
 	0x43, 0xdb, 0x56, 0x9a, 0xdf, 0x5c, 0x6e, 0xef, 0xe1, 0x9d, 0x71, 0x93, 0xfe, 0x9e, 0x43, 0x2d,
 	0x1f, 0x21, 0xb4, 0x6e, 0x00, 0xd6, 0xf3, 0x62, 0xeb, 0x3b, 0x35, 0x69, 0x8f, 0x60, 0xae, 0x1d,
 	0x71, 0x71, 0xc3, 0x1f, 0x29, 0xf5, 0xf2, 0x0a, 0xc0, 0x3c, 0x87, 0xb6, 0x0e, 0xa5, 0x47, 0xb2,
 	0x84, 0xf5, 0xab, 0xdf, 0x2a, 0xce, 0xd1, 0xe1, 0x87, 0x97, 0x3d, 0x26, 0xfb, 0x59, 0xa7, 0x15,
 	0xf2, 0x41, 0xd0, 0x27, 0xa2, 0xcf, 0x42, 0x9e, 0x26, 0xc1, 0x90, 0x64, 0x91, 0x0c, 0xee, 0x7c,
 	0xc9, 0x3b, 0xf3, 0x6a, 0x1f, 0xef, 0xfd, 0x0a, 0x00, 0x00, 0xff, 0xff, 0x9c, 0x49, 0x0b, 0x5b,
 	0xf5, 0x07, 0x00, 0x00,
 }
--- a/helper/forwarding/types.pb.go
+++ b/helper/forwarding/types.pb.go
@ -5,9 +5,8 @@ package forwarding
 import (
 	fmt "fmt"
 	math "math"
 	proto "github.com/golang/protobuf/proto"
 	math "math"
 )
 // Reference imports to suppress errors if they are not otherwise used.
--- a/helper/identity/mfa/types.pb.go
+++ b/helper/identity/mfa/types.pb.go
@ -6,9 +6,8 @@ package mfa
 import (
 	fmt "fmt"
 	math "math"
 	proto "github.com/golang/protobuf/proto"
 	math "math"
 )
 // Reference imports to suppress errors if they are not otherwise used.
--- a/helper/identity/types.pb.go
+++ b/helper/identity/types.pb.go
@ -5,11 +5,10 @@ package identity
 import (
 	fmt "fmt"
 	math "math"
 	proto "github.com/golang/protobuf/proto"
 	timestamp "github.com/golang/protobuf/ptypes/timestamp"
 	mfa "github.com/hashicorp/vault/helper/identity/mfa"
 	math "math"
 )
 // Reference imports to suppress errors if they are not otherwise used.
--- a/helper/ldaputil/config.go
+++ b/helper/ldaputil/config.go
@ -9,6 +9,7 @@ import (
 	"text/template"
 	"github.com/hashicorp/vault/helper/tlsutil"
 	"github.com/hashicorp/vault/helper/tokenhelper"
 	"github.com/hashicorp/vault/logical/framework"
 	"github.com/hashicorp/errwrap"
@ -16,8 +17,8 @@ import (
 // ConfigFields returns all the config fields that can potentially be used by the LDAP client.
 // Not all fields will be used by every integration.
-func ConfigFields() map[string]*framework.FieldSchema {
+func ConfigFields(tokenFields bool) map[string]*framework.FieldSchema {
-	return map[string]*framework.FieldSchema{
+	ret := map[string]*framework.FieldSchema{
 		"url": {
 			Type:        framework.TypeString,
 			Default:     "ldap://127.0.0.1",
@ -122,6 +123,12 @@ Default: cn`,
 			Description: "If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.",
 		},
 	}
 	if tokenFields {
 		tokenhelper.AddTokenFields(ret)
 	}
 	return ret
 }
 /*
@ -246,6 +253,8 @@ func NewConfigEntry(d *framework.FieldData) (*ConfigEntry, error) {
 }
 type ConfigEntry struct {
 	tokenhelper.TokenParams
 	Url            string `json:"url"`
 	UserDN         string `json:"userdn"`
 	GroupDN        string `json:"groupdn"`
--- a/helper/storagepacker/types.pb.go
+++ b/helper/storagepacker/types.pb.go
@ -5,10 +5,9 @@ package storagepacker
 import (
 	fmt "fmt"
 	math "math"
 	proto "github.com/golang/protobuf/proto"
 	any "github.com/golang/protobuf/ptypes/any"
 	math "math"
 )
 // Reference imports to suppress errors if they are not otherwise used.
--- a/helper/strutil/strutil.go
+++ b/helper/strutil/strutil.go
@ -14,6 +14,9 @@ import (
 // StrListContainsGlob looks for a string in a list of strings and allows
 // globs.
 func StrListContainsGlob(haystack []string, needle string) bool {
 	if len(haystack) == 0 {
 		return false
 	}
 	for _, item := range haystack {
 		if glob.Glob(item, needle) {
 			return true
@ -24,6 +27,9 @@ func StrListContainsGlob(haystack []string, needle string) bool {
 // StrListContains looks for a string in a list of strings.
 func StrListContains(haystack []string, needle string) bool {
 	if len(haystack) == 0 {
 		return false
 	}
 	for _, item := range haystack {
 		if item == needle {
 			return true
--- a/helper/tokenhelper/tokenhelper.go
+++ b/helper/tokenhelper/tokenhelper.go
@ -0,0 +1,210 @@
 package tokenhelper
 import (
 	"errors"
 	"fmt"
 	"time"
 	sockaddr "github.com/hashicorp/go-sockaddr"
 	"github.com/hashicorp/vault/helper/parseutil"
 	"github.com/hashicorp/vault/helper/strutil"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 )
 type TokenParams struct {
 	// The set of CIDRs that tokens generated using this role will be bound to
 	BoundCIDRs []*sockaddr.SockAddrMarshaler `json:"bound_cidrs"`
 	// If set, the token entry will have an explicit maximum TTL set, rather
 	// than deferring to role/mount values
 	ExplicitMaxTTL time.Duration `json:"explicit_max_ttl" mapstructure:"explicit_max_ttl"`
 	// The max TTL to use for the token
 	MaxTTL time.Duration `json:"max_ttl" mapstructure:"max_ttl"`
 	// If set, core will not automatically add default to the policy list
 	NoDefaultPolicy bool `json:"no_default_policy" mapstructure:"no_default_policy"`
 	// If non-zero, tokens created using this role will be able to be renewed
 	// forever, but will have a fixed renewal period of this value
 	Period time.Duration `json:"period" mapstructure:"period"`
 	// The policies to set
 	Policies []string `json:"policies" mapstructure:"policies"`
 	// The type of token this role should issue
 	TokenType logical.TokenType `json:"token_type" mapstructure:"token_type"`
 	// The TTL to user for the token
 	TTL time.Duration `json:"ttl" mapstructure:"ttl"`
 }
 // AddTokenFields adds fields to an existing role. It panics if it would
 // overwrite an existing field.
 func AddTokenFields(m map[string]*framework.FieldSchema) {
 	AddTokenFieldsWithAllowList(m, nil)
 }
 func AddTokenFieldsWithAllowList(m map[string]*framework.FieldSchema, allowed []string) {
 	r := TokenFields()
 	for k, v := range r {
 		if len(allowed) > 0 && !strutil.StrListContains(allowed, k) {
 			continue
 		}
 		if _, has := m[k]; has {
 			panic(fmt.Sprintf("adding role field %s would overwrite existing field", k))
 		}
 		m[k] = v
 	}
 }
 func TokenFields() map[string]*framework.FieldSchema {
 	return map[string]*framework.FieldSchema{
 		"bound_cidrs": &framework.FieldSchema{
 			Type:        framework.TypeCommaStringSlice,
 			Description: `Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.`,
 		},
 		"explicit_max_ttl": &framework.FieldSchema{
 			Type:        framework.TypeDurationSecond,
 			Description: tokenExplicitMaxTTLHelp,
 		},
 		"max_ttl": &framework.FieldSchema{
 			Type:        framework.TypeDurationSecond,
 			Description: "The maximum lifetime of the generated token",
 		},
 		"no_default_policy": &framework.FieldSchema{
 			Type:        framework.TypeBool,
 			Description: "If true, the 'default' policy will not automatically be added to generated tokens",
 		},
 		"period": &framework.FieldSchema{
 			Type:        framework.TypeDurationSecond,
 			Description: tokenPeriodHelp,
 		},
 		"policies": &framework.FieldSchema{
 			Type:        framework.TypeCommaStringSlice,
 			Description: "Comma-separated list of policies",
 		},
 		"token_type": &framework.FieldSchema{
 			Type:        framework.TypeString,
 			Description: "The type of token to generate, service or batch",
 		},
 		"ttl": &framework.FieldSchema{
 			Type:        framework.TypeDurationSecond,
 			Description: "The initial ttl of the token to generate",
 		},
 	}
 }
 func (t *TokenParams) ParseTokenFields(req *logical.Request, d *framework.FieldData) error {
 	if boundCIDRsRaw, ok := d.GetOk("bound_cidrs"); ok {
 		boundCIDRs, err := parseutil.ParseAddrs(boundCIDRsRaw.([]string))
 		if err != nil {
 			return err
 		}
 		t.BoundCIDRs = boundCIDRs
 	}
 	if explicitMaxTTLRaw, ok := d.GetOk("explicit_max_ttl"); ok {
 		t.ExplicitMaxTTL = time.Duration(explicitMaxTTLRaw.(int)) * time.Second
 	}
 	if maxTTLRaw, ok := d.GetOk("max_ttl"); ok {
 		t.MaxTTL = time.Duration(maxTTLRaw.(int)) * time.Second
 	} else if maxTTLRaw, ok := d.GetOk("lease_max"); ok {
 		t.MaxTTL = time.Duration(maxTTLRaw.(int)) * time.Second
 	}
 	if t.MaxTTL < 0 {
 		return errors.New("'max_ttl' cannot be negative")
 	}
 	if noDefaultRaw, ok := d.GetOk("no_default_policy"); ok {
 		t.NoDefaultPolicy = noDefaultRaw.(bool)
 	}
 	if periodRaw, ok := d.GetOk("period"); ok {
 		t.Period = time.Duration(periodRaw.(int)) * time.Second
 	}
 	if t.Period < 0 {
 		return errors.New("'period' cannot be negative")
 	}
 	if policiesRaw, ok := d.GetOk("policies"); ok {
 		t.Policies = policiesRaw.([]string)
 	}
 	if tokenTypeRaw, ok := d.GetOk("token_type"); ok {
 		var tokenType logical.TokenType
 		tokenTypeStr := tokenTypeRaw.(string)
 		switch tokenTypeStr {
 		case "service":
 			tokenType = logical.TokenTypeService
 		case "batch":
 			tokenType = logical.TokenTypeBatch
 		case "default-service":
 			tokenType = logical.TokenTypeDefaultService
 		case "default-batch":
 			tokenType = logical.TokenTypeDefaultBatch
 		default:
 			return fmt.Errorf("invalid 'token_type' value %q", tokenTypeStr)
 		}
 		t.TokenType = tokenType
 	}
 	if ttlRaw, ok := d.GetOk("ttl"); ok {
 		t.TTL = time.Duration(ttlRaw.(int)) * time.Second
 	} else if ttlRaw, ok := d.GetOk("lease"); ok {
 		t.TTL = time.Duration(ttlRaw.(int)) * time.Second
 	}
 	if t.TTL < 0 {
 		return errors.New("'ttl' cannot be negative")
 	}
 	if t.TTL > 0 && t.MaxTTL > 0 && t.TTL > t.MaxTTL {
 		return errors.New("'ttl' cannot be greater than 'max_ttl'")
 	}
 	return nil
 }
 func (t *TokenParams) PopulateTokenData(m map[string]interface{}) {
 	m["bound_cidrs"] = t.BoundCIDRs
 	m["explicit_max_ttl"] = t.ExplicitMaxTTL.Seconds()
 	m["max_ttl"] = t.MaxTTL.Seconds()
 	m["no_default_policy"] = t.NoDefaultPolicy
 	m["period"] = t.Period.Seconds()
 	m["policies"] = t.Policies
 	m["token_type"] = t.TokenType.String()
 	m["ttl"] = t.TTL.Seconds()
 }
 func (t *TokenParams) PopulateTokenAuth(auth *logical.Auth) {
 	auth.BoundCIDRs = t.BoundCIDRs
 	auth.ExplicitMaxTTL = t.ExplicitMaxTTL
 	auth.MaxTTL = t.MaxTTL
 	auth.NoDefaultPolicy = t.NoDefaultPolicy
 	auth.Period = t.Period
 	auth.Policies = t.Policies
 	auth.TokenType = t.TokenType
 	auth.TTL = t.TTL
 }
 const (
 	tokenPeriodHelp = `If set, tokens created via this role
 will have no max lifetime; instead, their
 renewal period will be fixed to this value.
 This takes an integer number of seconds,
 or a string duration (e.g. "24h").`
 	tokenExplicitMaxTTLHelp = `If set, tokens created via this role
 carry an explicit maximum TTL. During renewal,
 the current maximum TTL values of the role
 and the mount are not checked for changes,
 and any updates to these values will have
 no effect on the token being renewed.`
 )
--- a/logical/auth.go
+++ b/logical/auth.go
@ -38,6 +38,11 @@ type Auth struct {
 	// different namespaces indexed by respective namespace identifiers
 	ExternalNamespacePolicies map[string][]string `json:"external_namespace_policies" mapstructure:"external_namespace_policies" structs:"external_namespace_policies"`
 	// Indicates that the default policy should not be added by core when
 	// creating a token. The default policy will still be added if it's
 	// explicitly defined.
 	NoDefaultPolicy bool `json:"no_default_policy" mapstructure:"no_default_policy" structs:"no_default_policy"`
 	// Metadata is used to attach arbitrary string-type metadata to
 	// an authenticated user. This metadata will be outputted into the
 	// audit log.
--- a/logical/identity.pb.go
+++ b/logical/identity.pb.go
@ -5,9 +5,8 @@ package logical
 import (
 	fmt "fmt"
 	math "math"
 	proto "github.com/golang/protobuf/proto"
 	math "math"
 )
 // Reference imports to suppress errors if they are not otherwise used.
--- a/logical/plugin.pb.go
+++ b/logical/plugin.pb.go
@ -5,9 +5,8 @@ package logical
 import (
 	fmt "fmt"
 	math "math"
 	proto "github.com/golang/protobuf/proto"
 	math "math"
 )
 // Reference imports to suppress errors if they are not otherwise used.
--- a/logical/plugin/pb/backend.pb.go
+++ b/logical/plugin/pb/backend.pb.go
@ -5,16 +5,12 @@ package pb
 import (
 	fmt "fmt"
 	math "math"
 	proto "github.com/golang/protobuf/proto"
 	timestamp "github.com/golang/protobuf/ptypes/timestamp"
 	logical "github.com/hashicorp/vault/logical"
 )
 import (
 	context "golang.org/x/net/context"
 	grpc "google.golang.org/grpc"
 	math "math"
 )
 // Reference imports to suppress errors if they are not otherwise used.
@ -530,7 +526,9 @@ type Auth struct {
 	// TTL is a hard limit and cannot be exceeded, also counts for periodic tokens.
 	ExplicitMaxTTL int64 `sentinel:"" protobuf:"varint,16,opt,name=explicit_max_ttl,json=explicitMaxTtl,proto3" json:"explicit_max_ttl,omitempty"`
 	// TokenType is the type of token being requested
-	TokenType            uint32   `sentinel:"" protobuf:"varint,17,opt,name=token_type,json=tokenType,proto3" json:"token_type,omitempty"`
+	TokenType uint32 `sentinel:"" protobuf:"varint,17,opt,name=token_type,json=tokenType,proto3" json:"token_type,omitempty"`
 	// Whether the default policy should be added automatically by core
 	NoDefaultPolicy      bool     `sentinel:"" protobuf:"varint,18,opt,name=no_default_policy,json=noDefaultPolicy,proto3" json:"no_default_policy,omitempty"`
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
 	XXX_sizecache        int32    `json:"-"`
@ -680,6 +678,13 @@ func (m *Auth) GetTokenType() uint32 {
 	return 0
 }
 func (m *Auth) GetNoDefaultPolicy() bool {
 	if m != nil {
 		return m.NoDefaultPolicy
 	}
 	return false
 }
 type TokenEntry struct {
 	ID                   string            `sentinel:"" protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
 	Accessor             string            `sentinel:"" protobuf:"bytes,2,opt,name=accessor,proto3" json:"accessor,omitempty"`
@ -2702,6 +2707,169 @@ func init() {
 	proto.RegisterType((*Connection)(nil), "pb.Connection")
 }
 func init() { proto.RegisterFile("logical/plugin/pb/backend.proto", fileDescriptor_25821d34acc7c5ef) }
 var fileDescriptor_25821d34acc7c5ef = []byte{
 	// 2503 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x59, 0xdd, 0x72, 0xdb, 0xc6,
 	0x15, 0x1e, 0x92, 0xe2, 0xdf, 0xe1, 0x9f, 0xb8, 0x56, 0x54, 0x98, 0x71, 0x6a, 0x06, 0xa9, 0x6d,
 	0xc5, 0xb5, 0x29, 0x5b, 0x69, 0x1a, 0xa7, 0x9d, 0xa4, 0xa3, 0xc8, 0x8a, 0xa3, 0x46, 0x4a, 0x34,
 	0x10, 0xdd, 0xf4, 0x6f, 0x06, 0x59, 0x02, 0x2b, 0x0a, 0x23, 0x10, 0x40, 0x17, 0x0b, 0x59, 0xbc,
 	0xea, 0x5b, 0xf4, 0x35, 0x7a, 0xdb, 0xbb, 0xde, 0x75, 0x3a, 0xed, 0x75, 0x5f, 0xa1, 0x97, 0x7d,
 	0x86, 0xce, 0x9e, 0x5d, 0x80, 0x00, 0x49, 0xc5, 0xce, 0x4c, 0x7b, 0xb7, 0x7b, 0xce, 0xd9, 0xbf,
 	0xb3, 0xdf, 0xf9, 0xce, 0x59, 0x00, 0xee, 0xfa, 0xe1, 0xd4, 0x73, 0xa8, 0xbf, 0x1b, 0xf9, 0xc9,
 	0xd4, 0x0b, 0x76, 0xa3, 0xc9, 0xee, 0x84, 0x3a, 0x97, 0x2c, 0x70, 0x47, 0x11, 0x0f, 0x45, 0x48,
 	0xca, 0xd1, 0x64, 0x70, 0x77, 0x1a, 0x86, 0x53, 0x9f, 0xed, 0xa2, 0x64, 0x92, 0x9c, 0xef, 0x0a,
 	0x6f, 0xc6, 0x62, 0x41, 0x67, 0x91, 0x32, 0x1a, 0x6c, 0xa7, 0xb3, 0x78, 0x2e, 0x0b, 0x84, 0x27,
 	0xe6, 0x5a, 0xbe, 0x55, 0x9c, 0x5d, 0x49, 0xcd, 0x3a, 0x54, 0x0f, 0x67, 0x91, 0x98, 0x9b, 0x43,
 	0xa8, 0x7d, 0xc1, 0xa8, 0xcb, 0x38, 0xd9, 0x86, 0xda, 0x05, 0xb6, 0x8c, 0xd2, 0xb0, 0xb2, 0xd3,
 	0xb4, 0x74, 0xcf, 0xfc, 0x1d, 0xc0, 0xa9, 0x1c, 0x73, 0xc8, 0x79, 0xc8, 0xc9, 0x6d, 0x68, 0x30,
 	0xce, 0x6d, 0x31, 0x8f, 0x98, 0x51, 0x1a, 0x96, 0x76, 0x3a, 0x56, 0x9d, 0x71, 0x3e, 0x9e, 0x47,
 	0x8c, 0xfc, 0x00, 0x64, 0xd3, 0x9e, 0xc5, 0x53, 0xa3, 0x3c, 0x2c, 0xc9, 0x19, 0x18, 0xe7, 0x27,
 	0xf1, 0x34, 0x1d, 0xe3, 0x84, 0x2e, 0x33, 0x2a, 0xc3, 0xd2, 0x4e, 0x05, 0xc7, 0x1c, 0x84, 0x2e,
 	0x33, 0xff, 0x54, 0x82, 0xea, 0x29, 0x15, 0x17, 0x31, 0x21, 0xb0, 0xc1, 0xc3, 0x50, 0xe8, 0xc5,
 	0xb1, 0x4d, 0x76, 0xa0, 0x97, 0x04, 0x34, 0x11, 0x17, 0xf2, 0x44, 0x0e, 0x15, 0xcc, 0x35, 0xca,
 	0xa8, 0x5e, 0x16, 0x93, 0xf7, 0xa0, 0xe3, 0x87, 0x0e, 0xf5, 0xed, 0x58, 0x84, 0x9c, 0x4e, 0xe5,
 	0x3a, 0xd2, 0xae, 0x8d, 0xc2, 0x33, 0x25, 0x23, 0x0f, 0xa1, 0x1f, 0x33, 0xea, 0xdb, 0xaf, 0x38,
 	0x8d, 0x32, 0xc3, 0x0d, 0x35, 0xa1, 0x54, 0x7c, 0xc3, 0x69, 0xa4, 0x6d, 0xcd, 0xbf, 0xd6, 0xa0,
 	0x6e, 0xb1, 0x3f, 0x24, 0x2c, 0x16, 0xa4, 0x0b, 0x65, 0xcf, 0xc5, 0xd3, 0x36, 0xad, 0xb2, 0xe7,
 	0x92, 0x11, 0x10, 0x8b, 0x45, 0xbe, 0x5c, 0xda, 0x0b, 0x83, 0x03, 0x3f, 0x89, 0x05, 0xe3, 0xfa,
 	0xcc, 0x6b, 0x34, 0xe4, 0x0e, 0x34, 0xc3, 0x88, 0x71, 0x94, 0xa1, 0x03, 0x9a, 0xd6, 0x42, 0x20,
 	0x0f, 0x1e, 0x51, 0x71, 0x61, 0x6c, 0xa0, 0x02, 0xdb, 0x52, 0xe6, 0x52, 0x41, 0x8d, 0xaa, 0x92,
 	0xc9, 0x36, 0x31, 0xa1, 0x16, 0x33, 0x87, 0x33, 0x61, 0xd4, 0x86, 0xa5, 0x9d, 0xd6, 0x1e, 0x8c,
 	0xa2, 0xc9, 0xe8, 0x0c, 0x25, 0x96, 0xd6, 0x90, 0x3b, 0xb0, 0x21, 0xfd, 0x62, 0xd4, 0xd1, 0xa2,
 	0x21, 0x2d, 0xf6, 0x13, 0x71, 0x61, 0xa1, 0x94, 0xec, 0x41, 0x5d, 0xdd, 0x69, 0x6c, 0x34, 0x86,
 	0x95, 0x9d, 0xd6, 0x9e, 0x21, 0x0d, 0xf4, 0x29, 0x47, 0x0a, 0x06, 0xf1, 0x61, 0x20, 0xf8, 0xdc,
 	0x4a, 0x0d, 0xc9, 0xbb, 0xd0, 0x76, 0x7c, 0x8f, 0x05, 0xc2, 0x16, 0xe1, 0x25, 0x0b, 0x8c, 0x26,
 	0xee, 0xa8, 0xa5, 0x64, 0x63, 0x29, 0x22, 0x7b, 0xf0, 0x56, 0xde, 0xc4, 0xa6, 0x8e, 0xc3, 0xe2,
 	0x38, 0xe4, 0x06, 0xa0, 0xed, 0xad, 0x9c, 0xed, 0xbe, 0x56, 0xc9, 0x69, 0x5d, 0x2f, 0x8e, 0x7c,
 	0x3a, 0xb7, 0x03, 0x3a, 0x63, 0x46, 0x4b, 0x4d, 0xab, 0x65, 0x5f, 0xd1, 0x19, 0x23, 0x77, 0xa1,
 	0x35, 0x0b, 0x93, 0x40, 0xd8, 0x51, 0xe8, 0x05, 0xc2, 0x68, 0xa3, 0x05, 0xa0, 0xe8, 0x54, 0x4a,
 	0xc8, 0x3b, 0xa0, 0x7a, 0x0a, 0x8c, 0x1d, 0xe5, 0x57, 0x94, 0x20, 0x1c, 0xef, 0x41, 0x57, 0xa9,
 	0xb3, 0xfd, 0x74, 0xd1, 0xa4, 0x83, 0xd2, 0x6c, 0x27, 0x4f, 0xa0, 0x89, 0x78, 0xf0, 0x82, 0xf3,
 	0xd0, 0xe8, 0xa1, 0xdf, 0x6e, 0xe5, 0xdc, 0x22, 0x31, 0x71, 0x14, 0x9c, 0x87, 0x56, 0xe3, 0x95,
 	0x6e, 0x91, 0x4f, 0xe0, 0xed, 0xc2, 0x79, 0x39, 0x9b, 0x51, 0x2f, 0xf0, 0x82, 0xa9, 0x9d, 0xc4,
 	0x2c, 0x36, 0x36, 0x11, 0xe1, 0x46, 0xee, 0xd4, 0x56, 0x6a, 0xf0, 0x32, 0x66, 0x31, 0x79, 0x1b,
 	0x9a, 0x2a, 0x40, 0x6d, 0xcf, 0x35, 0xfa, 0xb8, 0xa5, 0x86, 0x12, 0x1c, 0xb9, 0xe4, 0x01, 0xf4,
 	0xa2, 0xd0, 0xf7, 0x9c, 0xb9, 0x1d, 0x5e, 0x31, 0xce, 0x3d, 0x97, 0x19, 0x64, 0x58, 0xda, 0x69,
 	0x58, 0x5d, 0x25, 0xfe, 0x5a, 0x4b, 0xd7, 0x85, 0xc6, 0x2d, 0x34, 0x5c, 0x09, 0x8d, 0x11, 0x80,
 	0x13, 0x06, 0x01, 0x73, 0x10, 0x7e, 0x5b, 0x78, 0xc2, 0xae, 0x3c, 0xe1, 0x41, 0x26, 0xb5, 0x72,
 	0x16, 0x83, 0xcf, 0xa1, 0x9d, 0x87, 0x02, 0xd9, 0x84, 0xca, 0x25, 0x9b, 0x6b, 0xf8, 0xcb, 0x26,
 	0x19, 0x42, 0xf5, 0x8a, 0xfa, 0x09, 0x43, 0xc8, 0x6b, 0x20, 0xaa, 0x21, 0x96, 0x52, 0xfc, 0xac,
 	0xfc, 0xac, 0x64, 0xfe, 0xbb, 0x0a, 0x1b, 0x12, 0x7c, 0xe4, 0x43, 0xe8, 0xf8, 0x8c, 0xc6, 0xcc,
 	0x0e, 0x23, 0xb9, 0x40, 0x8c, 0x53, 0xb5, 0xf6, 0x36, 0xe5, 0xb0, 0x63, 0xa9, 0xf8, 0x5a, 0xc9,
 	0xad, 0xb6, 0x9f, 0xeb, 0xc9, 0x90, 0xf6, 0x02, 0xc1, 0x78, 0x40, 0x7d, 0x1b, 0x83, 0x41, 0x05,
 	0x58, 0x3b, 0x15, 0x3e, 0x97, 0x41, 0xb1, 0x8c, 0xa3, 0xca, 0x2a, 0x8e, 0x06, 0xd0, 0x40, 0xdf,
 	0x79, 0x2c, 0xd6, 0xc1, 0x9e, 0xf5, 0xc9, 0x1e, 0x34, 0x66, 0x4c, 0x50, 0x1d, 0x6b, 0x32, 0x24,
 	0xb6, 0xd3, 0x98, 0x19, 0x9d, 0x68, 0x85, 0x0a, 0x88, 0xcc, 0x6e, 0x25, 0x22, 0x6a, 0xab, 0x11,
 	0x31, 0x80, 0x46, 0x06, 0xba, 0xba, 0xba, 0xe1, 0xb4, 0x2f, 0x69, 0x36, 0x62, 0xdc, 0x0b, 0x5d,
 	0xa3, 0x81, 0x40, 0xd1, 0x3d, 0x49, 0x92, 0x41, 0x32, 0x53, 0x10, 0x6a, 0x2a, 0x92, 0x0c, 0x92,
 	0xd9, 0x2a, 0x62, 0x60, 0x09, 0x31, 0x3f, 0x82, 0x2a, 0xf5, 0x3d, 0x1a, 0x63, 0x08, 0xc9, 0x9b,
 	0xd5, 0x7c, 0x3f, 0xda, 0x97, 0x52, 0x4b, 0x29, 0xc9, 0x07, 0xd0, 0x99, 0xf2, 0x30, 0x89, 0x6c,
 	0xec, 0xb2, 0xd8, 0x68, 0xe3, 0x69, 0x97, 0xad, 0xdb, 0x68, 0xb4, 0xaf, 0x6c, 0x64, 0x04, 0x4e,
 	0xc2, 0x24, 0x70, 0x6d, 0xc7, 0x73, 0x79, 0x6c, 0x74, 0xd0, 0x79, 0x80, 0xa2, 0x03, 0x29, 0x91,
 	0x21, 0xa6, 0x42, 0x20, 0x73, 0x70, 0x17, 0x6d, 0x3a, 0x28, 0x3d, 0x4d, 0xbd, 0xfc, 0x63, 0xe8,
 	0xa7, 0x49, 0x69, 0x61, 0xd9, 0x43, 0xcb, 0xcd, 0x54, 0x91, 0x19, 0xef, 0xc0, 0x26, 0xbb, 0x96,
 	0x14, 0xea, 0x09, 0x7b, 0x46, 0xaf, 0x6d, 0x21, 0x7c, 0x1d, 0x52, 0xdd, 0x54, 0x7e, 0x42, 0xaf,
 	0xc7, 0xc2, 0x97, 0xf1, 0xaf, 0x56, 0xc7, 0xf8, 0xef, 0x63, 0x32, 0x6a, 0xa2, 0x04, 0xe3, 0xff,
 	0x21, 0xf4, 0x83, 0xd0, 0x76, 0xd9, 0x39, 0x4d, 0x7c, 0xa1, 0xd6, 0x9d, 0xeb, 0x60, 0xea, 0x05,
 	0xe1, 0x73, 0x25, 0xc7, 0x65, 0xe7, 0x83, 0x9f, 0x43, 0xa7, 0x70, 0xdd, 0x6b, 0x40, 0xbf, 0x95,
 	0x07, 0x7d, 0x33, 0x0f, 0xf4, 0x7f, 0x6c, 0x00, 0xe0, 0xbd, 0xab, 0xa1, 0xcb, 0xd9, 0x22, 0x0f,
 	0x86, 0xf2, 0x1a, 0x30, 0x50, 0xce, 0x02, 0xa1, 0x81, 0xab, 0x7b, 0xdf, 0x89, 0xd9, 0x34, 0x5f,
 	0x54, 0x73, 0xf9, 0xe2, 0x11, 0x6c, 0x48, 0x7c, 0x1a, 0xb5, 0x05, 0xad, 0x2f, 0x76, 0x84, 0x48,
 	0x56, 0x28, 0x46, 0xab, 0x95, 0xa0, 0xa9, 0xaf, 0x06, 0x4d, 0x1e, 0x8d, 0x8d, 0x22, 0x1a, 0xdf,
 	0x83, 0x8e, 0xc3, 0x19, 0xe6, 0x2e, 0x5b, 0x16, 0x21, 0x1a, 0xad, 0xed, 0x54, 0x38, 0xf6, 0x66,
 	0x4c, 0xfa, 0x4f, 0x5e, 0x1c, 0xa0, 0x4a, 0x36, 0xd7, 0xde, 0x6b, 0x6b, 0xed, 0xbd, 0x62, 0x25,
 	0xe0, 0x33, 0xcd, 0xf8, 0xd8, 0xce, 0x45, 0x4d, 0xa7, 0x10, 0x35, 0x85, 0xd0, 0xe8, 0x2e, 0x85,
 	0xc6, 0x12, 0x7e, 0x7b, 0x2b, 0xf8, 0x7d, 0x17, 0xda, 0xd2, 0x01, 0x71, 0x44, 0x1d, 0x26, 0x27,
 	0xd8, 0x54, 0x8e, 0xc8, 0x64, 0x47, 0x2e, 0x46, 0x7b, 0x32, 0x99, 0xcc, 0x2f, 0x42, 0x9f, 0x2d,
 	0x08, 0xbb, 0x95, 0xc9, 0x8e, 0x5c, 0xb9, 0x5f, 0x44, 0x20, 0x41, 0x04, 0x62, 0x7b, 0xf0, 0x11,
 	0x34, 0x33, 0xaf, 0x7f, 0x2f, 0x30, 0xfd, 0xb9, 0x04, 0xed, 0x3c, 0x29, 0xca, 0xc1, 0xe3, 0xf1,
 	0x31, 0x0e, 0xae, 0x58, 0xb2, 0x29, 0xcb, 0x09, 0xce, 0x02, 0xf6, 0x8a, 0x4e, 0x7c, 0x35, 0x41,
 	0xc3, 0x5a, 0x08, 0xa4, 0xd6, 0x0b, 0x1c, 0xce, 0x66, 0x29, 0xaa, 0x2a, 0xd6, 0x42, 0x40, 0x3e,
 	0x06, 0xf0, 0xe2, 0x38, 0x61, 0xea, 0xe6, 0x36, 0x90, 0x32, 0x06, 0x23, 0x55, 0x5b, 0x8e, 0xd2,
 	0xda, 0x72, 0x34, 0x4e, 0x6b, 0x4b, 0xab, 0x89, 0xd6, 0x78, 0xa5, 0xdb, 0x50, 0x93, 0x17, 0x34,
 	0x3e, 0x46, 0xe4, 0x55, 0x2c, 0xdd, 0x33, 0xff, 0x08, 0x35, 0x55, 0x85, 0xfc, 0x5f, 0x89, 0xfe,
 	0x36, 0x34, 0xd4, 0xdc, 0x9e, 0xab, 0x63, 0xa5, 0x8e, 0xfd, 0x23, 0xd7, 0xfc, 0x67, 0x09, 0x1a,
 	0x16, 0x8b, 0xa3, 0x30, 0x88, 0x59, 0xae, 0x4a, 0x2a, 0xbd, 0xb6, 0x4a, 0x2a, 0xaf, 0xad, 0x92,
 	0xd2, 0xda, 0xab, 0x92, 0xab, 0xbd, 0x06, 0xd0, 0xe0, 0xcc, 0xf5, 0x38, 0x73, 0x84, 0xae, 0xd3,
 	0xb2, 0xbe, 0xd4, 0xbd, 0xa2, 0x5c, 0xa6, 0xf7, 0x18, 0x73, 0x48, 0xd3, 0xca, 0xfa, 0xe4, 0x69,
 	0xbe, 0xb8, 0x50, 0x65, 0xdb, 0x96, 0x2a, 0x2e, 0xd4, 0x76, 0x57, 0xab, 0x0b, 0xf3, 0xef, 0x65,
 	0xd8, 0x5c, 0x56, 0xaf, 0x01, 0xc1, 0x16, 0x54, 0x55, 0xfa, 0xd1, 0x08, 0x12, 0x2b, 0x89, 0xa7,
 	0xb2, 0xc4, 0x35, 0xbf, 0x58, 0x8e, 0xdb, 0xd7, 0xdf, 0x7e, 0x31, 0xa6, 0xdf, 0x87, 0x4d, 0xb9,
 	0xcb, 0x88, 0xb9, 0x8b, 0x92, 0x4a, 0x91, 0x50, 0x4f, 0xcb, 0xb3, 0xa2, 0xea, 0x21, 0xf4, 0x53,
 	0xd3, 0x45, 0x78, 0xd6, 0x0a, 0xb6, 0x87, 0x69, 0x94, 0x6e, 0x43, 0xed, 0x3c, 0xe4, 0x33, 0x2a,
 	0x34, 0x0f, 0xe9, 0x5e, 0x81, 0x67, 0x90, 0xf0, 0x1a, 0x0a, 0x16, 0xa9, 0x50, 0x3e, 0x1b, 0x64,
 	0xfc, 0x67, 0x25, 0x3d, 0x12, 0x51, 0xc3, 0x6a, 0xa4, 0xa5, 0xbc, 0xf9, 0x6b, 0xe8, 0x2d, 0x55,
 	0x71, 0x6b, 0x1c, 0xb9, 0x58, 0xbe, 0x5c, 0x58, 0xbe, 0x30, 0x73, 0x65, 0x69, 0xe6, 0xdf, 0x40,
 	0xff, 0x0b, 0x1a, 0xb8, 0x3e, 0xd3, 0xf3, 0xef, 0xf3, 0x69, 0x2c, 0xf3, 0x91, 0x7e, 0x54, 0xd8,
 	0x3a, 0x01, 0x74, 0xac, 0xa6, 0x96, 0x1c, 0xb9, 0xe4, 0x1e, 0xd4, 0xb9, 0xb2, 0xd6, 0xc0, 0x6b,
 	0xe5, 0xca, 0x4c, 0x2b, 0xd5, 0x99, 0xdf, 0x02, 0x29, 0x4c, 0x2d, 0xdf, 0x13, 0x73, 0xb2, 0x23,
 	0x01, 0xa8, 0x40, 0xa1, 0x81, 0xdd, 0xce, 0xe3, 0xc8, 0xca, 0xb4, 0x64, 0x08, 0x15, 0xc6, 0xb9,
 	0x5e, 0x02, 0xeb, 0xbc, 0xc5, 0xeb, 0xcd, 0x92, 0x2a, 0xf3, 0x27, 0xd0, 0x3f, 0x8b, 0x98, 0xe3,
 	0x51, 0x1f, 0x5f, 0x5e, 0x6a, 0x81, 0xbb, 0x50, 0x95, 0x4e, 0x4e, 0x63, 0xb6, 0x89, 0x03, 0x51,
 	0xad, 0xe4, 0xe6, 0xb7, 0x60, 0xa8, 0x7d, 0x1d, 0x5e, 0x7b, 0xb1, 0x60, 0x81, 0xc3, 0x0e, 0x2e,
 	0x98, 0x73, 0xf9, 0x3f, 0x3c, 0xf9, 0x15, 0xdc, 0x5e, 0xb7, 0x42, 0xba, 0xbf, 0x96, 0x23, 0x7b,
 	0xf6, 0xb9, 0xa4, 0x6f, 0x5c, 0xa3, 0x61, 0x01, 0x8a, 0x3e, 0x97, 0x12, 0x79, 0x8f, 0x4c, 0x8e,
 	0x8b, 0x35, 0x25, 0xea, 0x5e, 0xea, 0x8f, 0xca, 0xcd, 0xfe, 0xf8, 0x4b, 0x09, 0x9a, 0x67, 0x4c,
 	0x24, 0x11, 0x9e, 0xe5, 0x6d, 0x68, 0x4e, 0x78, 0x78, 0xc9, 0xf8, 0xe2, 0x28, 0x0d, 0x25, 0x38,
 	0x72, 0xc9, 0x53, 0xa8, 0x1d, 0x84, 0xc1, 0xb9, 0x37, 0xc5, 0x77, 0x68, 0x6b, 0xef, 0xb6, 0x62,
 	0x17, 0x3d, 0x76, 0xa4, 0x74, 0x2a, 0xd5, 0x6a, 0x43, 0x32, 0x84, 0x96, 0x7e, 0xcd, 0xbf, 0x7c,
 	0x79, 0xf4, 0x3c, 0x2d, 0x50, 0x73, 0xa2, 0xc1, 0xc7, 0xd0, 0xca, 0x0d, 0xfc, 0x5e, 0xd9, 0xe2,
 	0x87, 0x00, 0xb8, 0xba, 0xf2, 0xd1, 0xa6, 0x3a, 0xaa, 0x1e, 0x29, 0x8f, 0x76, 0x17, 0x9a, 0xb2,
 	0x16, 0x52, 0xea, 0x34, 0x4f, 0x95, 0x16, 0x79, 0xca, 0xbc, 0x07, 0xfd, 0xa3, 0xe0, 0x8a, 0xfa,
 	0x9e, 0x4b, 0x05, 0xfb, 0x92, 0xcd, 0xd1, 0x05, 0x2b, 0x3b, 0x30, 0xcf, 0xa0, 0xad, 0x1f, 0xc6,
 	0x6f, 0xb4, 0xc7, 0xb6, 0xde, 0xe3, 0x77, 0x07, 0xd1, 0xfb, 0xd0, 0xd3, 0x93, 0x1e, 0x7b, 0x3a,
 	0x84, 0x64, 0x9a, 0xe7, 0xec, 0xdc, 0xbb, 0xd6, 0x53, 0xeb, 0x9e, 0xf9, 0x0c, 0x36, 0x73, 0xa6,
 	0xd9, 0x71, 0x2e, 0xd9, 0x3c, 0x4e, 0x3f, 0x18, 0xc8, 0x76, 0xea, 0x81, 0xf2, 0xc2, 0x03, 0x26,
 	0x74, 0xf5, 0xc8, 0x17, 0x4c, 0xdc, 0x70, 0xba, 0x2f, 0xb3, 0x8d, 0xbc, 0x60, 0x7a, 0xf2, 0xfb,
 	0x50, 0x65, 0xf2, 0xa4, 0xf9, 0x14, 0x96, 0xf7, 0x80, 0xa5, 0xd4, 0x6b, 0x16, 0x7c, 0x96, 0x2d,
 	0x78, 0x9a, 0xa8, 0x05, 0xdf, 0x70, 0x2e, 0xf3, 0xbd, 0x6c, 0x1b, 0xa7, 0x89, 0xb8, 0xe9, 0x46,
 	0xef, 0x41, 0x5f, 0x1b, 0x3d, 0x67, 0x3e, 0x13, 0xec, 0x86, 0x23, 0xdd, 0x07, 0x52, 0x30, 0xbb,
 	0x69, 0xba, 0x3b, 0xd0, 0x18, 0x8f, 0x8f, 0x33, 0x6d, 0x91, 0x1b, 0xcd, 0x4f, 0xa0, 0x7f, 0x96,
 	0xb8, 0xe1, 0x29, 0xf7, 0xae, 0x3c, 0x9f, 0x4d, 0xd5, 0x62, 0x69, 0xfd, 0x59, 0xca, 0xd5, 0x9f,
 	0x6b, 0xb3, 0x91, 0xb9, 0x03, 0xa4, 0x30, 0x3c, 0xbb, 0xb7, 0x38, 0x71, 0x43, 0x1d, 0xc2, 0xd8,
 	0x36, 0x77, 0xa0, 0x3d, 0xa6, 0x32, 0xdf, 0xbb, 0xca, 0xc6, 0x80, 0xba, 0x50, 0x7d, 0x6d, 0x96,
 	0x76, 0xcd, 0x3d, 0xd8, 0x3a, 0xa0, 0xce, 0x85, 0x17, 0x4c, 0x9f, 0x7b, 0xb1, 0x2c, 0x78, 0xf4,
 	0x88, 0x01, 0x34, 0x5c, 0x2d, 0xd0, 0x43, 0xb2, 0xbe, 0xf9, 0x18, 0xde, 0xca, 0x7d, 0x95, 0x39,
 	0x13, 0x34, 0xf5, 0xc7, 0x16, 0x54, 0x63, 0xd9, 0xc3, 0x11, 0x55, 0x4b, 0x75, 0xcc, 0xaf, 0x60,
 	0x2b, 0x9f, 0x80, 0x65, 0xf9, 0x91, 0x1e, 0x1c, 0x0b, 0x83, 0x52, 0xae, 0x30, 0xd0, 0x3e, 0x2b,
 	0x2f, 0xf2, 0xc9, 0x26, 0x54, 0x7e, 0xf9, 0xcd, 0x58, 0x83, 0x5d, 0x36, 0xcd, 0xdf, 0xcb, 0xe5,
 	0x8b, 0xf3, 0xa9, 0xe5, 0x0b, 0xd5, 0x41, 0xe9, 0x4d, 0xaa, 0x83, 0x35, 0x78, 0x7b, 0x0c, 0xfd,
 	0x13, 0x3f, 0x74, 0x2e, 0x0f, 0x83, 0x9c, 0x37, 0x0c, 0xa8, 0xb3, 0x20, 0xef, 0x8c, 0xb4, 0x6b,
 	0x3e, 0x80, 0xde, 0x71, 0xe8, 0x50, 0xff, 0x24, 0x4c, 0x02, 0x91, 0x79, 0x01, 0x3f, 0x93, 0x69,
 	0x53, 0xd5, 0x31, 0x1f, 0x43, 0x57, 0xa7, 0xe8, 0xe0, 0x3c, 0x4c, 0x99, 0x71, 0x91, 0xcc, 0x4b,
 	0xc5, 0x5a, 0xdb, 0x3c, 0x86, 0xde, 0xc2, 0x5c, 0xcd, 0xfb, 0x00, 0x6a, 0x4a, 0xad, 0xcf, 0xd6,
 	0xcb, 0x1e, 0x9b, 0xca, 0xd2, 0xd2, 0xea, 0x35, 0x87, 0x9a, 0x41, 0xf7, 0x14, 0x3f, 0x57, 0x1e,
 	0x06, 0x57, 0x6a, 0xb2, 0x23, 0x20, 0xea, 0x03, 0xa6, 0xcd, 0x82, 0x2b, 0x8f, 0x87, 0x01, 0xd6,
 	0xb7, 0x25, 0x5d, 0xc2, 0xa4, 0x13, 0x67, 0x83, 0x52, 0x0b, 0xab, 0x1f, 0x2d, 0x8b, 0xd6, 0xfa,
 	0x10, 0x16, 0x1f, 0x43, 0x64, 0xaa, 0xe1, 0x6c, 0x16, 0x0a, 0x66, 0x53, 0xd7, 0x4d, 0xa3, 0x05,
 	0x94, 0x68, 0xdf, 0x75, 0xf9, 0xde, 0x7f, 0xca, 0x50, 0xff, 0x4c, 0x11, 0x38, 0xf9, 0x14, 0x3a,
 	0x85, 0x74, 0x4d, 0xde, 0xc2, 0xaf, 0x21, 0xcb, 0xc5, 0xc1, 0x60, 0x7b, 0x45, 0xac, 0xce, 0xf5,
 	0x04, 0xda, 0xf9, 0x64, 0x4c, 0x30, 0xf1, 0xe2, 0xa7, 0xd9, 0x01, 0xce, 0xb4, 0x9a, 0xa9, 0xcf,
 	0x60, 0x6b, 0x5d, 0x9a, 0x24, 0x77, 0x16, 0x2b, 0xac, 0xa6, 0xe8, 0xc1, 0x3b, 0x37, 0x69, 0xd3,
 	0xf4, 0x5a, 0x3f, 0xf0, 0x19, 0x0d, 0x92, 0x28, 0xbf, 0x83, 0x45, 0x93, 0x3c, 0x85, 0x4e, 0x21,
 	0x51, 0xa8, 0x73, 0xae, 0xe4, 0x8e, 0xfc, 0x90, 0xfb, 0x50, 0xc5, 0xe4, 0x44, 0x3a, 0x85, 0x2c,
 	0x39, 0xe8, 0x66, 0x5d, 0xb5, 0xf6, 0x10, 0x36, 0xf0, 0xc1, 0x9e, 0x5b, 0x18, 0x47, 0x64, 0x99,
 	0x6b, 0xef, 0x5f, 0x25, 0xa8, 0xa7, 0x1f, 0x71, 0x9f, 0xc2, 0x86, 0xcc, 0x01, 0xe4, 0x56, 0x8e,
 	0x46, 0xd3, 0xfc, 0x31, 0xd8, 0x5a, 0x12, 0xaa, 0x05, 0x46, 0x50, 0x79, 0xc1, 0x04, 0x21, 0x39,
 	0xa5, 0x4e, 0x06, 0x83, 0x5b, 0x45, 0x59, 0x66, 0x7f, 0x9a, 0x14, 0xed, 0x35, 0x97, 0x17, 0xec,
 	0x33, 0x96, 0xfe, 0x08, 0x6a, 0x8a, 0x65, 0x95, 0x53, 0x56, 0xf8, 0x59, 0x5d, 0xfe, 0x2a, 0x1f,
 	0xef, 0xfd, 0x6d, 0x03, 0xe0, 0x6c, 0x1e, 0x0b, 0x36, 0xfb, 0x95, 0xc7, 0x5e, 0x91, 0x87, 0xd0,
 	0xd3, 0x9f, 0x25, 0xf0, 0xb5, 0x24, 0xd9, 0x24, 0xe7, 0x13, 0x2c, 0xf8, 0x32, 0xb2, 0xbe, 0x0f,
 	0xad, 0x13, 0x7a, 0xfd, 0x7a, 0xbb, 0x4f, 0xa1, 0x53, 0xe0, 0x60, 0xbd, 0xc5, 0x65, 0x56, 0xd7,
 	0x5b, 0x5c, 0x65, 0xeb, 0xfb, 0x50, 0xd7, 0xcc, 0x9c, 0x5f, 0x03, 0x73, 0x58, 0x81, 0xb1, 0x7f,
 	0x0a, 0xbd, 0x25, 0x5e, 0xce, 0xdb, 0xe3, 0x17, 0x89, 0xb5, 0xbc, 0xfd, 0x4c, 0xbe, 0x76, 0x8a,
 	0xdc, 0x9c, 0x1f, 0x78, 0x5b, 0xf1, 0xe1, 0x3a, 0xf2, 0x7e, 0x51, 0x7c, 0x27, 0xe1, 0x2b, 0xd1,
 	0x58, 0xa6, 0xcf, 0x94, 0xbc, 0xd3, 0x89, 0xd6, 0xd1, 0xf0, 0x13, 0x68, 0xe7, 0x19, 0x74, 0x25,
 	0x04, 0x57, 0xe9, 0xf5, 0x11, 0xc0, 0x82, 0x44, 0xf3, 0xf6, 0x08, 0x8f, 0x65, 0x7e, 0xfd, 0x10,
 	0x60, 0x41, 0x8d, 0x0a, 0x55, 0x45, 0x66, 0x55, 0xc3, 0x96, 0xe9, 0xf3, 0x21, 0x34, 0x33, 0x3a,
 	0xcb, 0xaf, 0x81, 0x13, 0x14, 0xd9, 0xf1, 0xb3, 0xd1, 0x6f, 0x1f, 0x4d, 0x3d, 0x71, 0x91, 0x4c,
 	0x46, 0x4e, 0x38, 0xdb, 0xbd, 0xa0, 0xf1, 0x85, 0xe7, 0x84, 0x3c, 0xda, 0xbd, 0x92, 0x60, 0xda,
 	0x5d, 0xf9, 0xbf, 0x34, 0xa9, 0xe1, 0x63, 0xef, 0x83, 0xff, 0x06, 0x00, 0x00, 0xff, 0xff, 0x87,
 	0x96, 0xca, 0x22, 0x7b, 0x1a, 0x00, 0x00,
 }
 // Reference imports to suppress errors if they are not otherwise used.
 var _ context.Context
 var _ grpc.ClientConn
@ -3628,165 +3796,3 @@ var _SystemView_serviceDesc = grpc.ServiceDesc{
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "logical/plugin/pb/backend.proto",
 }
 func init() { proto.RegisterFile("logical/plugin/pb/backend.proto", fileDescriptor_25821d34acc7c5ef) }
 var fileDescriptor_25821d34acc7c5ef = []byte{
 	// 2483 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x59, 0xcd, 0x72, 0x1b, 0xc7,
 	0x11, 0x2e, 0x00, 0xc4, 0x5f, 0xe3, 0x8f, 0x18, 0xd1, 0xcc, 0x0a, 0x96, 0x23, 0x78, 0x1d, 0x49,
 	0xb4, 0x22, 0x81, 0x12, 0x1d, 0xc7, 0x72, 0x52, 0x76, 0x8a, 0xa6, 0x68, 0x99, 0x31, 0x69, 0xb3,
 	0x96, 0x50, 0x9c, 0xbf, 0x2a, 0x78, 0xb0, 0x3b, 0x04, 0xb7, 0xb8, 0xd8, 0xdd, 0xcc, 0xce, 0x52,
 	0xc4, 0x29, 0x6f, 0x91, 0xd7, 0xc8, 0x35, 0x95, 0x4b, 0x6e, 0xa9, 0x54, 0x72, 0xce, 0x6b, 0xe4,
 	0x19, 0x52, 0xd3, 0x33, 0xfb, 0x07, 0x80, 0x96, 0x5c, 0x95, 0xdc, 0x66, 0xba, 0x7b, 0x7a, 0x66,
 	0x7a, 0xbe, 0xfe, 0xba, 0x17, 0x80, 0xbb, 0x5e, 0x30, 0x73, 0x6d, 0xea, 0xed, 0x86, 0x5e, 0x3c,
 	0x73, 0xfd, 0xdd, 0x70, 0xba, 0x3b, 0xa5, 0xf6, 0x25, 0xf3, 0x9d, 0x51, 0xc8, 0x03, 0x11, 0x90,
 	0x72, 0x38, 0x1d, 0xdc, 0x9d, 0x05, 0xc1, 0xcc, 0x63, 0xbb, 0x28, 0x99, 0xc6, 0xe7, 0xbb, 0xc2,
 	0x9d, 0xb3, 0x48, 0xd0, 0x79, 0xa8, 0x8c, 0x06, 0xdb, 0x89, 0x17, 0xd7, 0x61, 0xbe, 0x70, 0xc5,
 	0x42, 0xcb, 0xb7, 0x8a, 0xde, 0x95, 0xd4, 0xac, 0x43, 0xf5, 0x70, 0x1e, 0x8a, 0x85, 0x39, 0x84,
 	0xda, 0x17, 0x8c, 0x3a, 0x8c, 0x93, 0x6d, 0xa8, 0x5d, 0xe0, 0xc8, 0x28, 0x0d, 0x2b, 0x3b, 0x4d,
 	0x4b, 0xcf, 0xcc, 0xdf, 0x01, 0x9c, 0xca, 0x35, 0x87, 0x9c, 0x07, 0x9c, 0xdc, 0x86, 0x06, 0xe3,
 	0x7c, 0x22, 0x16, 0x21, 0x33, 0x4a, 0xc3, 0xd2, 0x4e, 0xc7, 0xaa, 0x33, 0xce, 0xc7, 0x8b, 0x90,
 	0x91, 0x1f, 0x80, 0x1c, 0x4e, 0xe6, 0xd1, 0xcc, 0x28, 0x0f, 0x4b, 0xd2, 0x03, 0xe3, 0xfc, 0x24,
 	0x9a, 0x25, 0x6b, 0xec, 0xc0, 0x61, 0x46, 0x65, 0x58, 0xda, 0xa9, 0xe0, 0x9a, 0x83, 0xc0, 0x61,
 	0xe6, 0x9f, 0x4a, 0x50, 0x3d, 0xa5, 0xe2, 0x22, 0x22, 0x04, 0x36, 0x78, 0x10, 0x08, 0xbd, 0x39,
 	0x8e, 0xc9, 0x0e, 0xf4, 0x62, 0x9f, 0xc6, 0xe2, 0x42, 0xde, 0xc8, 0xa6, 0x82, 0x39, 0x46, 0x19,
 	0xd5, 0xcb, 0x62, 0xf2, 0x1e, 0x74, 0xbc, 0xc0, 0xa6, 0xde, 0x24, 0x12, 0x01, 0xa7, 0x33, 0xb9,
 	0x8f, 0xb4, 0x6b, 0xa3, 0xf0, 0x4c, 0xc9, 0xc8, 0x43, 0xe8, 0x47, 0x8c, 0x7a, 0x93, 0x57, 0x9c,
 	0x86, 0xa9, 0xe1, 0x86, 0x72, 0x28, 0x15, 0xdf, 0x70, 0x1a, 0x6a, 0x5b, 0xf3, 0x6f, 0x35, 0xa8,
 	0x5b, 0xec, 0x0f, 0x31, 0x8b, 0x04, 0xe9, 0x42, 0xd9, 0x75, 0xf0, 0xb6, 0x4d, 0xab, 0xec, 0x3a,
 	0x64, 0x04, 0xc4, 0x62, 0xa1, 0x27, 0xb7, 0x76, 0x03, 0xff, 0xc0, 0x8b, 0x23, 0xc1, 0xb8, 0xbe,
 	0xf3, 0x1a, 0x0d, 0xb9, 0x03, 0xcd, 0x20, 0x64, 0x1c, 0x65, 0x18, 0x80, 0xa6, 0x95, 0x09, 0xe4,
 	0xc5, 0x43, 0x2a, 0x2e, 0x8c, 0x0d, 0x54, 0xe0, 0x58, 0xca, 0x1c, 0x2a, 0xa8, 0x51, 0x55, 0x32,
 	0x39, 0x26, 0x26, 0xd4, 0x22, 0x66, 0x73, 0x26, 0x8c, 0xda, 0xb0, 0xb4, 0xd3, 0xda, 0x83, 0x51,
 	0x38, 0x1d, 0x9d, 0xa1, 0xc4, 0xd2, 0x1a, 0x72, 0x07, 0x36, 0x64, 0x5c, 0x8c, 0x3a, 0x5a, 0x34,
 	0xa4, 0xc5, 0x7e, 0x2c, 0x2e, 0x2c, 0x94, 0x92, 0x3d, 0xa8, 0xab, 0x37, 0x8d, 0x8c, 0xc6, 0xb0,
 	0xb2, 0xd3, 0xda, 0x33, 0xa4, 0x81, 0xbe, 0xe5, 0x48, 0xc1, 0x20, 0x3a, 0xf4, 0x05, 0x5f, 0x58,
 	0x89, 0x21, 0x79, 0x17, 0xda, 0xb6, 0xe7, 0x32, 0x5f, 0x4c, 0x44, 0x70, 0xc9, 0x7c, 0xa3, 0x89,
 	0x27, 0x6a, 0x29, 0xd9, 0x58, 0x8a, 0xc8, 0x1e, 0xbc, 0x95, 0x37, 0x99, 0x50, 0xdb, 0x66, 0x51,
 	0x14, 0x70, 0x03, 0xd0, 0xf6, 0x56, 0xce, 0x76, 0x5f, 0xab, 0xa4, 0x5b, 0xc7, 0x8d, 0x42, 0x8f,
 	0x2e, 0x26, 0x3e, 0x9d, 0x33, 0xa3, 0xa5, 0xdc, 0x6a, 0xd9, 0x57, 0x74, 0xce, 0xc8, 0x5d, 0x68,
 	0xcd, 0x83, 0xd8, 0x17, 0x93, 0x30, 0x70, 0x7d, 0x61, 0xb4, 0xd1, 0x02, 0x50, 0x74, 0x2a, 0x25,
 	0xe4, 0x1d, 0x50, 0x33, 0x05, 0xc6, 0x8e, 0x8a, 0x2b, 0x4a, 0x10, 0x8e, 0xf7, 0xa0, 0xab, 0xd4,
 	0xe9, 0x79, 0xba, 0x68, 0xd2, 0x41, 0x69, 0x7a, 0x92, 0x27, 0xd0, 0x44, 0x3c, 0xb8, 0xfe, 0x79,
 	0x60, 0xf4, 0x30, 0x6e, 0xb7, 0x72, 0x61, 0x91, 0x98, 0x38, 0xf2, 0xcf, 0x03, 0xab, 0xf1, 0x4a,
 	0x8f, 0xc8, 0x27, 0xf0, 0x76, 0xe1, 0xbe, 0x9c, 0xcd, 0xa9, 0xeb, 0xbb, 0xfe, 0x6c, 0x12, 0x47,
 	0x2c, 0x32, 0x36, 0x11, 0xe1, 0x46, 0xee, 0xd6, 0x56, 0x62, 0xf0, 0x32, 0x62, 0x11, 0x79, 0x1b,
 	0x9a, 0x2a, 0x41, 0x27, 0xae, 0x63, 0xf4, 0xf1, 0x48, 0x0d, 0x25, 0x38, 0x72, 0xc8, 0x03, 0xe8,
 	0x85, 0x81, 0xe7, 0xda, 0x8b, 0x49, 0x70, 0xc5, 0x38, 0x77, 0x1d, 0x66, 0x90, 0x61, 0x69, 0xa7,
 	0x61, 0x75, 0x95, 0xf8, 0x6b, 0x2d, 0x5d, 0x97, 0x1a, 0xb7, 0xd0, 0x70, 0x25, 0x35, 0x46, 0x00,
 	0x76, 0xe0, 0xfb, 0xcc, 0x46, 0xf8, 0x6d, 0xe1, 0x0d, 0xbb, 0xf2, 0x86, 0x07, 0xa9, 0xd4, 0xca,
 	0x59, 0x0c, 0x3e, 0x87, 0x76, 0x1e, 0x0a, 0x64, 0x13, 0x2a, 0x97, 0x6c, 0xa1, 0xe1, 0x2f, 0x87,
 	0x64, 0x08, 0xd5, 0x2b, 0xea, 0xc5, 0x0c, 0x21, 0xaf, 0x81, 0xa8, 0x96, 0x58, 0x4a, 0xf1, 0xb3,
 	0xf2, 0xb3, 0x92, 0xf9, 0xd7, 0x2a, 0x6c, 0x48, 0xf0, 0x91, 0x0f, 0xa1, 0xe3, 0x31, 0x1a, 0xb1,
 	0x49, 0x10, 0xca, 0x0d, 0x22, 0x74, 0xd5, 0xda, 0xdb, 0x94, 0xcb, 0x8e, 0xa5, 0xe2, 0x6b, 0x25,
 	0xb7, 0xda, 0x5e, 0x6e, 0x26, 0x53, 0xda, 0xf5, 0x05, 0xe3, 0x3e, 0xf5, 0x26, 0x98, 0x0c, 0x2a,
 	0xc1, 0xda, 0x89, 0xf0, 0xb9, 0x4c, 0x8a, 0x65, 0x1c, 0x55, 0x56, 0x71, 0x34, 0x80, 0x06, 0xc6,
 	0xce, 0x65, 0x91, 0x4e, 0xf6, 0x74, 0x4e, 0xf6, 0xa0, 0x31, 0x67, 0x82, 0xea, 0x5c, 0x93, 0x29,
 	0xb1, 0x9d, 0xe4, 0xcc, 0xe8, 0x44, 0x2b, 0x54, 0x42, 0xa4, 0x76, 0x2b, 0x19, 0x51, 0x5b, 0xcd,
 	0x88, 0x01, 0x34, 0x52, 0xd0, 0xd5, 0xd5, 0x0b, 0x27, 0x73, 0x49, 0xb3, 0x21, 0xe3, 0x6e, 0xe0,
 	0x18, 0x0d, 0x04, 0x8a, 0x9e, 0x49, 0x92, 0xf4, 0xe3, 0xb9, 0x82, 0x50, 0x53, 0x91, 0xa4, 0x1f,
 	0xcf, 0x57, 0x11, 0x03, 0x4b, 0x88, 0xf9, 0x11, 0x54, 0xa9, 0xe7, 0xd2, 0x08, 0x53, 0x48, 0xbe,
 	0xac, 0xe6, 0xfb, 0xd1, 0xbe, 0x94, 0x5a, 0x4a, 0x49, 0x3e, 0x80, 0xce, 0x8c, 0x07, 0x71, 0x38,
 	0xc1, 0x29, 0x8b, 0x8c, 0x36, 0xde, 0x76, 0xd9, 0xba, 0x8d, 0x46, 0xfb, 0xca, 0x46, 0x66, 0xe0,
 	0x34, 0x88, 0x7d, 0x67, 0x62, 0xbb, 0x0e, 0x8f, 0x8c, 0x0e, 0x06, 0x0f, 0x50, 0x74, 0x20, 0x25,
 	0x32, 0xc5, 0x54, 0x0a, 0xa4, 0x01, 0xee, 0xa2, 0x4d, 0x07, 0xa5, 0xa7, 0x49, 0x94, 0x7f, 0x0c,
 	0xfd, 0xa4, 0x28, 0x65, 0x96, 0x3d, 0xb4, 0xdc, 0x4c, 0x14, 0xa9, 0xf1, 0x0e, 0x6c, 0xb2, 0x6b,
 	0x49, 0xa1, 0xae, 0x98, 0xcc, 0xe9, 0xf5, 0x44, 0x08, 0x4f, 0xa7, 0x54, 0x37, 0x91, 0x9f, 0xd0,
 	0xeb, 0xb1, 0xf0, 0x64, 0xfe, 0xab, 0xdd, 0x31, 0xff, 0xfb, 0x58, 0x8c, 0x9a, 0x28, 0x91, 0xf9,
 	0x3f, 0xf8, 0x39, 0x74, 0x0a, 0x4f, 0xb8, 0x06, 0xc8, 0x5b, 0x79, 0x20, 0x37, 0xf3, 0xe0, 0xfd,
 	0xe7, 0x06, 0x00, 0xbe, 0xa5, 0x5a, 0xba, 0x5c, 0x01, 0xf2, 0x0f, 0x5c, 0x5e, 0xf3, 0xc0, 0x94,
 	0x33, 0x5f, 0x68, 0x30, 0xea, 0xd9, 0x77, 0xe2, 0x30, 0xa9, 0x01, 0xd5, 0x5c, 0x0d, 0x78, 0x04,
 	0x1b, 0x12, 0x73, 0x46, 0x2d, 0xa3, 0xea, 0xec, 0x44, 0x88, 0x4e, 0x85, 0x4c, 0xb4, 0x5a, 0x49,
 	0x84, 0xfa, 0x6a, 0x22, 0xe4, 0x11, 0xd6, 0x28, 0x22, 0xec, 0x3d, 0xe8, 0xd8, 0x9c, 0x61, 0x3d,
 	0x9a, 0xc8, 0xc6, 0x42, 0x23, 0xb0, 0x9d, 0x08, 0xc7, 0xee, 0x9c, 0xc9, 0xf8, 0xc9, 0xc7, 0x00,
 	0x54, 0xc9, 0xe1, 0xda, 0xb7, 0x6a, 0xad, 0x7d, 0x2b, 0xac, 0xee, 0x1e, 0xd3, 0x2c, 0x8e, 0xe3,
 	0x5c, 0x26, 0x74, 0x0a, 0x99, 0x50, 0x80, 0x7b, 0x77, 0x09, 0xee, 0x4b, 0x98, 0xec, 0xad, 0x60,
 	0xf2, 0x5d, 0x68, 0xcb, 0x00, 0x44, 0x21, 0xb5, 0x99, 0x74, 0xb0, 0xa9, 0x02, 0x91, 0xca, 0x8e,
 	0x1c, 0xcc, 0xe0, 0x78, 0x3a, 0x5d, 0x5c, 0x04, 0x1e, 0xcb, 0x48, 0xb8, 0x95, 0xca, 0x8e, 0x1c,
 	0x79, 0x5e, 0x44, 0x15, 0x41, 0x54, 0xe1, 0x78, 0xf0, 0x11, 0x34, 0xd3, 0xa8, 0x7f, 0x2f, 0x30,
 	0xfd, 0xb9, 0x04, 0xed, 0x3c, 0xd1, 0xc9, 0xc5, 0xe3, 0xf1, 0x31, 0x2e, 0xae, 0x58, 0x72, 0x28,
 	0x5b, 0x04, 0xce, 0x7c, 0xf6, 0x8a, 0x4e, 0x3d, 0xe5, 0xa0, 0x61, 0x65, 0x02, 0xa9, 0x75, 0x7d,
 	0x9b, 0xb3, 0x79, 0x82, 0xaa, 0x8a, 0x95, 0x09, 0xc8, 0xc7, 0x00, 0x6e, 0x14, 0xc5, 0x4c, 0xbd,
 	0xdc, 0x06, 0xd2, 0xc0, 0x60, 0xa4, 0xfa, 0xc5, 0x51, 0xd2, 0x2f, 0x8e, 0xc6, 0x49, 0xbf, 0x68,
 	0x35, 0xd1, 0x1a, 0x9f, 0x74, 0x1b, 0x6a, 0xf2, 0x81, 0xc6, 0xc7, 0x88, 0xbc, 0x8a, 0xa5, 0x67,
 	0xe6, 0x1f, 0xa1, 0xa6, 0x3a, 0x8b, 0xff, 0x2b, 0x79, 0xdf, 0x86, 0x86, 0xf2, 0xed, 0x3a, 0x3a,
 	0x57, 0xea, 0x38, 0x3f, 0x72, 0xcc, 0x7f, 0x95, 0xa0, 0x61, 0xb1, 0x28, 0x0c, 0xfc, 0x88, 0xe5,
 	0x3a, 0x9f, 0xd2, 0x6b, 0x3b, 0x9f, 0xf2, 0xda, 0xce, 0x27, 0xe9, 0xa7, 0x2a, 0xb9, 0x7e, 0x6a,
 	0x00, 0x0d, 0xce, 0x1c, 0x97, 0x33, 0x5b, 0xe8, 0xde, 0x2b, 0x9d, 0x4b, 0xdd, 0x2b, 0xca, 0x65,
 	0xc9, 0x8e, 0xb0, 0x2e, 0x34, 0xad, 0x74, 0x4e, 0x9e, 0xe6, 0x1b, 0x06, 0xd5, 0x8a, 0x6d, 0xa9,
 	0x86, 0x41, 0x1d, 0x77, 0xb5, 0x63, 0x30, 0xff, 0x51, 0x86, 0xcd, 0x65, 0xf5, 0x1a, 0x10, 0x6c,
 	0x41, 0x55, 0x95, 0x14, 0x8d, 0x20, 0xb1, 0x52, 0x4c, 0x2a, 0x4b, 0x5c, 0xf3, 0x8b, 0xe5, 0xbc,
 	0x7d, 0xfd, 0xeb, 0x17, 0x73, 0xfa, 0x7d, 0xd8, 0x94, 0xa7, 0x0c, 0x99, 0x93, 0xb5, 0x49, 0x8a,
 	0x84, 0x7a, 0x5a, 0x9e, 0x36, 0x4a, 0x0f, 0xa1, 0x9f, 0x98, 0x66, 0xe9, 0x59, 0x2b, 0xd8, 0x1e,
 	0x26, 0x59, 0xba, 0x0d, 0xb5, 0xf3, 0x80, 0xcf, 0xa9, 0xd0, 0x3c, 0xa4, 0x67, 0x05, 0x9e, 0x41,
 	0xc2, 0x6b, 0x28, 0x58, 0x24, 0x42, 0xf9, 0x29, 0x20, 0xf3, 0x3f, 0x6d, 0xd3, 0x91, 0x88, 0x1a,
 	0x56, 0x23, 0x69, 0xcf, 0xcd, 0x5f, 0x43, 0x6f, 0xa9, 0x33, 0x5b, 0x13, 0xc8, 0x6c, 0xfb, 0x72,
 	0x61, 0xfb, 0x82, 0xe7, 0xca, 0x92, 0xe7, 0xdf, 0x40, 0xff, 0x0b, 0xea, 0x3b, 0x1e, 0xd3, 0xfe,
 	0xf7, 0xf9, 0x2c, 0x92, 0x35, 0x46, 0x7f, 0x28, 0x4c, 0x74, 0x01, 0xe8, 0x58, 0x4d, 0x2d, 0x39,
 	0x72, 0xc8, 0x3d, 0xa8, 0x73, 0x65, 0xad, 0x81, 0xd7, 0xca, 0xb5, 0x8e, 0x56, 0xa2, 0x33, 0xbf,
 	0x05, 0x52, 0x70, 0x2d, 0xbf, 0x11, 0x16, 0x64, 0x47, 0x02, 0x50, 0x81, 0x42, 0x03, 0xbb, 0x9d,
 	0xc7, 0x91, 0x95, 0x6a, 0xc9, 0x10, 0x2a, 0x8c, 0x73, 0xbd, 0x05, 0xf6, 0x6e, 0xd9, 0x17, 0x99,
 	0x25, 0x55, 0xe6, 0x4f, 0xa0, 0x7f, 0x16, 0x32, 0xdb, 0xa5, 0x1e, 0x7e, 0x4d, 0xa9, 0x0d, 0xee,
 	0x42, 0x55, 0x06, 0x39, 0xc9, 0xd9, 0x26, 0x2e, 0x44, 0xb5, 0x92, 0x9b, 0xdf, 0x82, 0xa1, 0xce,
 	0x75, 0x78, 0xed, 0x46, 0x82, 0xf9, 0x36, 0x3b, 0xb8, 0x60, 0xf6, 0xe5, 0xff, 0xf0, 0xe6, 0x57,
 	0x70, 0x7b, 0xdd, 0x0e, 0xc9, 0xf9, 0x5a, 0xb6, 0x9c, 0x4d, 0xce, 0x25, 0x7d, 0xe3, 0x1e, 0x0d,
 	0x0b, 0x50, 0xf4, 0xb9, 0x94, 0xc8, 0x77, 0x64, 0x72, 0x5d, 0xa4, 0x29, 0x51, 0xcf, 0x92, 0x78,
 	0x54, 0x6e, 0x8e, 0xc7, 0x5f, 0x4a, 0xd0, 0x3c, 0x63, 0x22, 0x0e, 0xf1, 0x2e, 0x6f, 0x43, 0x73,
 	0xca, 0x83, 0x4b, 0xc6, 0xb3, 0xab, 0x34, 0x94, 0xe0, 0xc8, 0x21, 0x4f, 0xa1, 0x76, 0x10, 0xf8,
 	0xe7, 0xee, 0x0c, 0xbf, 0x2d, 0x5b, 0x7b, 0xb7, 0x15, 0xbb, 0xe8, 0xb5, 0x23, 0xa5, 0x53, 0xa5,
 	0x56, 0x1b, 0x92, 0x21, 0xb4, 0xf4, 0x17, 0xfa, 0xcb, 0x97, 0x47, 0xcf, 0x93, 0xa6, 0x33, 0x27,
 	0x1a, 0x7c, 0x0c, 0xad, 0xdc, 0xc2, 0xef, 0x55, 0x2d, 0x7e, 0x08, 0x80, 0xbb, 0xab, 0x18, 0x6d,
 	0xaa, 0xab, 0xea, 0x95, 0xf2, 0x6a, 0x77, 0xa1, 0x29, 0xfb, 0x1b, 0xa5, 0x4e, 0xea, 0x54, 0x29,
 	0xab, 0x53, 0xe6, 0x3d, 0xe8, 0x1f, 0xf9, 0x57, 0xd4, 0x73, 0x1d, 0x2a, 0xd8, 0x97, 0x6c, 0x81,
 	0x21, 0x58, 0x39, 0x81, 0x79, 0x06, 0x6d, 0xfd, 0xb1, 0xfb, 0x46, 0x67, 0x6c, 0xeb, 0x33, 0x7e,
 	0x77, 0x12, 0xbd, 0x0f, 0x3d, 0xed, 0xf4, 0xd8, 0xd5, 0x29, 0x24, 0xcb, 0x3c, 0x67, 0xe7, 0xee,
 	0xb5, 0x76, 0xad, 0x67, 0xe6, 0x33, 0xd8, 0xcc, 0x99, 0xa6, 0xd7, 0xb9, 0x64, 0x8b, 0x28, 0xf9,
 	0x11, 0x40, 0x8e, 0x93, 0x08, 0x94, 0xb3, 0x08, 0x98, 0xd0, 0xd5, 0x2b, 0x5f, 0x30, 0x71, 0xc3,
 	0xed, 0xbe, 0x4c, 0x0f, 0xf2, 0x82, 0x69, 0xe7, 0xf7, 0xa1, 0xca, 0xe4, 0x4d, 0xf3, 0x25, 0x2c,
 	0x1f, 0x01, 0x4b, 0xa9, 0xd7, 0x6c, 0xf8, 0x2c, 0xdd, 0xf0, 0x34, 0x56, 0x1b, 0xbe, 0xa1, 0x2f,
 	0xf3, 0xbd, 0xf4, 0x18, 0xa7, 0xb1, 0xb8, 0xe9, 0x45, 0xef, 0x41, 0x5f, 0x1b, 0x3d, 0x67, 0x1e,
 	0x13, 0xec, 0x86, 0x2b, 0xdd, 0x07, 0x52, 0x30, 0xbb, 0xc9, 0xdd, 0x1d, 0x68, 0x8c, 0xc7, 0xc7,
 	0xa9, 0xb6, 0xc8, 0x8d, 0xe6, 0x27, 0xd0, 0x3f, 0x8b, 0x9d, 0xe0, 0x94, 0xbb, 0x57, 0xae, 0xc7,
 	0x66, 0x6a, 0xb3, 0xa4, 0xff, 0x2c, 0xe5, 0xfa, 0xcf, 0xb5, 0xd5, 0xc8, 0xdc, 0x01, 0x52, 0x58,
 	0x9e, 0xbe, 0x5b, 0x14, 0x3b, 0x81, 0x4e, 0x61, 0x1c, 0x9b, 0x3b, 0xd0, 0x1e, 0x53, 0x59, 0xef,
 	0x1d, 0x65, 0x63, 0x40, 0x5d, 0xa8, 0xb9, 0x36, 0x4b, 0xa6, 0xe6, 0x1e, 0x6c, 0x1d, 0x50, 0xfb,
 	0xc2, 0xf5, 0x67, 0xcf, 0xdd, 0x48, 0x36, 0x3c, 0x7a, 0xc5, 0x00, 0x1a, 0x8e, 0x16, 0xe8, 0x25,
 	0xe9, 0xdc, 0x7c, 0x0c, 0x6f, 0xe5, 0x7e, 0x69, 0x39, 0x13, 0x34, 0x89, 0xc7, 0x16, 0x54, 0x23,
 	0x39, 0xc3, 0x15, 0x55, 0x4b, 0x4d, 0xcc, 0xaf, 0x60, 0x2b, 0x5f, 0x80, 0x65, 0xfb, 0x91, 0x5c,
 	0x1c, 0x1b, 0x83, 0x52, 0xae, 0x31, 0xd0, 0x31, 0x2b, 0x67, 0xf5, 0x64, 0x13, 0x2a, 0xbf, 0xfc,
 	0x66, 0xac, 0xc1, 0x2e, 0x87, 0xe6, 0xef, 0xe5, 0xf6, 0x45, 0x7f, 0x6a, 0xfb, 0x42, 0x77, 0x50,
 	0x7a, 0x93, 0xee, 0x60, 0x0d, 0xde, 0x1e, 0x43, 0xff, 0xc4, 0x0b, 0xec, 0xcb, 0x43, 0x3f, 0x17,
 	0x0d, 0x03, 0xea, 0xcc, 0xcf, 0x07, 0x23, 0x99, 0x9a, 0x0f, 0xa0, 0x77, 0x1c, 0xd8, 0xd4, 0x3b,
 	0x09, 0x62, 0x5f, 0xa4, 0x51, 0xc0, 0x9f, 0xbe, 0xb4, 0xa9, 0x9a, 0x98, 0x8f, 0xa1, 0xab, 0x4b,
 	0xb4, 0x7f, 0x1e, 0x24, 0xcc, 0x98, 0x15, 0xf3, 0x52, 0xb1, 0xd7, 0x36, 0x8f, 0xa1, 0x97, 0x99,
 	0x2b, 0xbf, 0x0f, 0xa0, 0xa6, 0xd4, 0xfa, 0x6e, 0xbd, 0xf4, 0x03, 0x52, 0x59, 0x5a, 0x5a, 0xbd,
 	0xe6, 0x52, 0x73, 0xe8, 0x9e, 0xe2, 0x4f, 0x90, 0x87, 0xfe, 0x95, 0x72, 0x76, 0x04, 0x44, 0xfd,
 	0x28, 0x39, 0x61, 0xfe, 0x95, 0xcb, 0x03, 0x1f, 0xfb, 0xdb, 0x92, 0x6e, 0x61, 0x12, 0xc7, 0xe9,
 	0xa2, 0xc4, 0xc2, 0xea, 0x87, 0xcb, 0xa2, 0xb5, 0x31, 0x84, 0xec, 0x07, 0x0e, 0x59, 0x6a, 0x38,
 	0x9b, 0x07, 0x82, 0x4d, 0xa8, 0xe3, 0x24, 0xd9, 0x02, 0x4a, 0xb4, 0xef, 0x38, 0x7c, 0xef, 0x3f,
 	0x65, 0xa8, 0x7f, 0xa6, 0x08, 0x9c, 0x7c, 0x0a, 0x9d, 0x42, 0xb9, 0x26, 0x6f, 0xe1, 0x2f, 0x1c,
 	0xcb, 0xcd, 0xc1, 0x60, 0x7b, 0x45, 0xac, 0xee, 0xf5, 0x04, 0xda, 0xf9, 0x62, 0x4c, 0xb0, 0xf0,
 	0xe2, 0xcf, 0xad, 0x03, 0xf4, 0xb4, 0x5a, 0xa9, 0xcf, 0x60, 0x6b, 0x5d, 0x99, 0x24, 0x77, 0xb2,
 	0x1d, 0x56, 0x4b, 0xf4, 0xe0, 0x9d, 0x9b, 0xb4, 0x49, 0x79, 0xad, 0x1f, 0x78, 0x8c, 0xfa, 0x71,
 	0x98, 0x3f, 0x41, 0x36, 0x24, 0x4f, 0xa1, 0x53, 0x28, 0x14, 0xea, 0x9e, 0x2b, 0xb5, 0x23, 0xbf,
 	0xe4, 0x3e, 0x54, 0xb1, 0x38, 0x91, 0x4e, 0xa1, 0x4a, 0x0e, 0xba, 0xe9, 0x54, 0xed, 0x3d, 0x84,
 	0x0d, 0xfc, 0x11, 0x2e, 0xb7, 0x31, 0xae, 0x48, 0x2b, 0xd7, 0xde, 0xbf, 0x4b, 0x50, 0x4f, 0x7e,
 	0x98, 0x7d, 0x0a, 0x1b, 0xb2, 0x06, 0x90, 0x5b, 0x39, 0x1a, 0x4d, 0xea, 0xc7, 0x60, 0x6b, 0x49,
 	0xa8, 0x36, 0x18, 0x41, 0xe5, 0x05, 0x13, 0x84, 0xe4, 0x94, 0xba, 0x18, 0x0c, 0x6e, 0x15, 0x65,
 	0xa9, 0xfd, 0x69, 0x5c, 0xb4, 0xd7, 0x5c, 0x5e, 0xb0, 0x4f, 0x59, 0xfa, 0x23, 0xa8, 0x29, 0x96,
 	0x55, 0x41, 0x59, 0xe1, 0x67, 0xf5, 0xf8, 0xab, 0x7c, 0xbc, 0xf7, 0xf7, 0x0d, 0x80, 0xb3, 0x45,
 	0x24, 0xd8, 0xfc, 0x57, 0x2e, 0x7b, 0x45, 0x1e, 0x42, 0xef, 0x39, 0x3b, 0xa7, 0xb1, 0x27, 0xf0,
 	0x6b, 0x49, 0xb2, 0x49, 0x2e, 0x26, 0xd8, 0xf0, 0xa5, 0x64, 0x7d, 0x1f, 0x5a, 0x27, 0xf4, 0xfa,
 	0xf5, 0x76, 0x9f, 0x42, 0xa7, 0xc0, 0xc1, 0xfa, 0x88, 0xcb, 0xac, 0xae, 0x8f, 0xb8, 0xca, 0xd6,
 	0xf7, 0xa1, 0xae, 0x99, 0x39, 0xbf, 0x07, 0xd6, 0xb0, 0x02, 0x63, 0xff, 0x14, 0x7a, 0x4b, 0xbc,
 	0x9c, 0xb7, 0xc7, 0x5f, 0x24, 0xd6, 0xf2, 0xf6, 0x33, 0xf9, 0xb5, 0x53, 0xe4, 0xe6, 0xfc, 0xc2,
 	0xdb, 0x8a, 0x0f, 0xd7, 0x91, 0xf7, 0x8b, 0xe2, 0x77, 0x12, 0x7e, 0x25, 0x1a, 0xcb, 0xf4, 0x99,
 	0x90, 0x77, 0xe2, 0x68, 0x1d, 0x0d, 0x3f, 0x81, 0x76, 0x9e, 0x41, 0x57, 0x52, 0x70, 0x95, 0x5e,
 	0x1f, 0x01, 0x64, 0x24, 0x9a, 0xb7, 0x47, 0x78, 0x2c, 0xf3, 0xeb, 0x87, 0x00, 0x19, 0x35, 0x2a,
 	0x54, 0x15, 0x99, 0x55, 0x2d, 0x5b, 0xa6, 0xcf, 0x87, 0xd0, 0x4c, 0xe9, 0x2c, 0xbf, 0x07, 0x3a,
 	0x28, 0xb2, 0xe3, 0x67, 0xa3, 0xdf, 0x3e, 0x9a, 0xb9, 0xe2, 0x22, 0x9e, 0x8e, 0xec, 0x60, 0xbe,
 	0x7b, 0x41, 0xa3, 0x0b, 0xd7, 0x0e, 0x78, 0xb8, 0x7b, 0x25, 0xc1, 0xb4, 0xbb, 0xf2, 0x9f, 0xd1,
 	0xb4, 0x86, 0x1f, 0x7b, 0x1f, 0xfc, 0x37, 0x00, 0x00, 0xff, 0xff, 0x93, 0x15, 0xb9, 0x42, 0x4f,
 	0x1a, 0x00, 0x00,
 }
--- a/logical/plugin/pb/backend.proto
+++ b/logical/plugin/pb/backend.proto
@ -210,6 +210,9 @@ message Auth {
 	// TokenType is the type of token being requested
 	uint32 token_type = 17;
 	// Whether the default policy should be added automatically by core
 	bool no_default_policy = 18;
 }
 message TokenEntry {
--- a/logical/plugin/pb/translation.go
+++ b/logical/plugin/pb/translation.go
@ -492,6 +492,7 @@ func LogicalAuthToProtoAuth(a *logical.Auth) (*Auth, error) {
 		Policies:         a.Policies,
 		TokenPolicies:    a.TokenPolicies,
 		IdentityPolicies: a.IdentityPolicies,
 		NoDefaultPolicy:  a.NoDefaultPolicy,
 		Metadata:         a.Metadata,
 		ClientToken:      a.ClientToken,
 		Accessor:         a.Accessor,
@ -539,6 +540,7 @@ func ProtoAuthToLogicalAuth(a *Auth) (*logical.Auth, error) {
 		Policies:         a.Policies,
 		TokenPolicies:    a.TokenPolicies,
 		IdentityPolicies: a.IdentityPolicies,
 		NoDefaultPolicy:  a.NoDefaultPolicy,
 		Metadata:         a.Metadata,
 		ClientToken:      a.ClientToken,
 		Accessor:         a.Accessor,
--- a/physical/types.pb.go
+++ b/physical/types.pb.go
@ -5,9 +5,8 @@ package physical
 import (
 	fmt "fmt"
 	math "math"
 	proto "github.com/golang/protobuf/proto"
 	math "math"
 )
 // Reference imports to suppress errors if they are not otherwise used.
--- a/vault/external_tests/policy/no_default_test.go
+++ b/vault/external_tests/policy/no_default_test.go
@ -0,0 +1,85 @@
 package policy
 import (
 	"testing"
 	"github.com/go-test/deep"
 	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/builtin/credential/ldap"
 	vaulthttp "github.com/hashicorp/vault/http"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/vault"
 )
 func TestNoDefaultPolicy(t *testing.T) {
 	var err error
 	coreConfig := &vault.CoreConfig{
 		DisableMlock: true,
 		DisableCache: true,
 		Logger:       log.NewNullLogger(),
 		CredentialBackends: map[string]logical.Factory{
 			"ldap": ldap.Factory,
 		},
 	}
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
 	cluster.Start()
 	defer cluster.Cleanup()
 	cores := cluster.Cores
 	vault.TestWaitActive(t, cores[0].Core)
 	client := cores[0].Client
 	err = client.Sys().EnableAuthWithOptions("ldap", &api.EnableAuthOptions{
 		Type: "ldap",
 	})
 	if err != nil {
 		t.Fatal(err)
 	}
 	// Configure LDAP auth backend
 	secret, err := client.Logical().Write("auth/ldap/config", map[string]interface{}{
 		"url":               "ldap://ldap.forumsys.com",
 		"userattr":          "uid",
 		"userdn":            "dc=example,dc=com",
 		"groupdn":           "dc=example,dc=com",
 		"binddn":            "cn=read-only-admin,dc=example,dc=com",
 		"no_default_policy": true,
 	})
 	if err != nil {
 		t.Fatal(err)
 	}
 	// Create a local user in LDAP
 	secret, err = client.Logical().Write("auth/ldap/users/tesla", map[string]interface{}{
 		"policies": "foo",
 	})
 	if err != nil {
 		t.Fatal(err)
 	}
 	// Login with LDAP and create a token
 	secret, err = client.Logical().Write("auth/ldap/login/tesla", map[string]interface{}{
 		"password": "password",
 	})
 	if err != nil {
 		t.Fatal(err)
 	}
 	token := secret.Auth.ClientToken
 	// Lookup the token to get the entity ID
 	secret, err = client.Auth().Token().Lookup(token)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if diff := deep.Equal(secret.Data["policies"], []interface{}{"foo"}); diff != nil {
 		t.Fatal(diff)
 	}
 }
--- a/vault/request_forwarding_service.pb.go
+++ b/vault/request_forwarding_service.pb.go
@ -5,15 +5,11 @@ package vault
 import (
 	fmt "fmt"
 	math "math"
 	proto "github.com/golang/protobuf/proto"
 	forwarding "github.com/hashicorp/vault/helper/forwarding"
 )
 import (
 	context "golang.org/x/net/context"
 	grpc "google.golang.org/grpc"
 	math "math"
 )
 // Reference imports to suppress errors if they are not otherwise used.
@ -322,6 +318,45 @@ func init() {
 	proto.RegisterType((*PerfStandbyElectionResponse)(nil), "vault.PerfStandbyElectionResponse")
 }
 func init() {
 	proto.RegisterFile("vault/request_forwarding_service.proto", fileDescriptor_f5f7512e4ab7b58a)
 }
 var fileDescriptor_f5f7512e4ab7b58a = []byte{
 	// 493 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x53, 0x41, 0x6f, 0x1a, 0x3d,
 	0x10, 0x8d, 0x81, 0x10, 0x31, 0x90, 0x88, 0xf8, 0x8b, 0xf4, 0xad, 0xa8, 0xa2, 0x90, 0xad, 0x54,
 	0x21, 0x55, 0xda, 0x8d, 0xd2, 0x73, 0x0f, 0x2d, 0x4a, 0x25, 0xd4, 0x4b, 0xb5, 0xb9, 0xf5, 0xb2,
 	0x32, 0xf6, 0x04, 0xac, 0x2e, 0x6b, 0xd7, 0x36, 0x49, 0xf6, 0x27, 0xf7, 0xd6, 0x9f, 0x50, 0xad,
 	0xd7, 0x04, 0x10, 0x4d, 0x2f, 0x68, 0xe7, 0xcd, 0x63, 0xde, 0xf8, 0xf9, 0x19, 0xde, 0x3d, 0xb2,
 	0x75, 0xe1, 0x52, 0x83, 0x3f, 0xd7, 0x68, 0x5d, 0xfe, 0xa0, 0xcc, 0x13, 0x33, 0x42, 0x96, 0x8b,
 	0xdc, 0xa2, 0x79, 0x94, 0x1c, 0x13, 0x6d, 0x94, 0x53, 0xf4, 0xd8, 0xf3, 0x46, 0x97, 0x4b, 0x2c,
 	0x34, 0x9a, 0x74, 0xcb, 0x4b, 0x5d, 0xa5, 0xd1, 0x36, 0xac, 0x58, 0x41, 0xff, 0x8e, 0x2f, 0x55,
 	0xd6, 0x4c, 0xa3, 0x11, 0x9c, 0xac, 0xd0, 0x5a, 0xb6, 0xc0, 0x88, 0x8c, 0xc9, 0xa4, 0x97, 0x6d,
 	0x4a, 0x7a, 0x0d, 0x03, 0x5e, 0xac, 0xad, 0x43, 0x93, 0x33, 0x21, 0x4c, 0xd4, 0xf2, 0xed, 0x7e,
 	0xc0, 0x3e, 0x09, 0x61, 0xe8, 0x5b, 0x38, 0xdd, 0xa5, 0xd8, 0xa8, 0x3d, 0x6e, 0x4f, 0x7a, 0xd9,
 	0x60, 0x87, 0x63, 0xe3, 0x27, 0xe8, 0x35, 0x82, 0xba, 0xa8, 0xfe, 0x21, 0x77, 0x30, 0xab, 0x75,
 	0x38, 0x8b, 0xbe, 0x87, 0x73, 0x83, 0xba, 0x90, 0x9c, 0x39, 0xa9, 0xca, 0xdc, 0x3a, 0xe6, 0x30,
 	0x6a, 0x8f, 0xc9, 0xe4, 0x34, 0x1b, 0xee, 0x34, 0xee, 0x6b, 0x3c, 0x9e, 0x41, 0x6f, 0x5a, 0x48,
 	0x2c, 0xdd, 0x57, 0xac, 0x28, 0x85, 0x4e, 0xed, 0x42, 0x50, 0xf5, 0xdf, 0x74, 0x00, 0xe4, 0xd9,
 	0x1f, 0x6b, 0x90, 0x91, 0xe7, 0xba, 0xaa, 0xfc, 0xac, 0x41, 0x46, 0xaa, 0xba, 0x12, 0x51, 0xa7,
 	0xa9, 0x44, 0x3c, 0x82, 0xe8, 0x1b, 0x9a, 0x87, 0x7b, 0xc7, 0x4a, 0x31, 0xaf, 0xee, 0x0a, 0xe4,
 	0xb5, 0xcc, 0xac, 0xd4, 0x6b, 0x17, 0xff, 0x22, 0xf0, 0xe6, 0x2f, 0xcd, 0x0c, 0xad, 0x56, 0xa5,
 	0x45, 0x7a, 0x06, 0x2d, 0x29, 0x82, 0x6e, 0x4b, 0x0a, 0x7a, 0x09, 0xb0, 0x39, 0xa8, 0x14, 0xc1,
 	0xd5, 0x5e, 0x40, 0x66, 0x82, 0xde, 0xc0, 0x85, 0x36, 0x72, 0xc5, 0x4c, 0x95, 0xef, 0xd9, 0xdf,
 	0xf6, 0x44, 0x1a, 0x7a, 0xd3, 0x9d, 0x5b, 0xf8, 0x1f, 0x4e, 0x38, 0xcb, 0x39, 0x1a, 0x17, 0x16,
 	0xee, 0x72, 0x36, 0x45, 0xe3, 0xe8, 0x15, 0xf4, 0xb9, 0x37, 0xa0, 0x69, 0x1e, 0xfb, 0x26, 0x34,
 	0x90, 0x27, 0xa4, 0x10, 0xaa, 0xfc, 0x07, 0x56, 0x51, 0x77, 0x4c, 0x26, 0xfd, 0xdb, 0x61, 0xe2,
 	0x63, 0x94, 0xbc, 0x58, 0x57, 0x2f, 0x17, 0x3e, 0x6f, 0x7f, 0x13, 0x38, 0x0f, 0xc9, 0xf9, 0xf2,
 	0x12, 0x2f, 0xfa, 0x11, 0xce, 0x42, 0xb5, 0x49, 0xd5, 0x7f, 0xc9, 0x36, 0x7d, 0x49, 0x00, 0x47,
 	0x17, 0xfb, 0x60, 0x63, 0x4f, 0x7c, 0x44, 0x13, 0xe8, 0xd4, 0x01, 0xa1, 0x34, 0x28, 0xef, 0xc4,
 	0x73, 0x34, 0xdc, 0xc3, 0x74, 0x51, 0xc5, 0x47, 0xb4, 0x80, 0xeb, 0xda, 0x6f, 0x65, 0x56, 0xac,
 	0xe4, 0x78, 0x60, 0x7b, 0xb3, 0xc1, 0x55, 0xf8, 0xe3, 0x6b, 0xd7, 0x36, 0x8a, 0x5f, 0x27, 0x6c,
 	0x77, 0xbb, 0x21, 0x9f, 0xe3, 0xef, 0xe3, 0x85, 0x74, 0xcb, 0xf5, 0x3c, 0xe1, 0x6a, 0x95, 0x2e,
 	0x99, 0x5d, 0x4a, 0xae, 0x8c, 0x4e, 0x9b, 0x47, 0xe9, 0x7f, 0xe7, 0x5d, 0xff, 0xb4, 0x3e, 0xfc,
 	0x09, 0x00, 0x00, 0xff, 0xff, 0x03, 0x94, 0x0a, 0x17, 0xaa, 0x03, 0x00, 0x00,
 }
 // Reference imports to suppress errors if they are not otherwise used.
 var _ context.Context
 var _ grpc.ClientConn
@ -487,42 +522,3 @@ var _RequestForwarding_serviceDesc = grpc.ServiceDesc{
 	},
 	Metadata: "vault/request_forwarding_service.proto",
 }
 func init() {
 	proto.RegisterFile("vault/request_forwarding_service.proto", fileDescriptor_f5f7512e4ab7b58a)
 }
 var fileDescriptor_f5f7512e4ab7b58a = []byte{
 	// 493 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x53, 0x41, 0x6f, 0x1a, 0x3d,
 	0x10, 0x8d, 0x81, 0x10, 0x31, 0x90, 0x88, 0xf8, 0x8b, 0xf4, 0xad, 0xa8, 0xa2, 0x90, 0xad, 0x54,
 	0x21, 0x55, 0xda, 0x8d, 0xd2, 0x73, 0x0f, 0x2d, 0x4a, 0x25, 0xd4, 0x4b, 0xb5, 0xb9, 0xf5, 0xb2,
 	0x32, 0xf6, 0x04, 0xac, 0x2e, 0x6b, 0xd7, 0x36, 0x49, 0xf6, 0x27, 0xf7, 0xd6, 0x9f, 0x50, 0xad,
 	0xd7, 0x04, 0x10, 0x4d, 0x2f, 0x68, 0xe7, 0xcd, 0x63, 0xde, 0xf8, 0xf9, 0x19, 0xde, 0x3d, 0xb2,
 	0x75, 0xe1, 0x52, 0x83, 0x3f, 0xd7, 0x68, 0x5d, 0xfe, 0xa0, 0xcc, 0x13, 0x33, 0x42, 0x96, 0x8b,
 	0xdc, 0xa2, 0x79, 0x94, 0x1c, 0x13, 0x6d, 0x94, 0x53, 0xf4, 0xd8, 0xf3, 0x46, 0x97, 0x4b, 0x2c,
 	0x34, 0x9a, 0x74, 0xcb, 0x4b, 0x5d, 0xa5, 0xd1, 0x36, 0xac, 0x58, 0x41, 0xff, 0x8e, 0x2f, 0x55,
 	0xd6, 0x4c, 0xa3, 0x11, 0x9c, 0xac, 0xd0, 0x5a, 0xb6, 0xc0, 0x88, 0x8c, 0xc9, 0xa4, 0x97, 0x6d,
 	0x4a, 0x7a, 0x0d, 0x03, 0x5e, 0xac, 0xad, 0x43, 0x93, 0x33, 0x21, 0x4c, 0xd4, 0xf2, 0xed, 0x7e,
 	0xc0, 0x3e, 0x09, 0x61, 0xe8, 0x5b, 0x38, 0xdd, 0xa5, 0xd8, 0xa8, 0x3d, 0x6e, 0x4f, 0x7a, 0xd9,
 	0x60, 0x87, 0x63, 0xe3, 0x27, 0xe8, 0x35, 0x82, 0xba, 0xa8, 0xfe, 0x21, 0x77, 0x30, 0xab, 0x75,
 	0x38, 0x8b, 0xbe, 0x87, 0x73, 0x83, 0xba, 0x90, 0x9c, 0x39, 0xa9, 0xca, 0xdc, 0x3a, 0xe6, 0x30,
 	0x6a, 0x8f, 0xc9, 0xe4, 0x34, 0x1b, 0xee, 0x34, 0xee, 0x6b, 0x3c, 0x9e, 0x41, 0x6f, 0x5a, 0x48,
 	0x2c, 0xdd, 0x57, 0xac, 0x28, 0x85, 0x4e, 0xed, 0x42, 0x50, 0xf5, 0xdf, 0x74, 0x00, 0xe4, 0xd9,
 	0x1f, 0x6b, 0x90, 0x91, 0xe7, 0xba, 0xaa, 0xfc, 0xac, 0x41, 0x46, 0xaa, 0xba, 0x12, 0x51, 0xa7,
 	0xa9, 0x44, 0x3c, 0x82, 0xe8, 0x1b, 0x9a, 0x87, 0x7b, 0xc7, 0x4a, 0x31, 0xaf, 0xee, 0x0a, 0xe4,
 	0xb5, 0xcc, 0xac, 0xd4, 0x6b, 0x17, 0xff, 0x22, 0xf0, 0xe6, 0x2f, 0xcd, 0x0c, 0xad, 0x56, 0xa5,
 	0x45, 0x7a, 0x06, 0x2d, 0x29, 0x82, 0x6e, 0x4b, 0x0a, 0x7a, 0x09, 0xb0, 0x39, 0xa8, 0x14, 0xc1,
 	0xd5, 0x5e, 0x40, 0x66, 0x82, 0xde, 0xc0, 0x85, 0x36, 0x72, 0xc5, 0x4c, 0x95, 0xef, 0xd9, 0xdf,
 	0xf6, 0x44, 0x1a, 0x7a, 0xd3, 0x9d, 0x5b, 0xf8, 0x1f, 0x4e, 0x38, 0xcb, 0x39, 0x1a, 0x17, 0x16,
 	0xee, 0x72, 0x36, 0x45, 0xe3, 0xe8, 0x15, 0xf4, 0xb9, 0x37, 0xa0, 0x69, 0x1e, 0xfb, 0x26, 0x34,
 	0x90, 0x27, 0xa4, 0x10, 0xaa, 0xfc, 0x07, 0x56, 0x51, 0x77, 0x4c, 0x26, 0xfd, 0xdb, 0x61, 0xe2,
 	0x63, 0x94, 0xbc, 0x58, 0x57, 0x2f, 0x17, 0x3e, 0x6f, 0x7f, 0x13, 0x38, 0x0f, 0xc9, 0xf9, 0xf2,
 	0x12, 0x2f, 0xfa, 0x11, 0xce, 0x42, 0xb5, 0x49, 0xd5, 0x7f, 0xc9, 0x36, 0x7d, 0x49, 0x00, 0x47,
 	0x17, 0xfb, 0x60, 0x63, 0x4f, 0x7c, 0x44, 0x13, 0xe8, 0xd4, 0x01, 0xa1, 0x34, 0x28, 0xef, 0xc4,
 	0x73, 0x34, 0xdc, 0xc3, 0x74, 0x51, 0xc5, 0x47, 0xb4, 0x80, 0xeb, 0xda, 0x6f, 0x65, 0x56, 0xac,
 	0xe4, 0x78, 0x60, 0x7b, 0xb3, 0xc1, 0x55, 0xf8, 0xe3, 0x6b, 0xd7, 0x36, 0x8a, 0x5f, 0x27, 0x6c,
 	0x77, 0xbb, 0x21, 0x9f, 0xe3, 0xef, 0xe3, 0x85, 0x74, 0xcb, 0xf5, 0x3c, 0xe1, 0x6a, 0x95, 0x2e,
 	0x99, 0x5d, 0x4a, 0xae, 0x8c, 0x4e, 0x9b, 0x47, 0xe9, 0x7f, 0xe7, 0x5d, 0xff, 0xb4, 0x3e, 0xfc,
 	0x09, 0x00, 0x00, 0xff, 0xff, 0x03, 0x94, 0x0a, 0x17, 0xaa, 0x03, 0x00, 0x00,
 }
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@ -982,6 +982,10 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 		var entity *identity.Entity
 		auth = resp.Auth
 		// Only the token store can toggle this off, and that's via a
 		// different path since it's not a login request; it's explicitly
 		// disallowed above
 		auth.Renewable = true
 		mEntry := c.router.MatchingMountEntry(ctx, req.Path)
@ -1058,7 +1062,7 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 			return nil, nil, ErrInternalError
 		}
-		auth.TokenPolicies = policyutil.SanitizePolicies(auth.Policies, policyutil.AddDefaultPolicy)
+		auth.TokenPolicies = policyutil.SanitizePolicies(auth.Policies, !auth.NoDefaultPolicy)
 		allPolicies := policyutil.SanitizePolicies(append(auth.TokenPolicies, identityPolicies[ns.ID]...), policyutil.DoNotAddDefaultPolicy)
 		// Prevent internal policies from being assigned to tokens. We check
--- a/vault/token_store.go
+++ b/vault/token_store.go
@ -14,13 +14,13 @@ import (
 	"strings"
 	"time"
 	metrics "github.com/armon/go-metrics"
 	proto "github.com/golang/protobuf/proto"
 	"github.com/hashicorp/errwrap"
 	log "github.com/hashicorp/go-hclog"
 	multierror "github.com/hashicorp/go-multierror"
 	sockaddr "github.com/hashicorp/go-sockaddr"
 	metrics "github.com/armon/go-metrics"
 	multierror "github.com/hashicorp/go-multierror"
 	"github.com/hashicorp/vault/helper/base62"
 	"github.com/hashicorp/vault/helper/consts"
 	"github.com/hashicorp/vault/helper/identity"
@ -31,6 +31,7 @@ import (
 	"github.com/hashicorp/vault/helper/policyutil"
 	"github.com/hashicorp/vault/helper/salt"
 	"github.com/hashicorp/vault/helper/strutil"
 	"github.com/hashicorp/vault/helper/tokenhelper"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 	"github.com/hashicorp/vault/logical/plugin/pb"
@ -103,7 +104,7 @@ var (
 )
 func (ts *TokenStore) paths() []*framework.Path {
-	return []*framework.Path{
+	p := []*framework.Path{
 		{
 			Pattern: "roles/?$",
@ -126,76 +127,6 @@ func (ts *TokenStore) paths() []*framework.Path {
 			HelpDescription: tokenListAccessorsHelp,
 		},
 		{
 			Pattern: "roles/" + framework.GenericNameRegex("role_name"),
 			Fields: map[string]*framework.FieldSchema{
 				"role_name": &framework.FieldSchema{
 					Type:        framework.TypeString,
 					Description: "Name of the role",
 				},
 				"allowed_policies": &framework.FieldSchema{
 					Type:        framework.TypeCommaStringSlice,
 					Description: tokenAllowedPoliciesHelp,
 				},
 				"disallowed_policies": &framework.FieldSchema{
 					Type:        framework.TypeCommaStringSlice,
 					Description: tokenDisallowedPoliciesHelp,
 				},
 				"orphan": &framework.FieldSchema{
 					Type:        framework.TypeBool,
 					Default:     false,
 					Description: tokenOrphanHelp,
 				},
 				"period": &framework.FieldSchema{
 					Type:        framework.TypeDurationSecond,
 					Default:     0,
 					Description: tokenPeriodHelp,
 				},
 				"path_suffix": &framework.FieldSchema{
 					Type:        framework.TypeString,
 					Default:     "",
 					Description: tokenPathSuffixHelp + pathSuffixSanitize.String(),
 				},
 				"explicit_max_ttl": &framework.FieldSchema{
 					Type:        framework.TypeDurationSecond,
 					Default:     0,
 					Description: tokenExplicitMaxTTLHelp,
 				},
 				"renewable": &framework.FieldSchema{
 					Type:        framework.TypeBool,
 					Default:     true,
 					Description: tokenRenewableHelp,
 				},
 				"bound_cidrs": &framework.FieldSchema{
 					Type:        framework.TypeCommaStringSlice,
 					Description: `Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.`,
 				},
 				"token_type": &framework.FieldSchema{
 					Type:        framework.TypeString,
 					Default:     "service",
 					Description: "The type of token to generate, service or batch",
 				},
 			},
 			Callbacks: map[logical.Operation]framework.OperationFunc{
 				logical.ReadOperation:   ts.tokenStoreRoleRead,
 				logical.CreateOperation: ts.tokenStoreRoleCreateUpdate,
 				logical.UpdateOperation: ts.tokenStoreRoleCreateUpdate,
 				logical.DeleteOperation: ts.tokenStoreRoleDelete,
 			},
 			ExistenceCheck: ts.tokenStoreRoleExistenceCheck,
 		},
 		{
 			Pattern: "create-orphan$",
@ -414,6 +345,61 @@ func (ts *TokenStore) paths() []*framework.Path {
 			HelpDescription: strings.TrimSpace(tokenTidyDesc),
 		},
 	}
 	rolesPath := &framework.Path{
 		Pattern: "roles/" + framework.GenericNameRegex("role_name"),
 		Fields: map[string]*framework.FieldSchema{
 			"role_name": &framework.FieldSchema{
 				Type:        framework.TypeString,
 				Description: "Name of the role",
 			},
 			"allowed_policies": &framework.FieldSchema{
 				Type:        framework.TypeCommaStringSlice,
 				Description: tokenAllowedPoliciesHelp,
 			},
 			"disallowed_policies": &framework.FieldSchema{
 				Type:        framework.TypeCommaStringSlice,
 				Description: tokenDisallowedPoliciesHelp,
 			},
 			"orphan": &framework.FieldSchema{
 				Type:        framework.TypeBool,
 				Default:     false,
 				Description: tokenOrphanHelp,
 			},
 			"path_suffix": &framework.FieldSchema{
 				Type:        framework.TypeString,
 				Default:     "",
 				Description: tokenPathSuffixHelp + pathSuffixSanitize.String(),
 			},
 			"renewable": &framework.FieldSchema{
 				Type:        framework.TypeBool,
 				Default:     true,
 				Description: tokenRenewableHelp,
 			},
 		},
 		Callbacks: map[logical.Operation]framework.OperationFunc{
 			logical.ReadOperation:   ts.tokenStoreRoleRead,
 			logical.CreateOperation: ts.tokenStoreRoleCreateUpdate,
 			logical.UpdateOperation: ts.tokenStoreRoleCreateUpdate,
 			logical.DeleteOperation: ts.tokenStoreRoleDelete,
 		},
 		ExistenceCheck: ts.tokenStoreRoleExistenceCheck,
 	}
 	// Roles in token store handle policies and TTLs differently
 	tokenhelper.AddTokenFieldsWithAllowList(rolesPath.Fields,
 		[]string{"bound_cidrs", "explicit_max_ttl", "period", "token_type"})
 	// For this backend default to service
 	rolesPath.Fields["token_type"].Default = "service"
 	p = append(p, rolesPath)
 	return p
 }
 // LookupToken returns the properties of the token from the token store. This
@ -581,6 +567,8 @@ func (ts *TokenStore) Salt(ctx context.Context) (*salt.Salt, error) {
 // tsRoleEntry contains token store role information
 type tsRoleEntry struct {
 	tokenhelper.TokenParams
 	// The name of the role. Embedded so it can be used for pathing
 	Name string `json:"name" mapstructure:"name" structs:"name"`
@ -594,26 +582,12 @@ type tsRoleEntry struct {
 	// If true, tokens created using this role will be orphans
 	Orphan bool `json:"orphan" mapstructure:"orphan" structs:"orphan"`
 	// If non-zero, tokens created using this role will be able to be renewed
 	// forever, but will have a fixed renewal period of this value
 	Period time.Duration `json:"period" mapstructure:"period" structs:"period"`
 	// If set, a suffix will be set on the token path, making it easier to
 	// revoke using 'revoke-prefix'
 	PathSuffix string `json:"path_suffix" mapstructure:"path_suffix" structs:"path_suffix"`
 	// If set, controls whether created tokens are marked as being renewable
 	Renewable bool `json:"renewable" mapstructure:"renewable" structs:"renewable"`
 	// If set, the token entry will have an explicit maximum TTL set, rather
 	// than deferring to role/mount values
 	ExplicitMaxTTL time.Duration `json:"explicit_max_ttl" mapstructure:"explicit_max_ttl" structs:"explicit_max_ttl"`
 	// The set of CIDRs that tokens generated using this role will be bound to
 	BoundCIDRs []*sockaddr.SockAddrMarshaler `json:"bound_cidrs"`
 	// The type of token this role should issue
 	TokenType logical.TokenType `json:"token_type" mapstructure:"token_type"`
 }
 type accessorEntry struct {
--- a/vendor/github.com/hashicorp/vault-plugin-secrets-ad/plugin/path_config.go
+++ b/vendor/github.com/hashicorp/vault-plugin-secrets-ad/plugin/path_config.go
@ -54,7 +54,7 @@ func (b *backend) pathConfig() *framework.Path {
 }
 func (b *backend) configFields() map[string]*framework.FieldSchema {
-	fields := ldaputil.ConfigFields()
+	fields := ldaputil.ConfigFields(false)
 	fields["ttl"] = &framework.FieldSchema{
 		Type:        framework.TypeDurationSecond,
 		Description: "In seconds, the default password time-to-live.",