diff --git a/website/pages/docs/secrets/openldap/index.mdx b/website/pages/docs/secrets/openldap/index.mdx index d7958a421..19fbc67c9 100644 --- a/website/pages/docs/secrets/openldap/index.mdx +++ b/website/pages/docs/secrets/openldap/index.mdx @@ -61,6 +61,35 @@ This plugin currently supports LDAP v3. $ vault read openldap/static-role/hashicorp ``` +## LDAP Password Policy + +The OpenLDAP secret engine does not hash or encrypt passwords prior to modifying +values in LDAP. This behavior can cause plaintext passwords to be stored in LDAP. + +To avoid having plaintext passwords stored, the LDAP server should be configured +with an LDAP password policy (ppolicy, not to be confused with a Vault password +policy). A ppolicy can enforce rules such as hashing plaintext passwords by default. + +The following is an example of an LDAP password policy to enforce hashing on the +data information tree (DIT) `dc=hashicorp,dc=com`: + +``` +dn: cn=module{0},cn=config +changetype: modify +add: olcModuleLoad +olcModuleLoad: ppolicy + +dn: olcOverlay={2}ppolicy,olcDatabase={1}mdb,cn=config +changetype: add +objectClass: olcPPolicyConfig +objectClass: olcOverlayConfig +olcOverlay: {2}ppolicy +olcPPolicyDefault: cn=default,ou=pwpolicies,dc=hashicorp,dc=com +olcPPolicyForwardUpdates: FALSE +olcPPolicyHashCleartext: TRUE +olcPPolicyUseLockout: TRUE +``` + ## Schema The OpenLDAP Secret Engine supports three different schemas: `openldap` (default),
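Review bot: the LDIF in the new "LDAP Password Policy" section references a default policy entry (`olcPPolicyDefault: cn=default,ou=pwpolicies,dc=hashicorp,dc=com`) that the example never creates, and without that `pwdPolicy` entry the `olcPPolicyDefault` and `olcPPolicyUseLockout: TRUE` lines do nothing while `olcPPolicyHashCleartext: TRUE` is the only directive that serves the stated goal. Either add a second LDIF fragment that creates `ou=pwpolicies` and the `cn=default` `pwdPolicy` object, or trim the overlay entry to the hashing directive so readers do not copy half a configuration. If `olcPPolicyUseLockout` stays, it deserves a caveat: it changes the bind failure for a locked account from `invalidCredentials` to `AccountLocked`, which tells a client (or attacker) which accounts are locked, and the slapo-ppolicy man page recommends against it for security-sensitive sites. Two smaller points in the same hunk: "data information tree (DIT)" should read "directory information tree (DIT)"; and the prose should say which hash is applied, since `olcPPolicyHashCleartext` uses the server's `olcPasswordHash` setting (default `{SSHA}`), and note that the `olcDatabase={1}mdb` and `{2}ppolicy` indices are deployment-specific and must match the target server's existing `cn=config` layout. The new fence could also be tagged `ldif` for syntax highlighting, matching the tagged fences elsewhere on the page.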