--- layout: docs page_title: Migration Guide - Active Directory - Secrets Engines description: >- The guide for migrating from the Active Directory secrets engine to the LDAP secrets engine. --- # Migration Guide - Active Directory Secrets Engine The Vault [Active Directory secrets engine](/vault/docs/secrets/ad) has been deprecated as of the Vault 1.13 release. This document provides guidance for migrating from the Active Directory secrets engine to the [LDAP secrets engine](/vault/docs/secrets/ldap) that was introduced in Vault 1.12. ## Deprecation Timeline Beginning from the Vault 1.13 release, we will continue to support the Active Directory (AD) secrets engine in maintenance mode for six major Vault releases. Maintenance mode means that we will fix bugs and security issues, but no new features will be added. All new feature development efforts will go towards the unified LDAP secrets engine. At Vault 1.18, we will mark the AD secrets engine as [pending removal](/vault/docs/deprecation/faq#pending-removal). At this time, Vault will begin to strongly signal operators that they need to migrate off of the AD secrets engine. At Vault 1.19, we will mark the AD secrets engine as [removed](/vault/docs/deprecation/faq#removed). At this time, the AD secrets engine will be removed from Vault. Vault will not start up with the AD secrets engine mounts enabled. ## Migration Steps The following sections detail how to migrate the AD secrets engine configuration and applications consuming secrets to the new LDAP secrets engine. ### 1. Enable LDAP Secrets Engine The LDAP secrets engine needs to be enabled in order to have a target for migration of existing AD secrets engine mounts. AD secrets engine mounts should be mapped 1-to-1 with new LDAP secrets engine mounts. To enable the LDAP secrets engine: ```shell-session $ vault secrets enable ldap ``` To enable at a custom path: ```shell-session $ vault secrets enable -path= ldap ``` If enabled at a custom path, the `/ldap/` path segment in API paths must be replaced with the custom path value. ### 2. Migrate Configuration The AD secrets engine [configuration](/vault/api-docs/secret/ad#configuration) will need to be migrated to an LDAP secrets engine [configuration](/vault/api-docs/secret/ldap#configuration-management). The API paths and parameters will need to be considered during the migration. #### API Path | AD Secrets Engine | LDAP Secrets Engine | | ----------------- |-------------------- | | [/ad/config](/vault/api-docs/secret/ad#configuration) | [/ldap/config](/vault/api-docs/secret/ad#configuration) | #### Parameters The parameters from existing AD secrets engine configurations can generally be mapped 1-to-1 to LDAP secrets engine configuration. The following LDAP secrets engine parameters are the exception and must be considered during the migration. | AD Secrets Engine | LDAP Secrets Engine | Details | | ----------------- | ------------------- | ------- | | N/A | [schema](/vault/api-docs/secret/ldap#schema) | Must be set to the `ad` option on the LDAP secrets engine configuration. | | [userdn](/vault/api-docs/secret/ad#userdn) | [userdn](/vault/api-docs/secret/ad#userdn) | Required to be set if using the [library sets](#4-migrate-library-sets) check-out feature. It can be optionally set if using the [static roles](#3-migrate-roles) feature without providing a distinguished name ([dn](/vault/api-docs/secret/ldap#dn)). | | [ttl](/vault/api-docs/secret/ad#ttl) | N/A | Replaced by static role [rotation_period](/vault/api-docs/secret/ldap#rotation_period). | | [max_ttl](/vault/api-docs/secret/ad#max_ttl) | N/A | Not supported for [static roles](#3-migrate-roles). Can be set using [max_ttl](/vault/api-docs/secret/ldap#max_ttl-1) for library sets. | | [last_rotation_tolerance](/vault/api-docs/secret/ad#last_rotation_tolerance) | N/A | Not supported by the LDAP secrets engine. Passwords will be rotated based on the static role [rotation_period](/vault/api-docs/secret/ldap#rotation_period). | ### 3. Migrate Roles AD secrets engine [roles](/vault/api-docs/secret/ad#role-management) will need to be migrated to LDAP secrets engine [static roles](/vault/api-docs/secret/ldap#static-roles). The API paths, parameters, and rotation periods will need to be considered during the migration. #### API Path | AD Secrets Engine | LDAP Secrets Engine | | ----------------- | ------------------- | | [/ad/roles/:role_name](/vault/api-docs/secret/ad#role-management) | [/ldap/static-role/:role_name](/vault/api-docs/secret/ldap#static-roles) | #### Parameters The following parameters must be migrated. | AD Secrets Engine | LDAP Secrets Engine | Details | | ----------------- | ------------------- | ------- | | [ttl](/vault/api-docs/secret/ad#ttl-1) | [rotation_period](/vault/api-docs/secret/ldap#rotation_period) | N/A | | [service_account_name](/vault/api-docs/secret/ad#service_account_name) | [username](/vault/api-docs/secret/ldap#username) | If `username` is set without setting the [dn](/vault/api-docs/secret/ldap#dn) value, then the configuration [userdn](/vault/api-docs/secret/ldap#userdn) must also be set. | #### Rotation Periods Rotations that occur from AD secrets engine [roles](/vault/api-docs/secret/ad#role-management) may conflict with rotations performed by LDAP secrets engine [static roles](/vault/api-docs/secret/ldap#static-roles) during the migration process. This could cause applications consuming passwords to read a password that gets invalidated by a rotation shortly after. To mitigate this, it's recommended to set an initial [rotation_period](/vault/api-docs/secret/ldap#rotation_period) that provides a large enough window to complete [application migrations](#5-migrate-applications) to minimize the chance of this happening. Additionally, tuning the AD secrets engine [last_rotation_tolerance](/vault/api-docs/secret/ad#last_rotation_tolerance) parameter could help mitigate applications reading stale passwords, since the parameter allows rotation of the password if it's been rotated out-of-band within a given duration. ### 4. Migrate Library Sets AD secrets engine [library sets](/vault/api-docs/secret/ad#library-management) will need to be migrated to LDAP secrets engine [library sets](/vault/api-docs/secret/ldap#library-set-management). The API paths and parameters will need to be considered during the migration. #### API Path | AD Secrets Engine | LDAP Secrets Engine | | ----------------- | ------------------- | | [/ad/library/:set_name](/vault/api-docs/secret/ad#library-management) | [/ldap/library/:set_name](/vault/api-docs/secret/ldap#library-set-management) | #### Parameters The parameters from existing AD secrets engine library sets can be exactly mapped 1-to-1 to LDAP secrets engine library sets. There are no exceptions to consider. ### 5. Migrate Applications The AD secrets engine provides APIs to obtain credentials for AD users and service accounts. Applications, or Vault clients, are typically the consumer of these credentials. For applications to successfully migrate, they must begin using new API paths and response formats provided by the LDAP secrets engine. Additionally, they must obtain a Vault [token](/vault/docs/concepts/tokens) with an ACL [policy](/vault/docs/concepts/policies) that authorizes access to the new APIs. The following section details credential-providing APIs and how their response formats differ between the AD secrets engine and LDAP secrets engine. #### API Paths | AD Secrets Engine | LDAP Secrets Engine | Details | | ----------------- | ------------------- | ------- | | [/ad/creds/:role_name](/vault/api-docs/secret/ad#retrieving-passwords) | [/ldap/static-cred/:role_name](/vault/api-docs/secret/ldap#static-role-passwords) | Response formats differ. Namely, `current_password` is now `password`. See [AD response](/vault/api-docs/secret/ad#sample-get-response) and [LDAP response](/vault/api-docs/secret/ldap#sample-get-response-1) for the difference. | | [/ad/library/:set_name/check-out](/vault/api-docs/secret/ad#check-a-credential-out) | [/ldap/library/:set_name/check-out](/vault/api-docs/secret/ldap#check-out-management) | Response formats do not differ. | | [/ad/library/:set_name/check-in](/vault/api-docs/secret/ad#check-a-credential-in) | [/ldap/library/:set_name/check-in](/vault/api-docs/secret/ldap#check-in-management) | Response formats do not differ. | ### 6. Disable AD Secrets Engines AD secrets engine mounts can be disabled after successful migration of configuration and applications to the LDAP secrets engine. Note that disabling the secrets engine will erase its configuration from storage. This cannot be reversed. To disable the AD secrets engine: ```shell-session $ vault secrets disable ad ``` To disable at a custom path: ```shell-session $ vault secrets disable ```