LDAP Dynamic Secret

You can define an LDAP dynamic secret to dynamically generate LDAP access credentials.

With dynamic secrets, the Akeyless Vault Platform is responsible for creating and managing the lifecycle of the secret. When a client requests the dynamic secret value, the Akeyless Gateway connects to the LDAP server and generates a temporary set of restricted access credentials.

Create a Dynamic LDAP Secret from the CLI

Let’s create a dynamic LDAP secret using the Akeyless CLI. If you’d prefer, see how to do this from the Akeyless Gateway instead.

The CLI command to create a dynamic LDAP secret is:

akeyless gateway-create-producer-ldap --gateway-url 'https://<Your Akeyless GW URL>' \
--name <path to your secret> \
--ldap-url <LDAP server URL> \
--bind-dn <LDAP Bind DN> \
--bind-dn-password <Password> \
--user-dn <User Base DN>


  -n, --name                                 *Producer name
      --target-name                           Name of existing target to use in producer creation
  -u, --gateway-url[=http://localhost:8000]   API Gateway URL (Configuration Management port)
      --ldap-url                              LDAP Server URL
      --user-dn                               User Base DN
      --user-attribute                        LDAP User Attribute
  -t, --ldap-ca-cert                          LDAP base-64 encoded CA Certificate
      --bind-dn                               LDAP Bind DN
      --bind-dn-password                      Password for LDAP Bind DN
      --external-username[=false]             Externally provided username
      --token-expiration                      LDAP token expiration in seconds
      --producer-encryption-key-name          Encrypt producer with following key
      --user-ttl[=60m]                        User TTL
      --profile                               Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
      --username                              Optional username for various authentication flows
      --password                              Optional password for various authentication flows
      --uid-token                             The universal identity token, Required only for universal_identity authentication
  -h, --help                                  display help information
      --json[=false]                          Set output format to JSON
      --no-creds-cleanup[=false]              Do not clean local temporary expired creds
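
A hardened way to assemble the command above, shown as an added example that is not part of the Akeyless documentation. It uses only flags from the option list; the function name, the `LDAP_BIND_PASSWORD` variable, the 15m TTL and the reading of `--ldap-ca-cert` as the base64 of the whole PEM file are assumptions.

```shell
#!/usr/bin/env bash
# Added example: build the argument list for `akeyless gateway-create-producer-ldap`
# and fail closed on weak settings. Prints one argument per line.
build_ldap_producer_args() {
  local gw_url="$1" name="$2" ldap_url="$3" bind_dn="$4" user_dn="$5" ca_pem="$6"
  local ttl="${7:-15m}"   # assumption: shorter than the 60m default

  # Reject cleartext LDAP: the bind DN password would cross the network unencrypted.
  case "$ldap_url" in
    ldaps://*) ;;
    *) echo "refusing non-ldaps URL: $ldap_url" >&2; return 1 ;;
  esac

  # Take the bind password from the environment so it is never typed as a
  # literal in the command (and so never lands in shell history).
  [ -n "${LDAP_BIND_PASSWORD:-}" ] || { echo "LDAP_BIND_PASSWORD is not set" >&2; return 1; }
  [ -r "$ca_pem" ] || { echo "CA certificate not readable: $ca_pem" >&2; return 1; }

  # Assumption: --ldap-ca-cert takes the base64 of the PEM file on a single line.
  local ca_b64
  ca_b64=$(base64 < "$ca_pem" | tr -d '\n')

  printf '%s\n' \
    gateway-create-producer-ldap \
    --gateway-url "$gw_url" \
    --name "$name" \
    --ldap-url "$ldap_url" \
    --bind-dn "$bind_dn" \
    --bind-dn-password "$LDAP_BIND_PASSWORD" \
    --user-dn "$user_dn" \
    --ldap-ca-cert "$ca_b64" \
    --user-ttl "$ttl"
}

# Usage in bash (all values are placeholders):
#   read -rs LDAP_BIND_PASSWORD && export LDAP_BIND_PASSWORD
#   out=$(build_ldap_producer_args 'https://<gateway>' '<name>' 'ldaps://<host>' \
#         '<bind DN>' '<user base DN>' ca.pem) || exit 1
#   mapfile -t args <<<"$out" && akeyless "${args[@]}"
```

The option list above shows `--bind-dn-password` as the only way to supply the bind password, so the value is still visible in the argument list of the `akeyless` process while it runs.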

Create a Dynamic LDAP Secret from the Akeyless Gateway

  1. Log in to the Akeyless Gateway, and go to Dynamic Secrets > New > LDAP Producer.

Complete the values in the producer dialog box as described in the following table:




A unique name that describes the purpose or permissions scope of this dynamic secret.


The path in which to store this dynamic secret.

Choose Target

Use an existing LDAP target.

User Base DN

User base DN settings.

LDAP User Attribute

The default value is CN.

Externally Provided Username

Use your own username, based on the authentication method you used. For example, with SAML, the SAML username is used.

Built In Target

Set up the target settings inside the dynamic secret.


LDAP Server URL. Required when using "Built In Target".

CA Certificate File Content

Optional when using "Built In Target". Enables a secure connection, depending on the LDAP server settings.


Bind DN for privileged user authentication. Required when using "Built In Target".

Password for LDAP Bind DN

Password of the privileged user for authentication. Required when using "Built In Target".
