vault: update ldap secrets racf usage docs

Author: fairclothjm

content/vault/v1.18.x/content/docs/secrets/ldap.mdx

@@ -51,15 +51,15 @@ The secrets engine has three primary features:
    Note: it's not possible to retrieve the generated password once rotated by Vault.
    It's recommended a dedicated entry management account be created specifically for Vault.
 
-### Schemas
+## Schemas
 
 The LDAP Secret Engine supports three different schemas:
 
 - `openldap` (default)
 - `racf`
 - `ad`
 
-#### OpenLDAP
+### OpenLDAP
 
 By default, the LDAP Secret Engine assumes the entry password is stored in `userPassword`.
 There are many object classes that provide `userPassword` including for example:
@@ -71,24 +71,46 @@ There are many object classes that provide `userPassword` including for example:
 - `person`
 - `posixAccount`
 
-#### Resource access control facility (RACF)
+### Resource access control facility (RACF)
 
-For managing IBM's Resource Access Control Facility (RACF) security system, the secret
-engine must be configured to use the schema `racf`.
+To manage credentials for IBM's Resource Access Control Facility (RACF), you
+must configure the LDAP secrets engine with the `racf` schema. This enables
+specific behaviors required for RACF compatibility.
 
-Generated passwords must be 8 characters or less to support RACF. The length of the
-password can be configured using a [password policy](/vault/docs/concepts/password-policies):
+#### Credential Type: Password vs. Password Phrase
 
-```bash
-$ vault write ldap/config \
-	binddn=$USERNAME \
-	bindpass=$PASSWORD \
-	url=ldaps://138.91.247.105 \
-	schema=racf \
-	password_policy=racf_password_policy
+The engine can manage both traditional 8-character passwords and modern, longer
+password phrases. This is controlled by the [`credential_type`](/vault/api-docs/secret/ldap#credential_type)
+parameter:
+
+- `password` (Default): The engine will generate and manage standard RACF passwords.
+
+- `phrase`: The engine will generate and manage case-sensitive password phrases (14-100 characters).
+
+#### Configuring Password Rules
+
+The complexity rules for generated credentials, such as length, are not
+controlled by the RACF schema itself. Instead, you must define and link a
+standard Vault [password policy](/vault/docs/concepts/password-policies).
+This allows you to enforce site-specific complexity requirements.
+
+#### Example Configuration
+
+The following example configures the LDAP engine for RACF, sets it to manage
+password phrases, and links a password policy to enforce length and
+complexity.
+
+```shell-session
+vault write ldap/config \
+    binddn="$USERNAME" \
+    bindpass="$PASSWORD" \
+    url="ldaps://138.91.247.105" \
+    schema="racf" \
+    credential_type="phrase" \
+    password_policy="racf_password_policy"
 ```
 
-#### Active directory (AD)
+### Active directory (AD)
 
 For managing Active Directory instances, the secret engine must be configured to use the
 schema `ad`.

content/vault/v1.19.x/content/docs/secrets/ldap.mdx

@@ -51,15 +51,15 @@ The secrets engine has three primary features:
    Note: it's not possible to retrieve the generated password once rotated by Vault.
    It's recommended a dedicated entry management account be created specifically for Vault.
 
-### Schemas
+## Schemas
 
 The LDAP Secret Engine supports three different schemas:
 
 - `openldap` (default)
 - `racf`
 - `ad`
 
-#### OpenLDAP
+### OpenLDAP
 
 By default, the LDAP Secret Engine assumes the entry password is stored in `userPassword`.
 There are many object classes that provide `userPassword` including for example:
@@ -71,24 +71,46 @@ There are many object classes that provide `userPassword` including for example:
 - `person`
 - `posixAccount`
 
-#### Resource access control facility (RACF)
+### Resource access control facility (RACF)
 
-For managing IBM's Resource Access Control Facility (RACF) security system, the secret
-engine must be configured to use the schema `racf`.
+To manage credentials for IBM's Resource Access Control Facility (RACF), you
+must configure the LDAP secrets engine with the `racf` schema. This enables
+specific behaviors required for RACF compatibility.
 
-Generated passwords must be 8 characters or less to support RACF. The length of the
-password can be configured using a [password policy](/vault/docs/concepts/password-policies):
+#### Credential Type: Password vs. Password Phrase
 
-```bash
-$ vault write ldap/config \
-	binddn=$USERNAME \
-	bindpass=$PASSWORD \
-	url=ldaps://138.91.247.105 \
-	schema=racf \
-	password_policy=racf_password_policy
+The engine can manage both traditional 8-character passwords and modern, longer
+password phrases. This is controlled by the [`credential_type`](/vault/api-docs/secret/ldap#credential_type)
+parameter:
+
+- `password` (Default): The engine will generate and manage standard RACF passwords.
+
+- `phrase`: The engine will generate and manage case-sensitive password phrases (14-100 characters).
+
+#### Configuring Password Rules
+
+The complexity rules for generated credentials, such as length, are not
+controlled by the RACF schema itself. Instead, you must define and link a
+standard Vault [password policy](/vault/docs/concepts/password-policies).
+This allows you to enforce site-specific complexity requirements.
+
+#### Example Configuration
+
+The following example configures the LDAP engine for RACF, sets it to manage
+password phrases, and links a password policy to enforce length and
+complexity.
+
+```shell-session
+vault write ldap/config \
+    binddn="$USERNAME" \
+    bindpass="$PASSWORD" \
+    url="ldaps://138.91.247.105" \
+    schema="racf" \
+    credential_type="phrase" \
+    password_policy="racf_password_policy"
 ```
 
-#### Active directory (AD)
+### Active directory (AD)
 
 For managing Active Directory instances, the secret engine must be configured to use the
 schema `ad`.

content/vault/v1.20.x/content/docs/secrets/ldap.mdx

@@ -51,15 +51,15 @@ The secrets engine has three primary features:
    Note: it's not possible to retrieve the generated password once rotated by Vault.
    It's recommended a dedicated entry management account be created specifically for Vault.
 
-### Schemas
+## Schemas
 
 The LDAP Secret Engine supports three different schemas:
 
 - `openldap` (default)
 - `racf`
 - `ad`
 
-#### OpenLDAP
+### OpenLDAP
 
 By default, the LDAP Secret Engine assumes the entry password is stored in `userPassword`.
 There are many object classes that provide `userPassword` including for example:
@@ -71,24 +71,46 @@ There are many object classes that provide `userPassword` including for example:
 - `person`
 - `posixAccount`
 
-#### Resource access control facility (RACF)
+### Resource access control facility (RACF)
 
-For managing IBM's Resource Access Control Facility (RACF) security system, the secret
-engine must be configured to use the schema `racf`.
+To manage credentials for IBM's Resource Access Control Facility (RACF), you
+must configure the LDAP secrets engine with the `racf` schema. This enables
+specific behaviors required for RACF compatibility.
 
-Generated passwords must be 8 characters or less to support RACF. The length of the
-password can be configured using a [password policy](/vault/docs/concepts/password-policies):
+#### Credential Type: Password vs. Password Phrase
 
-```bash
-$ vault write ldap/config \
-	binddn=$USERNAME \
-	bindpass=$PASSWORD \
-	url=ldaps://138.91.247.105 \
-	schema=racf \
-	password_policy=racf_password_policy
+The engine can manage both traditional 8-character passwords and modern, longer
+password phrases. This is controlled by the [`credential_type`](/vault/api-docs/secret/ldap#credential_type)
+parameter:
+
+- `password` (Default): The engine will generate and manage standard RACF passwords.
+
+- `phrase`: The engine will generate and manage case-sensitive password phrases (14-100 characters).
+
+#### Configuring Password Rules
+
+The complexity rules for generated credentials, such as length, are not
+controlled by the RACF schema itself. Instead, you must define and link a
+standard Vault [password policy](/vault/docs/concepts/password-policies).
+This allows you to enforce site-specific complexity requirements.
+
+#### Example Configuration
+
+The following example configures the LDAP engine for RACF, sets it to manage
+password phrases, and links a password policy to enforce length and
+complexity.
+
+```shell-session
+vault write ldap/config \
+    binddn="$USERNAME" \
+    bindpass="$PASSWORD" \
+    url="ldaps://138.91.247.105" \
+    schema="racf" \
+    credential_type="phrase" \
+    password_policy="racf_password_policy"
 ```
 
-#### Active directory (AD)
+### Active directory (AD)
 
 For managing Active Directory instances, the secret engine must be configured to use the
 schema `ad`.

content/vault/v1.21.x (rc)/content/docs/secrets/ldap.mdx

@@ -51,15 +51,15 @@ The secrets engine has three primary features:
    Note: it's not possible to retrieve the generated password once rotated by Vault.
    It's recommended a dedicated entry management account be created specifically for Vault.
 
-### Schemas
+## Schemas
 
 The LDAP Secret Engine supports three different schemas:
 
 - `openldap` (default)
 - `racf`
 - `ad`
 
-#### OpenLDAP
+### OpenLDAP
 
 By default, the LDAP Secret Engine assumes the entry password is stored in `userPassword`.
 There are many object classes that provide `userPassword` including for example:
@@ -71,24 +71,46 @@ There are many object classes that provide `userPassword` including for example:
 - `person`
 - `posixAccount`
 
-#### Resource access control facility (RACF)
+### Resource access control facility (RACF)
 
-For managing IBM's Resource Access Control Facility (RACF) security system, the secret
-engine must be configured to use the schema `racf`.
+To manage credentials for IBM's Resource Access Control Facility (RACF), you
+must configure the LDAP secrets engine with the `racf` schema. This enables
+specific behaviors required for RACF compatibility.
 
-Generated passwords must be 8 characters or less to support RACF. The length of the
-password can be configured using a [password policy](/vault/docs/concepts/password-policies):
+#### Credential Type: Password vs. Password Phrase
 
-```bash
-$ vault write ldap/config \
-	binddn=$USERNAME \
-	bindpass=$PASSWORD \
-	url=ldaps://138.91.247.105 \
-	schema=racf \
-	password_policy=racf_password_policy
+The engine can manage both traditional 8-character passwords and modern, longer
+password phrases. This is controlled by the [`credential_type`](/vault/api-docs/secret/ldap#credential_type)
+parameter:
+
+- `password` (Default): The engine will generate and manage standard RACF passwords.
+
+- `phrase`: The engine will generate and manage case-sensitive password phrases (14-100 characters).
+
+#### Configuring Password Rules
+
+The complexity rules for generated credentials, such as length, are not
+controlled by the RACF schema itself. Instead, you must define and link a
+standard Vault [password policy](/vault/docs/concepts/password-policies).
+This allows you to enforce site-specific complexity requirements.
+
+#### Example Configuration
+
+The following example configures the LDAP engine for RACF, sets it to manage
+password phrases, and links a password policy to enforce length and
+complexity.
+
+```shell-session
+vault write ldap/config \
+    binddn="$USERNAME" \
+    bindpass="$PASSWORD" \
+    url="ldaps://138.91.247.105" \
+    schema="racf" \
+    credential_type="phrase" \
+    password_policy="racf_password_policy"
 ```
 
-#### Active directory (AD)
+### Active directory (AD)
 
 For managing Active Directory instances, the secret engine must be configured to use the
 schema `ad`.