Configuring an LDAP Directory to Store the Secrets

This is the recommended option, and it works with any LDAP directory. To use it, extend the directory schema with an additional attribute on the user object class; the secrets are encrypted and the resulting document is stored in that attribute.

When you use an LDAP directory to store the secrets, you enable the user store as the secret store: select the LDAP directory, then specify the attribute. That attribute holds an XML document containing the encrypted secret values. It must be a single-valued, case-ignore string attribute that you have defined in the schema and assigned to the user object class.

To use an LDAP directory to store secrets, your network environment must conform to the following requirements:

  • The user object class must contain an attribute that can be used to store the secrets. This attribute must be a single-valued, case-ignore string attribute.

  • The user store must be configured to use secure connections, so that the bind credentials and the secret document are never sent over the network in clear text. On the Home page, click Identity Servers > [cluster name] > User Stores > [User Store Name]. Under Server Replicas, ensure that Port is 636 and that Use Secure LDAP Connections is enabled.
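
The following Python script is an added example, not part of this documentation or of the product. It parses RFC 4512 attributeTypes definitions, either from the schema-extension LDIF you are about to apply or from the attributeTypes values your directory returns from its subschema entry, and checks the three requirements above: SINGLE-VALUE, caseIgnoreMatch equality, and Directory String syntax. The embedded LDIF is constructed for the example; the OID arc 1.3.6.1.4.1.99999 and the names secretStoreData and secretStoreUser are hypothetical placeholders, not values from the product.

```python
import re

DIRECTORY_STRING_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.15"   # RFC 4517 Directory String
CASE_IGNORE_EQUALITY = "caseIgnoreMatch"                     # RFC 4517 case-ignore matching rule

# Constructed schema-extension LDIF. The OID arc 1.3.6.1.4.1.99999 and the names
# secretStoreData / secretStoreUser are hypothetical placeholders; use your own
# registered arc and names in a real extension.
SAMPLE_SCHEMA_LDIF = """\
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'secretStoreData'
  DESC 'Hypothetical attribute holding the encrypted secret-store XML document'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE )
-
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'secretStoreUser'
  DESC 'Hypothetical auxiliary class that adds secretStoreData to user entries'
  SUP top AUXILIARY
  MAY ( secretStoreData ) )
"""

_VALUE_KEYWORDS = {"NAME", "DESC", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX", "SUP", "USAGE"}
_FLAG_KEYWORDS = {"SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION", "OBSOLETE"}


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def attribute_type_definitions(ldif_text):
    """Return the raw attributeTypes values found in an LDIF document."""
    return [line.split(":", 1)[1].strip()
            for line in unfold_ldif(ldif_text)
            if line.startswith("attributeTypes:")]


def parse_attribute_type(definition):
    """Parse an RFC 4512 AttributeTypeDescription into a dict of its fields."""
    tokens = re.findall(r"'[^']*'|\(|\)|[^\s()']+", definition)
    if len(tokens) < 2 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("attribute type description must be parenthesised")
    tokens = tokens[1:-1]
    info = {"oid": tokens[0], "names": [], "flags": set()}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in _FLAG_KEYWORDS:
            info["flags"].add(tok)
            i += 1
            continue
        # Everything else is "KEYWORD value" or "KEYWORD ( value value ... )".
        if i + 1 >= len(tokens):
            raise ValueError(f"keyword {tok} has no value")
        if tokens[i + 1] == "(":
            j = i + 2
            values = []
            while j < len(tokens) and tokens[j] != ")":
                values.append(tokens[j].strip("'"))
                j += 1
            i = j + 1
        else:
            values = [tokens[i + 1].strip("'")]
            i += 2
        if tok == "NAME":
            info["names"].extend(values)
        elif tok in _VALUE_KEYWORDS:
            info[tok.lower()] = values[0]
        # X- extensions and unknown keywords are consumed and ignored.
    return info


def check_secret_attribute(info):
    """Return the list of requirement violations (empty if the attribute is usable)."""
    problems = []
    if "SINGLE-VALUE" not in info["flags"]:
        problems.append("must be SINGLE-VALUE (it is multi-valued)")
    syntax = info.get("syntax", "").split("{")[0]   # drop any {maxlen} suffix
    if syntax != DIRECTORY_STRING_SYNTAX:
        problems.append(f"SYNTAX must be Directory String {DIRECTORY_STRING_SYNTAX}, got {syntax or 'none'}")
    if info.get("equality") != CASE_IGNORE_EQUALITY:
        problems.append(f"EQUALITY must be {CASE_IGNORE_EQUALITY}, got {info.get('equality') or 'none'}")
    # A definition that only gives SUP <type> inherits syntax and equality from its
    # supertype; resolve the supertype before checking such a definition here.
    return problems


def check_schema_ldif(ldif_text):
    """Map each attribute name in the LDIF to its list of violations."""
    report = {}
    for definition in attribute_type_definitions(ldif_text):
        info = parse_attribute_type(definition)
        name = info["names"][0] if info["names"] else info["oid"]
        report[name] = check_secret_attribute(info)
    return report


if __name__ == "__main__":
    for name, problems in check_schema_ldif(SAMPLE_SCHEMA_LDIF).items():
        print(name, "OK" if not problems else "; ".join(problems))
    # A deliberately unsuitable definition: multi-valued and case-exact.
    bad = parse_attribute_type(
        "( 1.3.6.1.4.1.99999.1.2 NAME 'badSecret' EQUALITY caseExactMatch "
        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )")
    print("badSecret", "; ".join(check_secret_attribute(bad)))
```

To verify an attribute that already exists in your directory, paste the attributeTypes value that the directory's subschema entry returns for it into `parse_attribute_type` and run `check_secret_attribute` on the result; the subschema DN and the exact syntax name differ between directory products, so the check is deliberately strict about the LDAP-level identifiers rather than vendor names.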

Configure the LDAP directory as the secret store through the Web Service Provider API (https://<admin-console-host>:<admin-console-port>/nps/swagger-ui.html). After the configuration is in place:

  1. On the Home page, click Identity Servers > Update to apply the configuration to the Identity Server cluster.

  2. To create policies that use the stored secrets, see Creating and Managing Shared Secrets.