Description

Enable root password rotation for Active Directory and RACF rotation schemas.
Adds support for AD and RACF rotation schemas so the backend can rotate the root credential for those directory types (same behavior as in hashicorp/vault-plugin-secrets-openldap ).
Includes unit tests that exercise the generated LDAP Modify requests for OpenLDAP, AD, and RACF, and validates rotate-root config options.

Notes:
Rather than importing the openldap plugin, a minimal, self-contained implementation was added in this repository to avoid pulling plugin code into the main Vault tree.
It would be cleaner to consolidate this logic under github.com/hashicorp/vault/sdk/helper/ldaputil so both repositories share the same implementation. Kept the smaller in-repo version here to preserve backward compatibility and limit scope of change — happy to refactor to ldaputil if preferred.
Testing:
Test coverage includes config validation, modify-request generation.

TODO only if you're a HashiCorp employee

• Backport Labels: If this fix needs to be backported, use the appropriate backport/ label that matches the desired release branch.
  • LTS: If this fixes a critical security vulnerability or severity 1 bug, it will also need to be backported to the current LTS versions of Vault. To ensure this, use all available enterprise labels.
• Jira: If this change has an associated Jira, it's referenced either in the PR description, commit message, or branch name.
• RFC: If this change has an associated RFC, please link it in the description.

PCI review checklist

• I have documented a clear reason for, and description of, the change I am making.
• If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
• If applicable, I've documented the impact of any changes to security controls.

Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.