Clarify binding options and remove mention of deny_null_bind

Author: cbiguet

content/vault/v1.16.x/content/docs/auth/ldap.mdx

@@ -110,11 +110,11 @@ management tool.
 
 ### Binding parameters
 
-There are two alternate methods of resolving the user object used to authenticate the end user: _Search_ or _User Principal Name_. When using _Search_, the bind can be either anonymous or authenticated. User Principal Name is a method of specifying users supported by Active Directory. More information on UPN can be found [here](<https://msdn.microsoft.com/en-us/library/ms677605(v=vs.85).aspx#userPrincipalName>).
-
-`userfilter` works with both authenticated and anonymous _Search_.
-In order for `userfilter` to apply for authenticated searches, `binddn` and `bindpass` must be set.
-For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` must be set to false.
+The LDAP auth method supports the following methods for resolving the user object used to authenticate the end user:
+- **Search** - Searches the LDAP server directory for the user object based on the provided username. This search can performed in one of two ways:
+    - Authenticated search - The bind user must be set using `binddn` and `bindpass`
+    - Anonymous search - `discoverdn` must be set to `true`
+- **User Principal Name (UPN)** - UPN is a method of specifying users supported by Active Directory. More information on UPN can be found [here](<https://msdn.microsoft.com/en-us/library/ms677605(v=vs.85).aspx#userPrincipalName>).
 
 #### Binding - authenticated search
 
@@ -132,7 +132,6 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m
 - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com`
 - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
 - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`.
-- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`.
 - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`.
 
 @include 'ldap-auth-userfilter-warning.mdx'

content/vault/v1.19.x/content/docs/auth/ldap.mdx

@@ -110,11 +110,11 @@ management tool.
 
 ### Binding parameters
 
-There are two alternate methods of resolving the user object used to authenticate the end user: _Search_ or _User Principal Name_. When using _Search_, the bind can be either anonymous or authenticated. User Principal Name is a method of specifying users supported by Active Directory. More information on UPN can be found [here](<https://msdn.microsoft.com/en-us/library/ms677605(v=vs.85).aspx#userPrincipalName>).
-
-`userfilter` works with both authenticated and anonymous _Search_.
-In order for `userfilter` to apply for authenticated searches, `binddn` and `bindpass` must be set.
-For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` must be set to false.
+The LDAP auth method supports the following methods for resolving the user object used to authenticate the end user:
+- **Search** - Searches the LDAP server directory for the user object based on the provided username. This search can performed in one of two ways:
+    - Authenticated search - The bind user must be set using `binddn` and `bindpass`
+    - Anonymous search - `discoverdn` must be set to `true`
+- **User Principal Name (UPN)** - UPN is a method of specifying users supported by Active Directory. More information on UPN can be found [here](<https://msdn.microsoft.com/en-us/library/ms677605(v=vs.85).aspx#userPrincipalName>).
 
 #### Binding - authenticated search
 
@@ -132,7 +132,6 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m
 - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com`
 - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
 - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`.
-- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`.
 - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`.
 
 @include 'ldap-auth-userfilter-warning.mdx'

content/vault/v1.20.x/content/docs/auth/ldap.mdx

@@ -112,11 +112,11 @@ management tool.
 
 ### Binding parameters
 
-There are two alternate methods of resolving the user object used to authenticate the end user: _Search_ or _User Principal Name_. When using _Search_, the bind can be either anonymous or authenticated. User Principal Name is a method of specifying users supported by Active Directory. More information on UPN can be found [here](<https://msdn.microsoft.com/en-us/library/ms677605(v=vs.85).aspx#userPrincipalName>).
-
-`userfilter` works with both authenticated and anonymous _Search_.
-In order for `userfilter` to apply for authenticated searches, `binddn` and `bindpass` must be set.
-For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` must be set to false.
+The LDAP auth method supports the following methods for resolving the user object used to authenticate the end user:
+- **Search** - Searches the LDAP server directory for the user object based on the provided username. This search can performed in one of two ways:
+    - Authenticated search - The bind user must be set using `binddn` and `bindpass`
+    - Anonymous search - `discoverdn` must be set to `true`
+- **User Principal Name (UPN)** - UPN is a method of specifying users supported by Active Directory. More information on UPN can be found [here](<https://msdn.microsoft.com/en-us/library/ms677605(v=vs.85).aspx#userPrincipalName>).
 
 #### Binding - authenticated search
 
@@ -134,7 +134,6 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m
 - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com`
 - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
 - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`.
-- `deny_null_bind` (bool, optional) - By default, Vault prevents LDAP authentication attempts when the user provides an empty password (null binds). Setting `deny_null_bind` to `false` tells Vault to defer the handling of empty-password authentication attempts to the LDAP server. You may want to allow LDAP anonymous bind operations for directory configurations using anonymous search or discovery. The default is `true`.
 - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`.
 
 @include 'ldap-auth-userfilter-warning.mdx'

content/vault/v1.21.x/content/docs/auth/ldap.mdx

@@ -112,11 +112,11 @@ management tool.
 
 ### Binding parameters
 
-There are two alternate methods of resolving the user object used to authenticate the end user: _Search_ or _User Principal Name_. When using _Search_, the bind can be either anonymous or authenticated. User Principal Name is a method of specifying users supported by Active Directory. More information on UPN can be found [here](<https://msdn.microsoft.com/en-us/library/ms677605(v=vs.85).aspx#userPrincipalName>).
-
-`userfilter` works with both authenticated and anonymous _Search_.
-In order for `userfilter` to apply for authenticated searches, `binddn` and `bindpass` must be set.
-For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` must be set to false.
+The LDAP auth method supports the following methods for resolving the user object used to authenticate the end user:
+- **Search** - Searches the LDAP server directory for the user object based on the provided username. This search can performed in one of two ways:
+    - Authenticated search - The bind user must be set using `binddn` and `bindpass`
+    - Anonymous search - `discoverdn` must be set to `true`
+- **User Principal Name (UPN)** - UPN is a method of specifying users supported by Active Directory. More information on UPN can be found [here](<https://msdn.microsoft.com/en-us/library/ms677605(v=vs.85).aspx#userPrincipalName>).
 
 #### Binding - authenticated search
 
@@ -134,7 +134,6 @@ For anonymous search, `discoverdn` must be set to `true`, and `deny_null_bind` m
 - `userdn` (string, optional) - Base DN under which to perform user search. Example: `ou=Users,dc=example,dc=com`
 - `userattr` (string, optional) - Attribute on user attribute object matching the username passed when authenticating. Examples: `sAMAccountName`, `cn`, `uid`
 - `userfilter` (string, optional) - Go template used to construct a ldap user search filter. The template can access the following context variables: \[`UserAttr`, `Username`\]. The default userfilter is `({{.UserAttr}}={{.Username}})` or `(userPrincipalName={{.Username}}@UPNDomain)` if the `upndomain` parameter is set. The user search filter can be used to restrict what user can attempt to log in. For example, to limit login to users that are not contractors, you could write `(&(objectClass=user)({{.UserAttr}}={{.Username}})(!(employeeType=Contractor)))`.
-- `deny_null_bind` (bool, optional) - This option prevents users from bypassing authentication when providing an empty password. The default is `true`.
 - `anonymous_group_search` (bool, optional) - Use anonymous binds when performing LDAP group searches. Defaults to `false`.
 
 @include 'ldap-auth-userfilter-warning.mdx'