It works if you know how to specify. Seems in the case of the LdapExtLoginModule the bindCredential value is not given as a variable like it is for the https connector password. So, for example, instead of value="${VAULT::ldap::password::MGI0Y2NlYzQtMjVhZi00MTk4LTljMTgtZjI5OGE6ZWNmZDcxTElORV0CUkVBS4Nkc4ZhdWx1}" it is just value="VAULT::ldap::password::MGI0Y2NlYzQtMjVhZi00MTk4LTljMTgtZjI5OGE6ZWNmZDcxTElORV0CUkVBS4Nkc4ZhdWx1".