diff --git a/README.md b/README.md
index d5c51035..c7046a20 100644
--- a/README.md
+++ b/README.md
@@ -153,7 +153,8 @@ The following table lists the configurable parameters of the nifi chart and the
 | `auth.oidc.enabled`                                                         | Enable User auth via oidc                                                                                          | `false`                         |
 | `auth.oidc.discoveryUrl`                                                    | oidc discover url                                                                                                  | `https://<provider>/.well-known/openid-configuration`      |
 | `auth.oidc.clientId`                                                        | oidc clientId                                                                                                      | `nil`                           |
-| `auth.oidc.clientSecret`                                                    | oidc clientSecret                                                                                                  | `nil`                           |
+| `auth.oidc.clientSecret`                                                    | oidc clientSecret (plaintext secret that could get stored in git, logs, etc.)                                      | `nil`                           |
+| `auth.oidc.existingSecret`                                                  | Name of an existing secret with the oidc clientSecret                                                              | `nil`                           |
 | `auth.oidc.claimIdentifyingUser`                                            | oidc claimIdentifyingUser                                                                                          | `email`                         |
 | `auth.oidc.admin`                                                           | Default OIDC admin identity                                                                                        | `nifi@example.com`              |
 | Note that OIDC authentication to a multi-NiFi-node cluster requires Ingress sticky sessions | See [background](https://community.cloudera.com/t5/Support-Questions/OIDC-With-Azure-AD/m-p/232324#M194163)      | Also [how](https://kubernetes.github.io/ingress-nginx/examples/affinity/cookie/) |
diff --git a/configs/login-identity-providers-ldap.xml b/configs/login-identity-providers-ldap.xml
index 204d08a5..d34e5f7a 100644
--- a/configs/login-identity-providers-ldap.xml
+++ b/configs/login-identity-providers-ldap.xml
@@ -65,7 +65,7 @@
     <provider>
         <identifier>ldap-provider</identifier>
         <class>org.apache.nifi.ldap.LdapProvider</class>
-        <property name="Authentication Strategy">SIMPLE</property>
+        <property name="Authentication Strategy">{{.Values.auth.ldap.authStrategy}}</property>
         <property name="Manager DN">{{.Values.auth.ldap.admin}}</property>
         <property name="Manager Password">{{.Values.auth.ldap.pass}}</property>
         <property name="TLS - Keystore">/opt/nifi/nifi-current/conf/{{.Release.Name}}-nifi-0.{{.Release.Name}}-nifi-headless.{{.Release.Namespace}}.svc.cluster.local/keystore.jks</property>
@@ -83,8 +83,8 @@
         <property name="Read Timeout">10 secs</property>
         <property name="Url">{{.Values.auth.ldap.host}}</property>
         <property name="User Search Base">{{.Values.auth.ldap.searchBase}}</property>
-        <property name="User Search Filter">(cn={0})</property>
+        <property name="User Search Filter">({{.Values.auth.ldap.userIdentityAttribute}}={0})</property>
         <property name="Identity Strategy">{{.Values.auth.ldap.IdentityStrategy}}</property>
-        <property name="Authentication Expiration">12 hours</property>
+        <property name="Authentication Expiration">{{.Values.auth.ldap.authExpiration}}</property>
     </provider>
-</loginIdentityProviders>
\ No newline at end of file
+</loginIdentityProviders>
diff --git a/templates/secret.yaml b/templates/secret.yaml
new file mode 100644
index 00000000..88cf6846
--- /dev/null
+++ b/templates/secret.yaml
@@ -0,0 +1,14 @@
+{{- if and .Values.auth.oidc.enabled (not (.Values.auth.oidc.existingSecret)) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "apache-nifi.fullname" . }}-oidc
+  labels:
+    app: {{ include "apache-nifi.name" . | quote }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+data:
+  clientSecret: {{ .Values.auth.oidc.clientSecret | b64enc }}
+
+{{- end }}
diff --git a/templates/statefulset.yaml b/templates/statefulset.yaml
index 7a732024..4ea82576 100644
--- a/templates/statefulset.yaml
+++ b/templates/statefulset.yaml
@@ -146,7 +146,7 @@ spec:
           prop_replace nifi.security.user.authorizer managed-authorizer
           prop_replace nifi.security.user.oidc.discovery.url {{ .Values.auth.oidc.discoveryUrl }}
           prop_replace nifi.security.user.oidc.client.id {{ .Values.auth.oidc.clientId }}
-          prop_replace nifi.security.user.oidc.client.secret {{ .Values.auth.oidc.clientSecret }}
+          prop_replace nifi.security.user.oidc.client.secret $(cat /mnt/secrets/oidc/clientSecret)
           prop_replace nifi.security.user.oidc.claim.identifying.user {{ .Values.auth.oidc.claimIdentifyingUser }}
           xmlstarlet ed --inplace --delete "//authorizers/authorizer[identifier='single-user-authorizer']" "${NIFI_HOME}/conf/authorizers.xml"
           xmlstarlet ed --inplace --update "//authorizers/userGroupProvider/property[@name='Users File']" -v './auth-conf/users.xml' "${NIFI_HOME}/conf/authorizers.xml"
@@ -523,6 +523,11 @@ spec:
               {{- end }}
             {{- end }}
           {{- end }}
+          {{- if .Values.auth.oidc.enabled }}
+          - name: oidc-secret
+            mountPath: /mnt/secrets/oidc
+            readOnly: true
+          {{- end }}
 {{- if .Values.certManager.enabled }}
           - name: "tls"
             mountPath: /opt/nifi/nifi-current/tls
@@ -783,6 +788,15 @@ spec:
       - name: logs
         emptyDir: {}
 {{- end }}
+{{- if .Values.auth.oidc.enabled }}
+      - name: oidc-secret
+        secret:
+          {{- if not .Values.auth.oidc.existingSecret }}
+          secretName: {{ template "apache-nifi.fullname" . }}-oidc
+          {{- else }}
+          secretName: {{ .Values.auth.oidc.existingSecret  }}
+          {{- end }}
+{{- end }}
 {{- if .Values.extraVolumes }}
 {{ toYaml .Values.extraVolumes | indent 6 }}
 {{- end }}
diff --git a/values.yaml b/values.yaml
index 158bdfed..0e290129 100644
--- a/values.yaml
+++ b/values.yaml
@@ -147,6 +147,9 @@ auth:
     discoveryUrl: #http://<oidc_provider_address>:<oidc_provider_port>/auth/realms/<client_realm>/.well-known/openid-configuration
     clientId: #<client_name_in_oidc_provider>
     clientSecret: #<client_secret_in_oidc_provider>
+    # try to use an existing secret that has been sourced from a key vault so the clientSecret isn't stored in plaintext
+    #  if this is set then the clientSecret above is ignored.
+    existingSecret:
     claimIdentifyingUser: email
     admin: nifi@example.com
     ## Request additional scopes, for example profile