diff --git a/vault/resource_aws_auth_backend_role_test.go b/vault/resource_aws_auth_backend_role_test.go
index 60f5f1c2cb..3cdc07a8dd 100644
--- a/vault/resource_aws_auth_backend_role_test.go
+++ b/vault/resource_aws_auth_backend_role_test.go
@@ -219,12 +219,12 @@ func testAccAWSAuthBackendRoleCheck_attrs(backend, role string) resource.TestChe
 			"inferred_entity_type":           "inferred_entity_type",
 			"inferred_aws_region":            "inferred_aws_region",
 			"resolve_aws_unique_ids":         "resolve_aws_unique_ids",
-			"ttl":                            "ttl",
-			"max_ttl":                        "max_ttl",
-			"period":                         "period",
-			"policies":                       "policies",
-			"allow_instance_migration":       "allow_instance_migration",
-			"disallow_reauthentication":      "disallow_reauthentication",
+			"ttl":                       "ttl",
+			"max_ttl":                   "max_ttl",
+			"period":                    "period",
+			"policies":                  "policies",
+			"allow_instance_migration":  "allow_instance_migration",
+			"disallow_reauthentication": "disallow_reauthentication",
 		}
 		for stateAttr, apiAttr := range attrs {
 			if resp.Data[apiAttr] == nil && instanceState.Attributes[stateAttr] == "" {
diff --git a/vault/resource_ldap_auth_backend_test.go b/vault/resource_ldap_auth_backend_test.go
index 06375265e8..556a1a19d1 100644
--- a/vault/resource_ldap_auth_backend_test.go
+++ b/vault/resource_ldap_auth_backend_test.go
@@ -86,6 +86,11 @@ func testLDAPAuthBackendCheck_attrs(path string) resource.TestCheckFunc {
 			return err
 		}
 
+		// Check that `bindpass`, if present in the state, is not returned by the API
+		if instanceState.Attributes["bindpass"] != "" && resp.Data["bindpass"] != nil {
+			return fmt.Errorf("expected api field bindpass to not be returned, but was %q", resp.Data["bindpass"])
+		}
+
 		attrs := map[string]string{
 			"url":             "url",
 			"starttls":        "starttls",
@@ -94,7 +99,6 @@ func testLDAPAuthBackendCheck_attrs(path string) resource.TestCheckFunc {
 			"insecure_tls":    "insecure_tls",
 			"certificate":     "certificate",
 			"binddn":          "binddn",
-			"bindpass":        "bindpass",
 			"userdn":          "userdn",
 			"userattr":        "userattr",
 			"discoverdn":      "discoverdn",
@@ -180,6 +184,10 @@ resource "vault_ldap_auth_backend" "test" {
     tls_min_version        = "tls11"
     tls_max_version        = "tls12"
     insecure_tls           = false
+    binddn                 = "cn=example.com"
+    bindpass               = "supersecurepassword"
+    discoverdn             = false
+    deny_null_bind         = true
 }
 `, path)