diff --git a/CHANGELOG.md b/CHANGELOG.md index 28bf38edf..f10f1ced9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ ## Unreleased +CHANGES: + +* `vault_ldap_auth_backend`: Set `deny_null_bind` to `true` by default if not provided in configuration ([#2622](https://github.com/hashicorp/terraform-provider-vault/pull/2622)) + ## 5.4.0 (Nov 3, 2025) BEHAVIOR CHANGES: Please refer to the [upgrade topics](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/guides/version_5_upgrade.html#upgrade-topics) diff --git a/vault/resource_ldap_auth_backend.go b/vault/resource_ldap_auth_backend.go index 45dd42ed2..bef106d2f 100644 --- a/vault/resource_ldap_auth_backend.go +++ b/vault/resource_ldap_auth_backend.go @@ -247,8 +247,21 @@ func ldapAuthBackendResource() *schema.Resource { Importer: &schema.ResourceImporter{ StateContext: schema.ImportStatePassthroughContext, }, - CustomizeDiff: getMountCustomizeDiffFunc(consts.FieldPath), - Schema: fields, + CustomizeDiff: schema.CustomizeDiffFunc(func(ctx context.Context, diff *schema.ResourceDiff, meta interface{}) error { + // Handle deny_null_bind default behavior + rawConfig := diff.GetRawConfig() + configValue := rawConfig.GetAttr(consts.FieldDenyNullBind) + if configValue.IsNull() { + // Field not set in config, ensure it defaults to true + if err := diff.SetNew(consts.FieldDenyNullBind, true); err != nil { + return err + } + } + + // Apply mount customization + return getMountCustomizeDiffFunc(consts.FieldPath)(ctx, diff, meta) + }), + Schema: fields, }, true) // add automated rotation fields to the resource diff --git a/vault/resource_ldap_auth_backend_test.go b/vault/resource_ldap_auth_backend_test.go index 8ab2a87dd..7c2e2440a 100644 --- a/vault/resource_ldap_auth_backend_test.go +++ b/vault/resource_ldap_auth_backend_test.go 
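Review bot: The new CustomizeDiff closure in ldapAuthBackendResource says only `// Handle deny_null_bind default behavior`, not why the default has to be forced at plan time instead of with a schema `Default`, and that reasoning is what stops a later maintainer from "simplifying" it away. Presumably `deny_null_bind` is declared Optional+Computed in `fields` (outside the hunk), which the SDK does not allow to combine with `Default`; using `SetNew` also means a backend whose flag was switched off outside Terraform is planned back to `true`, which is the behaviour you want for a guard against anonymous LDAP binds — worth a two-line comment above `rawConfig := diff.GetRawConfig()` saying exactly that. The `SetNew` error is returned bare; `return fmt.Errorf("setting %s default: %w", consts.FieldDenyNullBind, err)` would tell the user which field the plan failed on (assuming `fmt` is already imported in this file). Moving the closure into a named function such as `ldapAuthBackendCustomizeDiff` would also keep the resource literal readable and make the logic testable on its own. The enclosing ldapAuthBackendResource function continues outside the hunk.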
@@ -344,6 +344,48 @@ func TestLDAPAuthBackend_tune_conflicts(t *testing.T) {
 })
 }
 
+func TestLDAPAuthBackend_denyNullBindDefault(t *testing.T) {
+ t.Parallel()
+ path := acctest.RandomWithPrefix("tf-test-ldap-deny-null-bind")
+
+ resourceName := "vault_ldap_auth_backend.test"
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testutil.TestAccPreCheck(t) },
+ ProtoV5ProviderFactories: testAccProtoV5ProviderFactories(context.Background(), t),
+ CheckDestroy: testLDAPAuthBackendDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testLDAPAuthBackendConfig_denyNullBindNotSet(path),
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr(resourceName, "path", path),
+ // Verify deny_null_bind defaults to true when not explicitly set
+ resource.TestCheckResourceAttr(resourceName, "deny_null_bind", "true"),
+ testLDAPAuthBackendCheck_attrs(resourceName, path),
+ ),
+ },
+ {
+ Config: testLDAPAuthBackendConfig_denyNullBindExplicitFalse(path),
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr(resourceName, "path", path),
+ // Verify deny_null_bind can be explicitly set to false
+ resource.TestCheckResourceAttr(resourceName, "deny_null_bind", "false"),
+ testLDAPAuthBackendCheck_attrs(resourceName, path),
+ ),
+ },
+ {
+ Config: testLDAPAuthBackendConfig_denyNullBindNotSet(path),
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr(resourceName, "path", path),
+ // Verify deny_null_bind returns to default true when removed from config
+ resource.TestCheckResourceAttr(resourceName, "deny_null_bind", "true"),
+ testLDAPAuthBackendCheck_attrs(resourceName, path),
+ ),
+ },
+ testutil.GetImportTestStep(resourceName, false, nil, "bindpass", "disable_remount"),
+ },
+ })
+}
+
 func testLDAPAuthBackendDestroy(s *terraform.State) error {
 for _, rs := range s.RootModule().Resources {
 if rs.Type != "vault_ldap_auth_backend" {
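Review bot: The three steps in TestLDAPAuthBackend_denyNullBindDefault only assert the state value after a config change; the case the CustomizeDiff really exists for — the flag being switched off on the Vault side while the config leaves it unset — is not exercised, so a regression that stops planning that drift back to `true` would still pass. A step with a `PreConfig` that disables `deny_null_bind` on the mount through the Vault client, followed by `testLDAPAuthBackendConfig_denyNullBindNotSet(path)` and the same `"true"` check, would cover it. `testLDAPAuthBackendCheck_attrs` (defined elsewhere in the file) may already compare state against the live mount config, but it does not create the drift; whether the harness exposes a client usable from `PreConfig` I cannot tell from this hunk.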
@@ -726,3 +768,29 @@ resource "vault_ldap_auth_backend" "test" {
 }
 `, path)
 }
+
+func testLDAPAuthBackendConfig_denyNullBindNotSet(path string) string {
+ return fmt.Sprintf(`
+resource "vault_ldap_auth_backend" "test" {
+ path = "%s"
+ url = "ldaps://example.org"
+ binddn = "cn=example.com"
+ bindpass = "supersecurepassword"
+ description = "Test LDAP auth backend for deny_null_bind behavior"
+ # deny_null_bind is intentionally not set to test default behavior
+}
+`, path)
+}
+
+func testLDAPAuthBackendConfig_denyNullBindExplicitFalse(path string) string {
+ return fmt.Sprintf(`
+resource "vault_ldap_auth_backend" "test" {
+ path = "%s"
+ url = "ldaps://example.org"
+ binddn = "cn=example.com"
+ bindpass = "supersecurepassword"
+ description = "Test LDAP auth backend for deny_null_bind behavior"
+ deny_null_bind = false
+}
+`, path)
+}
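Review bot: The two new config helpers testLDAPAuthBackendConfig_denyNullBindNotSet and testLDAPAuthBackendConfig_denyNullBindExplicitFalse are identical except for the `deny_null_bind` line, so the next variant of this test (an explicit `true`, say) would mean a third copy of the block. One helper that takes the extra attribute text as a parameter keeps the fixture in one place; call sites become `testLDAPAuthBackendConfig_denyNullBind(path, "")` and `testLDAPAuthBackendConfig_denyNullBind(path, "deny_null_bind = false")`. Keeping the two current names as one-line wrappers over it would avoid touching the test body.
```go
// testLDAPAuthBackendConfig_denyNullBind renders the shared LDAP backend
// fixture; extra is appended verbatim inside the resource block, so "" leaves
// deny_null_bind unset and exercises the provider default.
func testLDAPAuthBackendConfig_denyNullBind(path, extra string) string {
	return fmt.Sprintf(`
resource "vault_ldap_auth_backend" "test" {
  path        = "%s"
  url         = "ldaps://example.org"
  binddn      = "cn=example.com"
  bindpass    = "supersecurepassword"
  description = "Test LDAP auth backend for deny_null_bind behavior"
  %s
}
`, path, extra)
}
```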