diff --git a/docs/sts/ldap.go b/docs/sts/ldap.go
index dd8cb2b92..a39a75aee 100644
--- a/docs/sts/ldap.go
+++ b/docs/sts/ldap.go
@@ -27,6 +27,7 @@ import (
 	"log"
 	"net/url"
 	"os"
+	"time"
 
 	"github.com/minio/minio-go/v7"
 	cr "github.com/minio/minio-go/v7/pkg/credentials"
@@ -43,6 +44,9 @@ var (
 	// Display credentials flag
 	displayCreds bool
 
+	// Credential expiry duration
+	expiryDuration time.Duration
+
 	// Bucket to list
 	bucketToList string
 
@@ -55,6 +59,7 @@ func init() {
 	flag.StringVar(&ldapUsername, "u", "", "AD/LDAP Username")
 	flag.StringVar(&ldapPassword, "p", "", "AD/LDAP Password")
 	flag.BoolVar(&displayCreds, "d", false, "Only show generated credentials")
+	flag.DurationVar(&expiryDuration, "e", 0, "Request a duration of validity for the generated credential")
 	flag.StringVar(&bucketToList, "b", "", "Bucket to list (defaults to ldap username)")
 	flag.StringVar(&sessionPolicyFile, "s", "", "File containing session policy to apply to the STS request")
 }
@@ -70,11 +75,8 @@ func main() {
 	// LDAP STS API.
 
 	// Initialize LDAP credentials
-	var li *cr.Credentials
-	var err error
-	if sessionPolicyFile == "" {
-		li, err = cr.NewLDAPIdentity(stsEndpoint, ldapUsername, ldapPassword)
-	} else {
+	var ldapOpts []cr.LDAPIdentityOpt
+	if sessionPolicyFile != "" {
 		var policy string
 		if f, err := os.Open(sessionPolicyFile); err != nil {
 			log.Fatalf("Unable to open session policy file: %v", sessionPolicyFile, err)
@@ -85,8 +87,12 @@ func main() {
 			}
 			policy = string(bs)
 		}
-		li, err = cr.NewLDAPIdentityWithSessionPolicy(stsEndpoint, ldapUsername, ldapPassword, policy)
+		ldapOpts = append(ldapOpts, cr.LDAPIdentityPolicyOpt(policy))
 	}
+	if expiryDuration != 0 {
+		ldapOpts = append(ldapOpts, cr.LDAPIdentityExpiryOpt(expiryDuration))
+	}
+	li, err := cr.NewLDAPIdentity(stsEndpoint, ldapUsername, ldapPassword, ldapOpts...)
 	if err != nil {
 		log.Fatalf("Error initializing LDAP Identity: %v", err)
 	}
diff --git a/docs/sts/ldap.md b/docs/sts/ldap.md
index 632d4381a..871e43da2 100644
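Review bot: The context line `log.Fatalf("Unable to open session policy file: %v", sessionPolicyFile, err)` in this hunk has a single `%v` verb for two arguments, so the actual error is only printed as an `%!(EXTRA ...)` suffix and `go vet` reports it. Since the commit already restructures this branch, it is a good moment to change it to `log.Fatalf("Unable to open session policy file %q: %v", sessionPolicyFile, err)`. main's body starts and ends outside this hunk.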
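Review bot: The new `if expiryDuration != 0` guard only filters the unset value, so a negative duration given to the `-e` flag (which `flag.DurationVar` accepts, e.g. `-e -1h`) is wrapped in `cr.LDAPIdentityExpiryOpt` and sent as the requested validity. A local check such as `if expiryDuration < 0 { log.Fatalf("Invalid expiry duration: %v", expiryDuration) }` before the append gives a clearer failure than whatever the STS endpoint returns. With this flag the client now chooses the credential lifetime while the server-side default is being deprecated elsewhere in this commit, so the server's upper bound on the requested duration is what keeps lifetimes in check; that bound is not visible in this diff and is worth confirming. main's body continues outside the hunk on both sides.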
--- a/docs/sts/ldap.md
+++ b/docs/sts/ldap.md
@@ -54,7 +54,6 @@ identity_ldap enable LDAP SSO support
 
 ARGS:
 MINIO_IDENTITY_LDAP_SERVER_ADDR* (address) AD/LDAP server address e.g. "myldapserver.com:636"
-MINIO_IDENTITY_LDAP_STS_EXPIRY (duration) temporary credentials validity duration in s,m,h,d. Default is "1h"
 MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN (string) DN for LDAP read-only service account used to perform DN and group lookups
 MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD (string) Password for LDAP read-only service account used to perform DN and group lookups
 MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN (string) Base LDAP DN to search for user DN
@@ -123,12 +122,9 @@ export MINIO_IDENTITY_LDAP_SERVER_ADDR=myldapserver.com:636
 export MINIO_IDENTITY_LDAP_USERNAME_FORMAT="uid=%s,cn=accounts,dc=myldapserver,dc=com"
 export MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN="dc=myldapserver,dc=com"
 export MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER="(&(objectclass=groupOfNames)(memberUid=%s)$)"
-export MINIO_IDENTITY_LDAP_STS_EXPIRY=720h
 export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=on
 ```
 
-> NOTE: In this example STS_EXPIRY is set to 1month, maximum expiry that can be set is 365 days.
-
 ### Variable substitution in AD/LDAP configuration strings ###
 
 In the configuration variables, `%s` is substituted with the *username* from the STS request and `%d` is substituted with the *distinguished username (user DN)* of the LDAP user. Please see the following table for which configuration variables support these substitution variables:
diff --git a/internal/config/identity/ldap/config.go b/internal/config/identity/ldap/config.go
index c437d39d2..1ae8a47a9 100644
--- a/internal/config/identity/ldap/config.go
+++ b/internal/config/identity/ldap/config.go
@@ -31,6 +31,7 @@ import (
 	ldap "github.com/go-ldap/ldap/v3"
 	"github.com/minio/minio/internal/auth"
 	"github.com/minio/minio/internal/config"
+	"github.com/minio/minio/internal/logger"
 	"github.com/minio/pkg/env"
 )
 
@@ -553,6 +554,7 @@ func Lookup(kvs config.KVS, rootCAs *x509.CertPool) (l Config, err error) {
 	l.ServerAddr = ldapServer
 	l.stsExpiryDuration = defaultLDAPExpiry
 	if v := env.Get(EnvSTSExpiry, kvs.Get(STSExpiry)); v != "" {
+		logger.Info("DEPRECATION WARNING: Support for configuring the default LDAP credentials expiry duration will be removed in a future release. Please use the `DurationSeconds` parameter in the LDAP STS API instead.")
 		expDur, err := time.ParseDuration(v)
 		if err != nil {
 			return l, errors.New("LDAP expiry time err:" + err.Error())
diff --git a/internal/config/identity/ldap/help.go b/internal/config/identity/ldap/help.go
index ecf55e34b..040943e78 100644
--- a/internal/config/identity/ldap/help.go
+++ b/internal/config/identity/ldap/help.go
@@ -30,7 +30,7 @@ var (
 		},
 		config.HelpKV{
 			Key:         STSExpiry,
-			Description: `temporary credentials validity duration in s,m,h,d. Default is "1h"`,
+			Description: `[DEPRECATED] temporary credentials validity duration in s,m,h,d. Default is "1h"`,
 			Optional:    true,
 			Type:        "duration",
 		},
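Review bot: The deprecation warning is emitted inside `Lookup` every time the LDAP configuration is resolved with `EnvSTSExpiry`/`STSExpiry` set, not once at startup; if Lookup runs on each configuration reload (not visible here) the same line repeats in the logs, and a package-level `sync.Once` around the `logger.Info` call would limit it to a single warning. The long message literal would also read better as a named package-level const next to the other key definitions. Because control of credential lifetime moves from operator configuration to the client's `DurationSeconds` request, it is worth confirming that the STS handler still caps that value server-side once this knob goes away; that code is outside this diff. `Lookup` starts and ends outside the hunk.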
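Review bot: The new description marks the key as deprecated but does not say what replaces it, whereas the warning added to config.go in the same commit points operators at `DurationSeconds`. Suggest extending the text to `[DEPRECATED] temporary credentials validity duration in s,m,h,d. Default is "1h". Use the DurationSeconds parameter of the LDAP STS API instead` so the help output carries the migration path too. The enclosing `var (` block starts and ends outside the hunk.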