Improvements to the LDAP Directory Connector support

Hi Vaultwarden Community

We are currently in the process of implementing Vaultwarden as Password Manager at our small company. In doing so we stumbled upon some issues and missing features in the LDAP Directory Connector (the official one from Bitwarden).

As we absolutely need this feature we are looking into ways to contribute this improvements to Vaultwarden. We currently have a Rust Developer at hand claiming being able to do the job. Now we have the following questions/requests to the community:

  • Would such improvements be accepted (quality code provided)?
  • Would a core developer be willing and able to support our developer “to get it right the first time”? Looking at @dani @BlackDex
  • Is there any other Vaultwarden users willing to share the cost and chip in some money? (You can send me a direct message)

Our requirements are:

Any inputs and suggestions are welcome!

1 Like

Would using an older version of the directory connector work?
v2.9.2 is a version which works with Vaultwarden.

The difficulty we had with the proposed version is that it does not have the possibility to create users. These would have to be created first in the Vaultwarden so that a sync can happen afterwards.

If I’m correct it should be able to invite users to an organization.
And an invite does mean creating an account for those users.

So, i think it should work, but not sure from the top of my head right now.

You could also checkout GitHub - ViViDboarder/vaultwarden_ldap: LDAP directory connector for vaultwarden
It has a docker container also Docker Hub

We would like to have a sustainable solution and would therefor prefer to use the latest version of the official Directory Connector. Is there something speaking against that? Would you support the proposed improvements?

There is nothing against that.
I was merely looking for a current workable solutions.

Since the newer versions of the Directory Connector need to use a Organizational API Token, that needs to be build and tested. I also do not know if there are any other changes done regarding the newer versions of the Directory Connector. And that would mean extensive testing.

As you asked in your FP, both me and @dani are glad to give pointers on a PR (which can be in WIP state for example). As I, and probably @dani also do not have that much spare time, it could take some time. I even didn’t had the time yet to properly check the SSO PR which is a WIP also for a while.

That’s great, thanks! We were not able to get a working solution with the currently available tools. As far as I understood the creation of new users from LDAP is not possible/supported.

I’m glad you would be ready to help. I understand that you time is limited. Let’s see if there are any other users willing to chip in some coins to share the burden.

If you can give us an approximation of expected time you would need to implement these features it would help us to better estimate the cost.

A question came up regarding SSO and directory connector… Would SSO create the users on the Vaultwarden Instance if they don’t exist and assign them to one (or more) organizations?

I actually have no clue. I didn’t checked how this process works.

hi guys, working with @Pascal to bring vaultwarden into prod. :slight_smile: just a few thought as I’m new to the vaultwarden ecosystem.

Using Directory Connector >= v2.9.3 needs Vaultwarden to support organization generated API-Keys

How complex do you think is it to make Vaultwarden Supporting these king of Keys?

LDAP as Backend

Quite some History here already: [WIP] Simple LDAP sync by ViViDboarder · Pull Request #396 · dani-garcia/vaultwarden · GitHub

What Would be the current best practise suggestion if somebody has a Microsoft ActiveDirectory with a few Users, which all shall be able to use a Vaultwarden Instance.
Just using vaultwarden_ldap as described in Syncing users from LDAP · dani-garcia/vaultwarden Wiki · GitHub to sync(aka. invite via Admin API) and then everybody has his own account (with own master-pw) on vaultwarden.

What benefit would the DirectoryConnector (existing or the latest) bring in this case exactly (removing / updating Users?)

I have no clue how complex that is going to be. I would need to see how the current implementation works and do some testing. It probably means changing the database etc…

Also, I’m not sure if there is already work done on this at the SSO PR’s currently open.

1 Like

It doesn’t matter if you use the Directory Connector or the ldap implementation from @ViViDBoarder or the not yet merged SSO PR’s.
All users still need to provide a master password not linked to there AD/LDAP accounts.

I think they are working on this, or maybe it now is somehow possible via SSO, but i honestly have not looked into this part at all my self (yet).

1 Like

I’m currently looking at the Organization API Token.
It shouldn’t be that hard i think.

But there are some bigger changes which need to be done to get this working.

1 Like

Small update, yesterday i was able to at least generate and rotate an API Key for an organization.
Also a check for login is working.

The only thing i still need to do and figure out is how to securely configure and verify the claim/jwt, and on which endpoints it needs to be active. Since currently only users were able to access the API’s and no other way of validation is done.

@severin if i have some time i will commit my code to my repo tomorrow. If you want feel free to help.

1 Like

@severin see GitHub - BlackDex/vaultwarden at org-api-key

1 Like

@severin Just a small update.
I have the login working, including the sending of the token.
It also looks like the new version of the directory connector is using the public API’s, which Vaultwarden doesn’t support at all currently.

For example, adding users works via an import endpoint, not available at all.
So those are the items which needs to be added. And probably some special Header checks to allow the token to access those endpoints.

Hi @BlackDex awesome, thanks for your response. I’ll have a look at it and give you some feedback.
As Rails Developer I’m not that familiar with the rocket framework.