Users not allowed to create organizations [solved]

And the struggle to get vaultwarden up and running continues (this is the third day I’m trying to get it to run properly). Now I am not able to create organizations to share my credentials with others. On the webpage I get an error message as well as on the serverside logs:

```
[2024-03-07 17:20:53.022][vaultwarden::api::core::organizations][ERROR] User not allowed to create organizations
[2024-03-07 17:20:53.023][response][INFO] (create_organization) POST /api/organizations => 400 Bad Request
```

I do have the following line in my .env file:


```
ORG_CREATION_USERS=
```

which should allow every user to create organizations? No? What am I doing wrong again?

If you have used the /admin panel to save your configuration (i.e. you have a data/config.json file) the environment variables might be overwritten. Cf.

Can you post the generated support string from the diagnostics page?


Thanks a lot for your response. It is a bright shimmer in the darkness of vaultwarden illiteracy :slight_smile:
So I’ve checked for the config.json and indeed there is an org_create_user entry set. I deleted this line and restarted vaultwarden but the error still persists. Here is a grep through config.json as it is set now:

```
[manoca@vw data]$ cat config.json |grep org
  "invitation_org_name": "Vaultwarden",
[manoca@vw data]$
```

as you can see the only remaining “org” entry is the invitation_org_name (whatever that is). The error on serverside Logfile continues to be:

```
[2024-03-07 22:14:23.326][vaultwarden::api::core::organizations][ERROR] User not allowed to create organizations
[2024-03-07 22:14:23.326][response][INFO] (create_organization) POST /api/organizations => 400 Bad Request
```

as well as the error message at the client (browser) side continues to state:
[image]

Here is the support string from diagnostics page as you asked for:

### Your environment (Generated via diagnostics page)
* Vaultwarden version: v1.30.5
* Web-vault version: v2024.1.2b
* OS/Arch: linux/x86_64
* Running within a container: false (Base: Not applicable)
* Environment settings overridden: true
* Uses a reverse proxy: true
* IP Header check: false (X-Forwarded-For)
* Internet access: true
* Internet access via a proxy: false
* DNS Check: true
* Browser/Server Time Check: false
* Server/NTP Time Check: true
* Domain Configuration Check: true
* HTTPS Check: true
* Database type: SQLite
* Database version: 3.44.0
* Clients used: 
* Reverse proxy and version: 
* Other relevant information: 

### Config (Generated via diagnostics page)
<details><summary>Show Running Config</summary>

**Environment settings which are overridden:** DOMAIN, SIGNUPS_ALLOWED, ADMIN_TOKEN, SMTP_HOST, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME, SMTP_USERNAME, SMTP_PASSWORD, SMTP_TIMEOUT


```json
{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://***************************",
  "domain_origin": "*****://***************************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "****************************",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": false,
  "smtp_from": "***************************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "**********************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": true,
  "smtp_timeout": 15,
  "smtp_username": "***************************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}
```

</details>

I hope it helps to solve this issue as I am really struggling here a bit ;)

edit: I just tried to set the config.json entry to a specific user and it worked! I was able to create an organization with the specific user in config.json as:

```
"org_creation_users": "userNameOfSpecificUser"
```

editedit: also leaving this line with an empty string works. Only when the line gets removed it stops working. So this is also valid:

```
"org_creation_users": ""
```

I guess this solved my issue. Thanks again to @stefan0xC for the hint with the config.json. I would not have thought of looking into that file after supplying the .env entry already!

Since the option was still set even though you have removed the line from your config.json, you might also be using the /var/lib/vaultwarden/.env from the tutorial page you have mentioned in the other thread (could also be the other way round if you have configured your vaultwarden via OpenRC - not familiar enough with this init system though so not sure if this is possible / if not, you might have configured the environment variables somewhere else on your system).

I do have an .env file at /var/lib/vaultwarden. This is the file where I initially put the ORG_CREATION_USER= string. But I think the error here was simply human misbehaviour. After waiting for three days for me to complete the setup one of my testers was very eager to start testing the application. I talked to him yesterday and he confirmed that he saved the webform from /admin while I was struggling with the setup. So I guess it happened as follows:

  • vaultwarden started up with the correct entry from my .env file. My test user immediately saves the web form with a wrong entry there (as you can set the org creating user there as well). I try to create groups and run into this error as the wrong entry was made by ourselves in the config.json via the web interface.
    Long story short: it is working flawlessly now. Only question remaining: how should I punish my ultra eager tester :smiley: ?
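
The precedence problem diagnosed in this thread (a `data/config.json` saved from `/admin` overriding the `.env` file), as an added example that is not part of the original posts and is not Vaultwarden's own code: it lists the keys set in both files and evaluates who may create organizations under the effective value. The sample file contents and e-mail addresses are constructed, and the `all` / `none` / comma-separated-list meaning of `ORG_CREATION_USERS` is an assumption based on Vaultwarden's `.env` template.

```python
import json

# Constructed sample inputs (not taken from the thread).
SAMPLE_ENV = """\
# /var/lib/vaultwarden/.env
DOMAIN=https://vault.example.com
ORG_CREATION_USERS=
"""
SAMPLE_CONFIG = json.dumps({
    "invitation_org_name": "Vaultwarden",
    "org_creation_users": "tester@example.com",  # saved via /admin
})

def parse_env(text):
    """Parse KEY=VALUE lines of a .env file, skipping blanks and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env

def find_overrides(env_text, config_text):
    """Map each env key that config.json also sets to (env_value, saved_value)."""
    saved = json.loads(config_text)
    return {key: (value, saved[key.lower()])
            for key, value in parse_env(env_text).items()
            if key.lower() in saved}

def effective_value(key, env_text, config_text):
    """config.json wins over the environment when it contains the key."""
    saved = json.loads(config_text)
    return saved.get(key.lower(), parse_env(env_text).get(key))

def org_creation_allowed(setting, email):
    """Assumed semantics: ''/'all' = everyone, 'none' = nobody, else a list."""
    setting = (setting or "").strip()
    if setting in ("", "all"):
        return True
    if setting == "none":
        return False
    return email.lower() in {u.strip().lower() for u in setting.split(",")}

if __name__ == "__main__":
    for key, (env_v, saved_v) in find_overrides(SAMPLE_ENV, SAMPLE_CONFIG).items():
        print(f"{key}: .env={env_v!r} is overridden by config.json={saved_v!r}")
    eff = effective_value("ORG_CREATION_USERS", SAMPLE_ENV, SAMPLE_CONFIG)
    print("admin@example.com may create orgs:", org_creation_allowed(eff, "admin@example.com"))
```

Running the same comparison against the real `.env` and `data/config.json` after any change in `/admin` shows which file a setting is actually coming from.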