* chore: use ubuntu image to reduce image size * fix(lint): hadolint issues
LDAP user invites for vaultwarden
After configuring, run
vaultwarden_ldap and it will invite any users it finds in LDAP to your
vaultwarden instance. This is NOT a sync tool like the Bitwarden Directory Connector.
This is easiest done using Docker. See the
docker-compose.yml file in this repo for an example. If you would like to use Docker Hub rather than building, change
build: . to
Make sure to populate and mount your
Configuration is read from a TOML file. The default location is
config.toml, but this can be configured by setting the
CONFIG_PATH env variable to whatever path you would like.
Configuration values are as follows:
|The root URL for accessing
|The value passed as
|Path to an additional der-encoded root certificate to trust. Eg.
root.cert. If using Docker see
docker-compose.yml for how to expose it. Defaults to
|The hostname or IP address for your ldap server
|The that should be used to connect.
ldaps. This is set by default based on SSL settings
|Indicates if SSL should be used and if we should connect with
ldaps. Defaults to
|Indicates if the connection should be done using StartTLS
|Indicates if certificate should be verified when using SSL. Defaults to
|Port used to connect to the LDAP server. This will default to 389 or 636, depending on your SSL settings
|The dn for the bind user that will connect to LDAP. Eg.
|The password for the provided bind user.
|Base dn that will be used when searching LDAP for users. Eg.
|Filter used when searching LDAP for users. Eg.
|Field for each user record that contains the email address to use. Defaults to
|Number of seconds to wait between each LDAP request. Defaults to
|Indicates whether or not syncing should be polled in a loop or done once. Defaults to
Alternatively, instead of using
config.toml, all values can be provided using enviroment variables prefixed with
APP_. For example:
This repo has a predefined set of pre-commit rules. You can install pre-commit via any means you'd like. Once your system has
pre-commit installed, you can run
make install-hooks to ensure the hooks will run with every commit. You can also force running all hooks with
For those less familiar with
cargo, you can use the
make targets that have been included for common tasks like running a debug version.
make run-debug or building a release version
There are no unit tests, but there are integration tests that require manual verification.
make itest will spin up an ldap server with a test user, a Vaultwarden server, and then run the sync. If successful the log should show an invitation sent to the test user. If you run
make itest again, it should show no invites sent because the user already has been invited. If you'd like to reset the testing,
make clean-itest will clear out the Vaultwarden database and start fresh.
It's also possible to test passing configs via enviornment variables by running
make itest-env. The validation steps are the same.
Steps for manual testing
The first step is to set up Bitwarden and the LDAP server.
docker-compose up -d vaultwarden ldap ldap_admin
After that, open the admin portal on http://localhost:8001 and log in using the default account info:
Username: cn=admin,dc=example,dc=org Password: admin
From there you can set up your test group and users.
dc=example,dc=orgnav tree and select "Create new entry here"
Select "Generic: Posix Group"
Give it a name, eg. "Users" and then save and commit
Select "Create child object"
Select "Generic: User Account"
Give the user a name and select a group ID number and save and commit
Select "Add new attribute" and select "Email" and then add a test email address
Run the ldap sync
docker-compose up ldap_sync
Alternately, you can bootstrap some of this by running:
docker-compose -f docker-compose.yml -f itest/docker-compose.itest.yml up --build