Disable users that vanished from LDAP #71
This should be possible with the admin API. I think that if it were to be implemented, it would need to default to off, because otherwise people who also add users via other means would find their accounts disabled. I'd accept a PR for this if someone wants to implement it, but I've got a lot on my plate and won't be writing it myself any time soon.

I thought about the same thing yesterday. Here are two things I came up with. B) Have "obsolete" or "overflow" users (those in VW but not in LDAP) be listed in the admin portal, as you mentioned. I think A) is much easier and faster to implement; I can try looking at it, but since I am new to Rust, it may take a while. But since it is what I need, I could try. Are you interested in such a feature?

Maybe there should be a status indicating whether a user was created manually or by vaultwarden_ldap. Then a user is removed/disabled only if it is missing from LDAP and was created automatically. The A) feature seems interesting.

I am not sure how this indicator would work, since I think all we have in VW is the email address and no information about LDAP, correct?

Yes. Something like A is what I was expecting, which allows you to opt into disabling users. Any other implementation where a value gets stored with a user to indicate their source would not be possible without an upstream change to Vaultwarden. I'm not sure that it would be accepted there either, since they generally try to adhere to the Bitwarden APIs as much as possible.

I think the only way to do it without messing up Vaultwarden is to keep track of the users in persistent storage (SQLite/Postgres or something). That would add a whole new layer to this project, and I am not sure it can be handled without too much hassle. Plus, I don't have experience with Rust modules for that, but the storage/SQL part is not that hard.

Just for the sake of sanity, the LDAP-created accounts should be marked "VaultwardenLDAP" via the already existing external identifier when created by vaultwarden_ldap. That way, when disabling an AD account, it would only disable the corresponding vaultwarden_ldap account if it has the "VaultwardenLDAP" identifier set.
vaultwarden_ldap should be able to detect users that have been removed or disabled in LDAP and then disable the account on Vaultwarden.
There should be a setting to enable this or not.
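As an added example (not code from vaultwarden_ldap or from anyone in this thread), here is the reconciliation step the thread describes, in Rust: compute the Vaultwarden accounts that are missing from the LDAP result, restrict the action to accounts carrying the "VaultwardenLDAP" external identifier proposed above, and keep the whole thing behind an opt-in setting so it is off by default. The `VwUser` field set, the `SyncConfig` names and the sample users are assumptions of this example, not the Vaultwarden admin API schema. It also adds a guard the thread does not mention: when the LDAP search returns no entries at all, nothing is disabled, because an LDAP outage or a mistyped filter would otherwise disable every synced user in one run.

```rust
use std::collections::HashSet;

/// Marker assumed to be stored in the user's external identifier when
/// vaultwarden_ldap creates the account (name taken from the discussion above;
/// the field and its contents are an assumption of this example).
pub const LDAP_MARKER: &str = "VaultwardenLDAP";

/// A Vaultwarden user as this example assumes the admin API would report it.
/// The field set is an assumption, not the real API schema.
#[derive(Debug, Clone, PartialEq)]
pub struct VwUser {
    pub email: String,
    pub external_id: Option<String>,
    pub enabled: bool,
}

/// Sync settings. Both defaults are the conservative choice.
#[derive(Debug, Clone)]
pub struct SyncConfig {
    /// Opt-in switch: nothing is ever disabled while this is false.
    pub disable_missing: bool,
    /// Refuse to disable anyone when the LDAP search returned no entries,
    /// so an outage, a bad base DN or a bad filter cannot lock everyone out.
    pub refuse_on_empty_ldap: bool,
}

impl Default for SyncConfig {
    fn default() -> Self {
        SyncConfig { disable_missing: false, refuse_on_empty_ldap: true }
    }
}

/// Emails are compared case-insensitively and without surrounding whitespace,
/// since LDAP and Vaultwarden may store them with different casing.
fn norm(email: &str) -> String {
    email.trim().to_ascii_lowercase()
}

/// Return the emails of Vaultwarden accounts to disable: those that are
/// currently enabled, carry the LDAP marker, and are absent from `ldap_emails`.
/// Manually created accounts (no marker) are never touched. Input order is kept.
pub fn users_to_disable(vw_users: &[VwUser], ldap_emails: &[&str], cfg: &SyncConfig) -> Vec<String> {
    if !cfg.disable_missing {
        return Vec::new();
    }
    if cfg.refuse_on_empty_ldap && ldap_emails.is_empty() {
        return Vec::new();
    }
    let present: HashSet<String> = ldap_emails.iter().map(|e| norm(e)).collect();
    vw_users
        .iter()
        .filter(|u| u.enabled)
        .filter(|u| u.external_id.as_deref() == Some(LDAP_MARKER))
        .filter(|u| !present.contains(&norm(&u.email)))
        .map(|u| u.email.clone())
        .collect()
}

fn user(email: &str, external_id: Option<&str>, enabled: bool) -> VwUser {
    VwUser {
        email: email.to_string(),
        external_id: external_id.map(|s| s.to_string()),
        enabled,
    }
}

/// Constructed sample data: what a Vaultwarden instance might contain.
pub fn sample_vw_users() -> Vec<VwUser> {
    vec![
        user("alice@example.com", Some(LDAP_MARKER), true), // still in LDAP
        user("Bob@Example.com", Some(LDAP_MARKER), true),   // in LDAP, different casing
        user("carol@example.com", Some(LDAP_MARKER), true), // gone from LDAP: disable
        user("dave@example.com", None, true),               // created by hand: never touch
        user("erin@example.com", Some(LDAP_MARKER), false), // already disabled: nothing to do
    ]
}

/// Constructed sample data: the mail attribute of every entry the LDAP search returned.
pub fn sample_ldap_emails() -> Vec<&'static str> {
    vec!["alice@example.com", "bob@example.com"]
}

fn main() {
    let cfg = SyncConfig { disable_missing: true, ..SyncConfig::default() };
    for email in users_to_disable(&sample_vw_users(), &sample_ldap_emails(), &cfg) {
        // A real implementation would call the admin API here; this example
        // only reports the decision.
        println!("would disable {}", email);
    }
}
```

With the sample data only carol is selected: alice and Bob are still in LDAP (the casing difference is normalised away), dave has no marker and so is treated as manually created, and erin is already disabled. The empty-result guard is the check worth keeping whatever the rest of the design looks like, since a disable pass that runs unattended on a schedule will eventually see a failed or empty LDAP search.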