vaultwarden-ldap – simple LDAP connector for Vaultwarden
The previous article covered the installation of the Vaultwarden password manager (Bitwarden_RS)
Switch to user Vaultwarden
$ sudo su - vaultwarden
Download the ldap authorization module for Vaultwarden from the repository and install it
$ wget https://github.com/ViViDboarder/vaultwarden_ldap/archive/refs/tags/v0.4.0.tar.gz
$ tar xzvf v0.4.0.tar.gz
$ cd vaultwarden_ldap-0.4.0/
$ cargo new --bin vaultwarden_ldap
$ cargo build --locked --release
Copying the config
$ cp /opt/vaultwarden/vaultwarden_ldap-0.4.0/example.config.toml /opt/vaultwarden/vaultwarden_ldap-0.4.0/target/release/config.toml
Switch to sudo-user
$ exit
Editing the config for vaultwarden_ldap
$ sudo nano /opt/vaultwarden/vaultwarden_ldap-0.4.0/target/release/config.toml
vaultwarden_url = "https://vault.itdraft.ru"
vaultwarden_admin_token = "Q8rKXS3l6jmUYrcJGlwueZhiiIZWteGMVZe7Db/qFe0nQ68C5P5H4Bdi/1AMv4xU"
ldap_host = "192.168.11.201"
ldap_bind_dn = "uid=myuser,cn=users,cn=accounts,dc=example,dc=local"
ldap_bind_password = "mupass"
ldap_search_base_dn = "cn=users,cn=accounts,dc=example,dc=local"
ldap_search_filter = "(&(objectClass=posixAccount)(memberOf=cn=vaultwarden,cn=groups,cn=accounts,dc=example,dc=local))"
ldap_sync_interval_seconds = 10
This config indicates that users from the vaultwarden group will have access to the Vaultwarden (an email will be sent to them when the service starts)
Create Systemd Unit
$ sudo nano /etc/systemd/system/vaultwarden-ldap.service
[Unit]
Description=Bitwarden LDAP (Rust Edition)
Documentation=https://github.com/ViViDboarder/vaultwarden_ldap
After=network.target mariadb.service
Requires=vaultwarden.service
[Service]
# The user/group bitwarden_rs is run under. the working directory (see below) should allow write and read access to this user/group
User=vaultwarden
Group=vaultwarden
# The location of the .env file for configuration
EnvironmentFile=/opt/vaultwarden/vaultwarden_ldap-0.4.0/target/release/config.toml
# The location of the compiled binary
ExecStart=/opt/vaultwarden/vaultwarden_ldap-0.4.0/target/release/vaultwarden_ldap
# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
WorkingDirectory=/opt/vaultwarden/vaultwarden_ldap-0.4.0/target/release/
ReadWriteDirectories=/opt/vaultwarden/vaultwarden_ldap-0.4.0/target/release/
[Install]
WantedBy=multi-user.target
We start the service, check the status
$ sudo systemctl daemon-reload
$ sudo systemctl enable vaultwarden-ldap --now
$ sudo systemctl status vaultwarden-ldap