Configuring LDAP Authentication (FreeIPA) in Vaultwarden (Bitwarden_RS)

vaultwarden-ldap – simple LDAP connector for Vaultwarden

The previous article covered the installation of the Vaultwarden password manager (Bitwarden_RS)

Switch to user Vaultwarden

$ sudo su - vaultwarden

Download the ldap authorization module for Vaultwarden from the repository and install it

$ wget https://github.com/ViViDboarder/vaultwarden_ldap/archive/refs/tags/v0.4.0.tar.gz
$ tar xzvf v0.4.0.tar.gz
$ cd vaultwarden_ldap-0.4.0/
$ cargo new --bin vaultwarden_ldap
$ cargo build --locked --release

Copying the config

$ cp /opt/vaultwarden/vaultwarden_ldap-0.4.0/example.config.toml /opt/vaultwarden/vaultwarden_ldap-0.4.0/target/release/config.toml

Switch to sudo-user

$ exit

Editing the config for vaultwarden_ldap

$ sudo nano /opt/vaultwarden/vaultwarden_ldap-0.4.0/target/release/config.toml
vaultwarden_url = "https://vault.itdraft.ru"
vaultwarden_admin_token = "Q8rKXS3l6jmUYrcJGlwueZhiiIZWteGMVZe7Db/qFe0nQ68C5P5H4Bdi/1AMv4xU"
ldap_host = "192.168.11.201"
ldap_bind_dn = "uid=myuser,cn=users,cn=accounts,dc=example,dc=local"
ldap_bind_password = "mupass"
ldap_search_base_dn = "cn=users,cn=accounts,dc=example,dc=local"
ldap_search_filter = "(&(objectClass=posixAccount)(memberOf=cn=vaultwarden,cn=groups,cn=accounts,dc=example,dc=local))"
ldap_sync_interval_seconds = 10

This config indicates that users from the vaultwarden group will have access to the Vaultwarden (an email will be sent to them when the service starts)

Create Systemd Unit

$ sudo nano /etc/systemd/system/vaultwarden-ldap.service

[Unit]
Description=Bitwarden LDAP (Rust Edition)
Documentation=https://github.com/ViViDboarder/vaultwarden_ldap

After=network.target mariadb.service
Requires=vaultwarden.service

[Service]
# The user/group bitwarden_rs is run under. the working directory (see below) should allow write and read access to this user/group
User=vaultwarden
Group=vaultwarden
# The location of the .env file for configuration
EnvironmentFile=/opt/vaultwarden/vaultwarden_ldap-0.4.0/target/release/config.toml
# The location of the compiled binary
ExecStart=/opt/vaultwarden/vaultwarden_ldap-0.4.0/target/release/vaultwarden_ldap
# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
WorkingDirectory=/opt/vaultwarden/vaultwarden_ldap-0.4.0/target/release/
ReadWriteDirectories=/opt/vaultwarden/vaultwarden_ldap-0.4.0/target/release/

[Install]
WantedBy=multi-user.target

We start the service, check the status

$ sudo systemctl daemon-reload
$ sudo systemctl enable vaultwarden-ldap --now
$ sudo systemctl status vaultwarden-ldap