Configuring LDAP Authentication (FreeIPA) in Vaultwarden (Bitwarden_RS)

vaultwarden-ldap – simple LDAP connector for Vaultwarden

The previous article covered the installation of the Vaultwarden password manager (Bitwarden_RS)

Switch to user Vaultwarden

                      
                        $ sudo su - vaultwarden
                      
                    

Download the ldap authorization module for Vaultwarden from the repository and install it

                      
                        $ wget https://github.com/ViViDboarder/vaultwarden_ldap/archive/refs/tags/v0.4.0.tar.gz
$ tar xzvf v0.4.0.tar.gz
$ cd vaultwarden_ldap-0.4.0/
$ cargo new --bin vaultwarden_ldap
$ cargo build --locked --release
                      
                    

Copying the config

                      
                        $ cp /opt/vaultwarden/vaultwarden_ldap-0.4.0/example.config.toml /opt/vaultwarden/vaultwarden_ldap-0.4.0/target/release/config.toml
                      
                    

Switch to sudo-user

                      
                        $ exit
                      
                    

Editing the config for vaultwarden_ldap

                      
                        $ sudo nano /opt/vaultwarden/vaultwarden_ldap-0.4.0/target/release/config.toml
vaultwarden_url = "https://vault.itdraft.ru"
vaultwarden_admin_token = "Q8rKXS3l6jmUYrcJGlwueZhiiIZWteGMVZe7Db/qFe0nQ68C5P5H4Bdi/1AMv4xU"
ldap_host = "192.168.11.201"
ldap_bind_dn = "uid=myuser,cn=users,cn=accounts,dc=example,dc=local"
ldap_bind_password = "mupass"
ldap_search_base_dn = "cn=users,cn=accounts,dc=example,dc=local"
ldap_search_filter = "(&(objectClass=posixAccount)(memberOf=cn=vaultwarden,cn=groups,cn=accounts,dc=example,dc=local))"
ldap_sync_interval_seconds = 10
                      
                    

This config indicates that users from the vaultwarden group will have access to the Vaultwarden (an email will be sent to them when the service starts)

Create Systemd Unit

                      
                        $ sudo nano /etc/systemd/system/vaultwarden-ldap.service

[Unit]
Description=Bitwarden LDAP (Rust Edition)
Documentation=https://github.com/ViViDboarder/vaultwarden_ldap

After=network.target mariadb.service
Requires=vaultwarden.service

[Service]
# The user/group bitwarden_rs is run under. the working directory (see below) should allow write and read access to this user/group
User=vaultwarden
Group=vaultwarden
# The location of the .env file for configuration
EnvironmentFile=/opt/vaultwarden/vaultwarden_ldap-0.4.0/target/release/config.toml
# The location of the compiled binary
ExecStart=/opt/vaultwarden/vaultwarden_ldap-0.4.0/target/release/vaultwarden_ldap
# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
WorkingDirectory=/opt/vaultwarden/vaultwarden_ldap-0.4.0/target/release/
ReadWriteDirectories=/opt/vaultwarden/vaultwarden_ldap-0.4.0/target/release/

[Install]
WantedBy=multi-user.target
                      
                    

We start the service, check the status

                      
                        $ sudo systemctl daemon-reload
$ sudo systemctl enable vaultwarden-ldap --now
$ sudo systemctl status vaultwarden-ldap