
Support for reg-exp or prefix/suffix for LDAP "mail" field data

Open systemofapwne opened this issue 2 years ago • 2 comments

It would be very handy to manipulate the data in the mail-field which is requested from the LDAP backend.

In order to mainstream my setup, I do not want to use the actual "mail" field (which can be anything - even empty) but a "mail-address" which is derived from the users common name (CN): "CN=klaus" becomes a mail like "[email protected]".

Switching "ldap_mail_field" to CN already does half the job. But since this is now only the CN and not a valid mail address, an invited user cannot register at the vault. A solution would be to simply append some string like "@domain.tld" to the value of the CN field after querying it from LDAP and before pushing this to the vaultwarden backend, e.g. with a simple prefix/suffix solution or full-blown reg-exp magic. Hence the request.

systemofapwne avatar Jan 10 '22 21:01 systemofapwne

Thanks. I can't help but think that a preferred solution would be to fix the upstream data and put an actual email address in the/an email field. This could be done with a similar batch that reads your ldap records, constructs email addresses, and then writes them.

Building a regexp feature into the ldap sync is not something that I'm opposed to, but something that adds additional complexity.

ViViDboarder avatar Jan 20 '22 20:01 ViViDboarder

Using the E-Mail field of the LDAP upstream is unfortunately not a solution for me, since I want users on my services to have a unique user-naming convention like [email protected] while the mail in the LDAP field can contain even foreign mails for guests. Yet, their bitwarden login name should be @mytld.com - preferably even without the @mytld.com, but that is unfortunately not supported by Bitwarden/Vaultwarden by design.

Another way would have been to extend the scheme on my ActiveDirectory to support custom fields and sync that to the username, as you suggested. But that is a bit of overkill TBH.

I found an intermediate solution, which does the job: As of right now, I am running OpenResty as an intermediate proxy between vaultwarden_ldap and vaultwarden which modifies the HTTP request body between the REST API calls to rewrite the username in both directions (adds the TLD towards vaultwarden and strips it towards vaultwarden_ldap).

As I agree on the complexity argument for regexp, the simplest solution would be to allow prefix/suffix extension.

systemofapwne avatar Jan 21 '22 07:01 systemofapwne
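To make the prefix/suffix and reg-exp variants discussed in this thread concrete, here is an added Python sketch of what such a derivation step would look like, written for this page and not taken from vaultwarden_ldap (which is a Rust project). It assumes LDAP entries arrive as dicts of attribute lists (the shape python-ldap returns); the entries, the `example.com` domain and the function names are constructed for the example. The point a sync would need beyond the plain string join is the checking: an empty or malformed attribute must skip the user rather than produce an invite to a broken address, and two directory entries that collapse to the same login after normalisation must be refused, since that would map two LDAP users onto one vault account.

```python
import re

# Conservative shape check for the derived login: one local part, one dotted
# domain. Constructed for this example; it is not a full RFC 5322 validator.
_ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def derive_login(entry, field="cn", prefix="", suffix="", pattern=None, replacement=None):
    """Derive a vault login from one LDAP entry (hypothetical helper).

    Prefix/suffix mode: login = prefix + value + suffix.
    Regex mode (pattern + replacement given): the pattern must match the
    whole value, and the replacement template is expanded from that match.
    Returns None when no valid address can be produced."""
    values = entry.get(field) or []
    if isinstance(values, str):
        values = [values]
    if not values:
        return None  # attribute absent or empty (the "mail can be empty" case)
    raw = values[0].strip()
    if not raw:
        return None

    if pattern is not None:
        match = re.compile(pattern).fullmatch(raw)
        if match is None:
            return None  # do not silently pass an unmatched value through
        # expand() on the single full match avoids re.sub's extra empty-match
        # substitutions at the end of the string
        login = match.expand(replacement)
    else:
        login = f"{prefix}{raw}{suffix}"

    login = login.lower()  # normalise so "Klaus" and "klaus" collide visibly
    if not _ADDRESS_RE.match(login):
        return None  # e.g. spaces in the CN, or a value that already held "@"
    return login


def derive_logins(entries, **options):
    """Run derive_login over a directory listing.

    Returns (accepted, rejected): accepted maps login -> DN, rejected is a
    list of (DN, reason). Duplicates are rejected rather than overwritten."""
    accepted = {}
    rejected = []
    for entry in entries:
        dn = entry.get("dn", "<no dn>")
        login = derive_login(entry, **options)
        if login is None:
            rejected.append((dn, "no usable value in field"))
        elif login in accepted:
            rejected.append((dn, f"duplicate login, already used by {accepted[login]}"))
        else:
            accepted[login] = dn
    return accepted, rejected


# Constructed sample directory: one clean user, one CN with a space, one CN
# that collides after lowercasing, and one entry with an empty CN.
SAMPLE_ENTRIES = [
    {"dn": "CN=klaus,OU=Staff,DC=example,DC=com", "cn": ["klaus"], "mail": ["klaus@example.com"]},
    {"dn": "CN=Guest Anna,OU=Guests,DC=example,DC=com", "cn": ["Guest Anna"], "mail": []},
    {"dn": "CN=KLAUS,OU=Legacy,DC=example,DC=com", "cn": ["KLAUS"], "mail": ["k.other@example.org"]},
    {"dn": "CN=bob,OU=Staff,DC=example,DC=com", "cn": [], "mail": ["bob@example.com"]},
]


if __name__ == "__main__":
    ok, bad = derive_logins(SAMPLE_ENTRIES, suffix="@example.com")
    for login, dn in ok.items():
        print(f"accepted {login:30} <- {dn}")
    for dn, reason in bad:
        print(f"rejected {dn}: {reason}")
```

With `suffix="@example.com"` the run above accepts only `klaus@example.com` and rejects the other three entries, each with its reason; the same listing run in regex mode with `pattern=r"(?i)([a-z0-9.]+)"` and `replacement=r"\1@example.com"` gives the same result, because the full-match requirement rejects the CN containing a space just as the shape check does.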