ViViDboarder / vaultwarden_ldap

Automate LDAP invites to Vaultwarden
GNU General Public License v3.0

Problems with case matching and user organizations #8

Closed j-mikhail closed 4 years ago

j-mikhail commented 4 years ago

Hi @ViViDboarder, thanks for taking the time to develop this tool. I managed to get it up and running, but I'm having some odd errors I'm hoping you can help me with. I have the LDAP filters such that only a single user should match for testing purposes, and that is working.

The first time it ran, I got the following log output (redacted for identities):

Existing user or invite found with email: user.one@domain.com
Existing user or invite found with email: user.two@domain.com
Existing user or invite found with email: user.three@domain.com
Try to invite user: User.Four2@domain.com
Sent invites to 1 user(s).

Which is working great so far. The user received their invitation, and I see the user in bitwarden_rs's admin panel. However, the user is not associated with any current organizations in our setup, so my first question is: is there a way to specify which organizations new users should be associated with?

Then, on the next cycle I saw:

Existing user or invite found with email: user.one@domain.com
Existing user or invite found with email: user.two@domain.com
Existing user or invite found with email: user.three@domain.com
Existing user or invite found with email: user.four2@domain.com
Try to invite user: User.Four2@domain.com
Sent invites to 1 user(s).

I note that it's trying to reinvite the same user. I wonder if it isn't because our AD server returns the email address with capital letters in it, and that the matching is being done on a case sensitive level? I note the following in bitwarden_rs's logs seem to reflect the error in attempting to duplicate an existing user:

[2020-03-05 15:15:28][request][INFO] GET /admin/users
[2020-03-05 15:15:28][response][INFO] GET /admin/users (get_users) => 200 OK
[2020-03-05 15:15:28][request][INFO] POST /admin/invite
[2020-03-05 15:15:28][error][ERROR] User already exists
[2020-03-05 15:15:28][response][INFO] POST /admin/invite (invite_user) => 400 Bad Request

So my second question is: is there a way to fix the case sensitivity of the matching?

Thanks!

ViViDboarder commented 4 years ago

The case matching should be easily fixable. Good catch.

The org invite is not possible with the current version of the admin API. There is an open item to expand the admin API such that the upstream directory connector is supported. That would be ideal.

ViViDboarder commented 4 years ago

Just pushed a PR to fix it. Not sure if you're familiar with Rust, but you can give it a look before I merge it and bump the version to trigger a new build.

j-mikhail commented 4 years ago

Thanks Ian, I appreciate your efforts! I'm not too familiar with Rust I'm afraid, but I'm happy to test out your changes once you merge.

ViViDboarder commented 4 years ago

No worries. I just merged it. I tested locally.
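
The case-sensitivity problem discussed in this thread, as an added example that is not code from vaultwarden_ldap or from the fix PR: a case-sensitive set lookup re-invites `User.Four2@domain.com` on every cycle, while comparing normalised addresses does not. The function names and sample addresses are constructed for illustration, and lowercasing the whole address assumes the server treats emails case-insensitively, as the "User already exists" response in the logs suggests.

```rust
use std::collections::HashSet;

/// Normalise an address for comparison (assumption: the server matches
/// emails case-insensitively, so trimming and lowercasing is safe).
fn normalize(email: &str) -> String {
    email.trim().to_lowercase()
}

/// Case-sensitive comparison: the behaviour described in the issue.
fn pending_invites_case_sensitive(existing: &[&str], ldap: &[&str]) -> Vec<String> {
    let known: HashSet<&str> = existing.iter().copied().collect();
    ldap.iter()
        .filter(|e| !known.contains(*e))
        .map(|e| e.to_string())
        .collect()
}

/// Normalised comparison. Also collapses directory entries that differ
/// only in case, so one cycle never invites the same mailbox twice.
fn pending_invites_normalized(existing: &[&str], ldap: &[&str]) -> Vec<String> {
    let mut seen: HashSet<String> = existing.iter().map(|e| normalize(e)).collect();
    let mut invites = Vec::new();
    for email in ldap {
        let key = normalize(email);
        if key.is_empty() {
            continue; // skip directory entries with no usable mail attribute
        }
        // `insert` returns false when the key is already known or queued.
        if seen.insert(key.clone()) {
            invites.push(key);
        }
    }
    invites
}

fn main() {
    // Constructed sample data modelled on the redacted log lines above.
    let existing = ["user.one@domain.com", "user.four2@domain.com"];
    let ldap = [
        "user.one@domain.com",
        "User.Four2@domain.com",
        "New.User@domain.com",
        "new.user@DOMAIN.com",
    ];
    println!("case-sensitive: {:?}", pending_invites_case_sensitive(&existing, &ldap));
    println!("normalised:     {:?}", pending_invites_normalized(&existing, &ldap));
}
```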