Org member duplication after email change

[mightyBroccoli]

Vaultwarden Support String

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.32.1
• Web-vault version: v2024.6.2c
• OS/Arch: linux/x86_64
• Running within a container: false (Base: Not applicable)
• Environment settings overridden: false
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Database type: MySQL
• Database version: 10.11.6-MariaDB-0+deb12u1
• Clients used:
• Reverse proxy and version:
• Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

**Environment settings which are overridden:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "cid:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_iframe_ancestors": "", "attachments_folder": "/var/lib/vaultwarden/data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "/var/lib/vaultwarden/data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "*****://**********************************************************************************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://**********************", "domain_origin": "*****://**********************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": false, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": 180, "experimental_client_feature_flags": "fido2-vault-credentials", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "/var/lib/vaultwarden/data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 168, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": "/var/log/vaultwarden/vaultwarden.log", "log_level": "warn", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "****", "org_events_enabled": true, "org_groups_enabled": true, "password_hints_allowed": true, "password_iterations": 600000, "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "/var/lib/vaultwarden/data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "/var/lib/vaultwarden/data/sends", "show_password_hint": false, "signups_allowed": true, "signups_domains_whitelist": "****************", "signups_verify": true, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": true, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "************************************", "smtp_from_name": "Vaultwarden", "smtp_host": "********************************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "**************************************************", "templates_folder": "/var/lib/vaultwarden/data/templates", "tmp_folder": "/var/lib/vaultwarden/data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "/var/lib/vaultwarden/web-vault", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ```

Vaultwarden Build Version

v1.32.1

Deployment method

Manually Extracted from Container Image

Custom deployment method

No response

Reverse Proxy

nginx

Host/Server Operating System

Linux

Operating System Version

Debian 12

Clients

Web Vault, Browser Extension, Desktop

Client Version

No response

Steps To Reproduce

• Configure Bitwarden Directory Connector to create the orgs users disallowing email changes for security
• user_a.lastname@company.tld gets created with an external ID from the AD
• user_a.lastname@company.tld changes his/ her name and therefore the changes
• user_a.lastname@company.tld is now user_a.new_lastname@company.tld with the same external ID
• with the next Bitwarden Directory Connector sync a new invite is generated for user_a.new_lastname@company.tld
• the current account gets stripped of all group memberships and the "new" invited accounts gets added to the groups

Expected Result

I would assume that the member invite to an organization is coupled to the already existing externalID info. Thus dropping the invite for user_a.new_lastname@company.tld because the user is already a member matchable through the externalID.

Perfect would be if the sync would also allow an automated system to overwrite the users email based on the active directory info.

Actual Result

Double the invites.

Logs

No response

Screenshots or Videos

No response

Additional Context

No response

[BlackDex]

I'm afraid that this isn't possible. Bitwarden links accounts to email addresses and uses that email address (or login name) as a salt to generate the password hash and private key.

So, if the login changes for that user (the email address) then it is a different account. There is nothing we can do about this, since it's also not possible to just update the username/email address in the database accordingly without any re-encryption/hashing done.