No external user ID created when using bwdc and user already has an account #1663

Closed
opened 2026-02-05 01:27:36 +03:00 by OVERLORD · 5 comments
Owner

Originally created by @louisfgr on GitHub (Aug 14, 2023).

Originally assigned to: @BlackDex on GitHub.

Subject of the issue

I use Bitwarden directory connector (v2022.11.0) to sync my AD users and groups into my Organisation.
Thereby I noticed that users who already have an account do not get an external id.
This seems to be independent of whether the account already exists because the user is using the private vault and is not yet part of an organization or the user has already been manually invited to the organization.

Deployment environment

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.29.1
  • Web-vault version: v2023.5.0
  • OS/Arch: linux/x86_64
  • Running within Docker: true (Base: Debian)
  • Environment settings overridden: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.41.2
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": false,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://**********************",
  "domain_origin": "*****://**********************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": 60,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": false,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 336,
  "invitation_org_name": "Bitwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/vaultwarden.log",
  "log_level": "warn",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "***********************",
  "org_events_enabled": true,
  "org_groups_enabled": true,
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "push_enabled": false,
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": false,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "**********************",
  "smtp_from_name": "Bitwarden",
  "smtp_host": "*************",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_security": "off",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": 14,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Steps to reproduce

Case 1: A user without an account in this Vaultwarden instance is added to an organization via bwdc.
The user is invited and External ID is set successfully.

Case 2: A user with an existing account in this Vaultwarden instance is added to an organization via bwdc.
The user is invited and added to the organization, but no External ID is set.

Case 3: A user who is already part of my organization is to be subsequently managed by bwdc and given an External ID. After synchronization the user seems to be untouched. No External ID has been set.

Expected behaviour

In every case an External ID should be assigned to the user.
Even if the user already exists, an external ID should be assigned, otherwise the permission assignment between Vaultwarden and AD groups will not work.

If this is an issue in bwdc, is there a way to manually assign the External ID?

OVERLORD added the troubleshooting label 2026-02-05 01:27:36 +03:00
Author
Owner

@BlackDex commented on GitHub (Aug 14, 2023):

We would have to check how this logic works on Bitwarden itself.
I'm not totally sure how this flow goes with existing users from the top of my head.

Author
Owner

@louisfgr commented on GitHub (Aug 14, 2023):

That's the log on debug level during the bwdc sync:

[2023-08-14 11:52:41.230][request][INFO] POST /api/public/organization/import
[2023-08-14 11:52:41.233][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("org_name")], "org_name")))
[2023-08-14 11:52:41.233][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("img_src")], "img_src")))
[2023-08-14 11:52:41.234][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("org_name")], "org_name")))
[2023-08-14 11:52:41.234][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("url")], "url")))
[2023-08-14 11:52:41.234][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("org_id")], "org_id")))
[2023-08-14 11:52:41.234][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("org_user_id")], "org_user_id")))
[2023-08-14 11:52:41.234][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("email")], "email")))
[2023-08-14 11:52:41.234][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("org_name")], "org_name")))
[2023-08-14 11:52:41.234][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("token")], "token")))
[2023-08-14 11:52:41.235][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("img_src")], "img_src")))
[2023-08-14 11:52:41.235][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("org_name")], "org_name")))
[2023-08-14 11:52:41.235][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("org_name")], "org_name")))
[2023-08-14 11:52:41.235][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("url")], "url")))
[2023-08-14 11:52:41.235][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("org_id")], "org_id")))
[2023-08-14 11:52:41.235][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("org_user_id")], "org_user_id")))
[2023-08-14 11:52:41.235][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("email")], "email")))
[2023-08-14 11:52:41.235][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("org_name_encoded")], "org_name_encoded")))
[2023-08-14 11:52:41.235][handlebars::render][DEBUG] Rendering value: Path(Relative(([Named("token")], "token")))
[2023-08-14 11:52:41.257][response][INFO] (ldap_import) POST /api/public/organization/import => 200 OK
[2023-08-14 11:52:45.671][vaultwarden::api::core::two_factor][DEBUG] Sending notifications for incomplete 2FA logins
[2023-08-14 11:52:48.011][request][INFO] GET /alive
[2023-08-14 11:52:48.012][response][INFO] (alive) GET /alive => 200 OK

Author
Owner

@louisfgr commented on GitHub (Aug 18, 2023):

Bitwarden has an additional check for this case and adds the external ID to the user.

https://github.com/bitwarden/server/blob/fd892b2ff4547648a276734fb2b14a8abae2c6f5/src/Core/Services/Implementations/OrganizationService.cs#L1850-L1867

This does not seem to be the case with Vaultwarden.
https://github.com/dani-garcia/vaultwarden/blob/5b7d7390b0cc26ebde96d1b8a835e384ee8deb47/src/api/core/public.rs#L63-L87

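The three cases from the report, modelled as an added example that is not Vaultwarden's or Bitwarden's code: an in-memory stand-in for one instance, the import flow as the reporter describes it (external id written only when the account is created), and the same flow with the additional check the comment above points to in Bitwarden's OrganizationService (external id written to the membership row in every branch). The types, field names and the SID-like external ids are constructed for the example and do not mirror the real database schema.

```rust
use std::collections::HashMap;

/// Membership state of an organization user (constructed for this example).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum MemberStatus {
    Invited,
    Confirmed,
}

/// One organization membership row (constructed; not Vaultwarden's schema).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct OrgMember {
    pub status: MemberStatus,
    pub external_id: Option<String>,
}

/// One member entry as the directory connector sends it in the import payload.
pub struct ImportMember<'a> {
    pub email: &'a str,
    pub external_id: &'a str,
}

/// Minimal in-memory stand-in for a single server instance.
#[derive(Default, Debug)]
pub struct Instance {
    /// Emails of accounts that already exist on the server.
    pub accounts: Vec<String>,
    /// Organization membership keyed by email.
    pub members: HashMap<String, OrgMember>,
}

impl Instance {
    fn has_account(&self, email: &str) -> bool {
        self.accounts.iter().any(|a| a == email)
    }

    /// Import flow as the report describes it: the external id is only written
    /// when an account is created from scratch, so an existing account that is
    /// newly invited (Case 2) or already a member (Case 3) never receives one.
    pub fn import_as_reported(&mut self, batch: &[ImportMember]) {
        for m in batch {
            if self.members.contains_key(m.email) {
                continue; // Case 3: already a member, row left untouched
            }
            let member = if self.has_account(m.email) {
                // Case 2: account exists, invited without an external id
                OrgMember { status: MemberStatus::Invited, external_id: None }
            } else {
                // Case 1: brand-new user, invited with the external id
                self.accounts.push(m.email.to_string());
                OrgMember { status: MemberStatus::Invited, external_id: Some(m.external_id.to_string()) }
            };
            self.members.insert(m.email.to_string(), member);
        }
    }

    /// Import flow with the extra check: whichever branch created or found the
    /// membership, the external id from the directory is written to that row,
    /// so group-to-permission mapping keeps working for pre-existing users.
    pub fn import_fixed(&mut self, batch: &[ImportMember]) {
        for m in batch {
            if !self.has_account(m.email) {
                self.accounts.push(m.email.to_string());
            }
            let row = self
                .members
                .entry(m.email.to_string())
                .or_insert(OrgMember { status: MemberStatus::Invited, external_id: None });
            row.external_id = Some(m.external_id.to_string()); // the missing update
        }
    }

    /// Members still lacking an external id after a sync; a non-empty result is
    /// the condition the report describes (sorted for stable comparison).
    pub fn members_without_external_id(&self) -> Vec<String> {
        let mut v: Vec<String> = self
            .members
            .iter()
            .filter(|(_, r)| r.external_id.is_none())
            .map(|(e, _)| e.clone())
            .collect();
        v.sort();
        v
    }
}

/// Fresh instance seeded with the report's Case 2 and Case 3 users (constructed data).
pub fn scenario() -> Instance {
    let mut inst = Instance::default();
    inst.accounts.push("existing@example.test".into()); // Case 2: account, not a member
    inst.accounts.push("member@example.test".into());   // Case 3: account and member
    inst.members.insert(
        "member@example.test".into(),
        OrgMember { status: MemberStatus::Confirmed, external_id: None },
    );
    inst
}

/// One sync batch from the directory covering all three cases (constructed ids).
pub fn sync_batch() -> Vec<ImportMember<'static>> {
    vec![
        ImportMember { email: "new@example.test", external_id: "S-1-5-21-1" },      // Case 1
        ImportMember { email: "existing@example.test", external_id: "S-1-5-21-2" }, // Case 2
        ImportMember { email: "member@example.test", external_id: "S-1-5-21-3" },   // Case 3
    ]
}

fn main() {
    let mut reported = scenario();
    reported.import_as_reported(&sync_batch());
    println!("reported flow, missing external id: {:?}", reported.members_without_external_id());

    let mut fixed = scenario();
    fixed.import_fixed(&sync_batch());
    println!("fixed flow, missing external id: {:?}", fixed.members_without_external_id());
}
```

Running the reported flow leaves both pre-existing users without an external id while the new user gets one, which matches the three observed cases; the fixed flow leaves `members_without_external_id` empty and keeps the Case 3 user's confirmed status intact, since only the external id column is touched.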
Author
Owner

@louisfgr commented on GitHub (Aug 24, 2023):

As someone who is not really familiar with Rust, is there anything I can do to help fix this issue sooner?
Alternatively, is there any way to set the external ID manually, e.g. by manually calling an API endpoint or by changing the DB?

Author
Owner

@BlackDex commented on GitHub (Aug 24, 2023):

I have not had time to look at this yet. You just need to be patient for a fix.

You should be able to modify the database, just check how the other users are listed in the database.

Reference: starred/vaultwarden#1663