
bitwarden / directory-connector


A tool for syncing a directory (AD, LDAP, Azure, G Suite, Okta) to an organization.

Home Page: https://bitwarden.com

License: GNU General Public License v3.0

active-directory ldap directory gsuite bitwarden okta azure-ad electron angular typescript

directory-connector's Introduction


Bitwarden Directory Connector

The Bitwarden Directory Connector is a desktop application used to sync your Bitwarden enterprise organization to an existing directory of users and groups.

Supported directories:

  • Active Directory
  • Any other LDAP-based directory
  • Azure Active Directory
  • G Suite (Google)
  • Okta

The application is written using Electron with Angular and installs on Windows, macOS, and Linux distributions.

Platforms

Directory Connector

Command-line Interface

A command-line interface tool is also available for the Bitwarden Directory Connector. The Directory Connector CLI (bwdc) is written with TypeScript and Node.js and can also be run on Windows, macOS, and Linux distributions.

CLI Documentation

The Bitwarden Directory Connector CLI is self-documented with --help content and examples for every command. You should start exploring the CLI by using the global --help option:

bwdc --help

This option will list all available commands that you can use with the Directory Connector CLI.

Additionally, you can run the --help option on a specific command to learn more about it:

bwdc test --help
bwdc config --help

Detailed Documentation

We provide detailed documentation and examples for using the Directory Connector CLI in our help center at https://bitwarden.com/help/directory-sync-cli/.

Build/Run

Requirements

  • Node.js v18 (LTS)
  • Windows users: To compile the native node modules used in the app you will need the Visual C++ toolset, available through the standard Visual Studio installer (recommended) or by installing windows-build-tools through npm. See more at Compiling native Addon modules.

Run the app

npm install
npm run reset # Only necessary if you have previously run the CLI app
npm run rebuild
npm run electron

Run the CLI

npm install
npm run reset # Only necessary if you have previously run the desktop app
npm run build:cli:watch

You can then run commands from the ./build-cli folder:

node ./build-cli/bwdc.js --help

We're Hiring!

Interested in contributing in a big way? Consider joining our team! We're hiring for many positions. Please take a look at our Careers page to see what opportunities are currently open as well as what it's like to work at Bitwarden.

Contribute

Code contributions are welcome! Please commit any pull requests against the master branch. Learn more about how to contribute by reading the CONTRIBUTING.md file.

Security audits and feedback are welcome. Please open an issue or email us privately if the report is sensitive in nature. You can read our security policy in the SECURITY.md file.

Prettier

We recently migrated to using Prettier as code formatter. All previous branches will need to be updated to avoid large merge conflicts using the following steps:

  1. Check out your local Branch
  2. Run git merge 225073aa335d33ad905877b68336a9288e89ea10
  3. Resolve any merge conflicts, commit.
  4. Run npm run prettier
  5. Commit
  6. Run git merge -Xours 096196fcd512944d1c3d9c007647a1319b032639
  7. Push

Git blame

We also recommend that you configure git to ignore the prettier revision using:

git config blame.ignoreRevsFile .git-blame-ignore-revs

directory-connector's People

Contributors

addisonbeck, bitwarden-devops-bot, colin-campbell, cscharf, differsthecat, djsmith85, eeebru, eliykat, emelois, github-actions[bot], hajekj, hinton, jacalz, joseph-flinn, kspearrin, luc-bw, mgibson1, michaelklapper, michalchecinski, mimartin12, notnamed, psiniemi, r-tome, renovate[bot], sneakernuts, tm-drtina, trmartin4, vgrassia, vincentsalucci, withinfocus


directory-connector's Issues

Secret key shown in clear text

The API secret key is shown in clear text in the Connector settings (at least for Azure AD, I haven't tested whether this is different for others).

As its own name indicates, the secret key must be secret and this is a disclosure of sensitive information and I already found it very concerning when I had to do a screenshare with Bitwarden support to troubleshoot one issue and my key was there visible in clear text.


Unable to Sync with Active Directory

Hi!
I'm attempting to set up Directory Connector on my Domain Controller, to link in with my Bitwarden docker installation ( mprasil/bitwarden:latest ), on an Ubuntu VM in the same subnet.
When clicking on Sync, I am shown an error, "An unexpected error has occurred".

Hitting the "Test now" button displays a list of AD accounts with email addresses, as intended.

Hitting the "Sync" button shows the error, and also an error in the Developer console

My Domain settings

I've tried versions 2.6.1 and 2.6.2, and I did try one of the earlier versions, but I cannot remember which one now.

Please do keep in mind this is a homelab :)

Cannot Sync AD user BWDC CLI. Deleted users

The email attribute (displayName in DC) for the deleted users returned from active directory are duplicates and preventing a sync. It would be best to create an error message that indicates there is a "Duplicate email address in the Deleted Users", then the user can know that they need to change or hard delete one of the deleted users to prevent the conflict. We may see the use case where an admin is unable to change or delete a deleted user and in this case we may want to enable an optional filter that will allow us to filter out one of the deleted users with the duplicate email address.

G Suite sync fails unexpectedly

Hi,

I have tried to sync with G Suite using both App and CLI but wasn't successful either way.

CLI responds with:
[object Object]

App responds with:
An unexpected error has occurred.

The app.log just says:

[2019-06-11 15:57:06.611] [info] Querying users - nextPageToken:null
[2019-06-11 15:57:07.214] [info] Querying deleted users - nextPageToken:null
[2019-06-11 15:57:09.646] [info] Querying users - nextPageToken:null
[2019-06-11 15:57:10.190] [info] Querying deleted users - nextPageToken:null

I have tried using two different Bitwarden user which had either Admin or Owner permission. bwdc test prints the list of users just fine.

I don't have any hint at where it breaks right now and I might compile and debug it more later today. Any help is appreciated though, as always.

Thanks!

Azure BWDC -> Test feature shows "Deleted users" question

Hi,

So I tested the BWDC v2.6.2 with BW v1.34 and the sync works great. Except that in the "test" feature, it shows me all deleted users tag.
I know that it works and sends the mail, but why does it show tags?
And does it send the mail to deleted users?

Thanks for your time !

Have a great day

Importing more than 200 groups silently fails

Larger organizations have hundreds or thousands of security groups which would then get synced into Bitwarden (project groups for example). The API currently limits the import to contain only 200 groups and eventually 1,000 users.

What I did to avoid this is to split the import task into the user part and group batched part (sending groups by 200). Is this the correct approach? What's the reason for these limits?

The batched split is available in this fork: https://github.com/hajekj/directory-connector/blob/master/src/services/sync.service.ts#L90

data.json not found on portable windows exe

Hello,

After running the portable Windows Bitwarden connector, I expected the configuration file (data.json) to be under %AppData%/Bitwarden Directory Connector/. The directory contains only one folder, logs, which is also empty.

Can you tell me where the portable windows exe stores the data.json file?

Cheers,
Frédéric

Connector as a service (Windows)

Please add a service to the windows app to run the connector automatically without the requirement that the app needs to be opened.

Include Group Syntax not working as expected...

Hi

I did do the first method "Include:Group A " but then I have to specify each users under users before they get an invite.

So the second method is (from my understanding) invite all users in the group by using the syntax 'includeGroup:xxxx-xxxx-xxx"

I clicked test - but I was expecting only my test group to appear and the one test user, but the test that run listed all the groups I have in Azure AD.

Is this normal behavior?

Kind Regards,

Directory Sync ungracefully fails when multiple users have the same e-mail address

Using the Bitwarden directory connector I ran into the issue that I received code 500 errors from the API when attempting to sync without further explanation what's wrong.

In the end I figured out (by looking at the test sync output) that some e-mails appeared multiple times. Background in my case is that I have some fake users for administrative testing.

I worked around the issue by giving them unique addresses but others would probably appreciate being told about what's wrong since a 500 leaves you blind without backend code insight or a running instance with a debugger attached.

I leave some error messages here so others can find it when searching

Failed to load resource: the server responded with a status of 500 ()

ERROR Error: Uncaught (in promise): ErrorResponse: {"message":"An unhandled server error has occurred.","validationErrors":null,"statusCode":500}
    at resolvePromise (vendor.js:339183)
    at vendor.js:339093
    at rejected (tabs.component.html:19)
    at ZoneDelegate.push.ZoneDelegate.invoke (vendor.js:338757)
    at Object.onInvoke (vendor.js:4179)
    at ZoneDelegate.push.ZoneDelegate.invoke (vendor.js:338756)
    at Zone.push.Zone.run (vendor.js:338507)
    at vendor.js:339241
    at ZoneDelegate.push.ZoneDelegate.invokeTask (vendor.js:338790)
    at Object.onInvokeTask (vendor.js:4170)
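The two reports above (duplicate e-mails among deleted AD users, and a bare 500 from the import endpoint when live users share an address) both come down to the same missing pre-flight check. The following is an added example, not code from the directory-connector project: a check run over the directory users before anything is sent to the server, producing the explicit message the reporters asked for. `DirectoryUser`, `findDuplicateEmails` and the sample user list are constructed here and are not the project's types.

```typescript
// Added example (not the project's code): find users that share an e-mail
// address before syncing, so the operator gets a clear message instead of an
// unexplained 500 from the import endpoint. All names and data here are
// constructed for illustration.

interface DirectoryUser {
  externalId: string;
  email: string | null;
  deleted: boolean; // true for AD "Deleted Objects" tombstones
}

interface DuplicateReport {
  email: string;
  externalIds: string[];
  onlyDeleted: boolean; // every colliding entry is a deleted user
}

// E-mail addresses are compared case-insensitively and trimmed; an empty or
// missing address is reported as null (no address at all cannot collide).
function normaliseEmail(email: string | null): string | null {
  if (email == null) return null;
  const trimmed = email.trim().toLowerCase();
  return trimmed === "" ? null : trimmed;
}

function findDuplicateEmails(users: DirectoryUser[]): DuplicateReport[] {
  const byEmail = new Map<string, DirectoryUser[]>();
  for (const user of users) {
    const key = normaliseEmail(user.email);
    if (key === null) continue;
    const bucket = byEmail.get(key);
    if (bucket) {
      bucket.push(user);
    } else {
      byEmail.set(key, [user]);
    }
  }
  const reports: DuplicateReport[] = [];
  byEmail.forEach((group, email) => {
    if (group.length < 2) return;
    reports.push({
      email,
      externalIds: group.map((u) => u.externalId),
      onlyDeleted: group.every((u) => u.deleted),
    });
  });
  return reports;
}

// Turns the reports into the operator-facing messages; the "Deleted Users"
// wording follows the suggestion in the first issue above.
function formatDuplicateErrors(reports: DuplicateReport[]): string[] {
  return reports.map((r) =>
    r.onlyDeleted
      ? `Duplicate email address in the Deleted Users: ${r.email} (${r.externalIds.join(", ")})`
      : `Duplicate email address: ${r.email} (${r.externalIds.join(", ")})`,
  );
}

function preflight(users: DirectoryUser[]): string[] {
  return formatDuplicateErrors(findDuplicateEmails(users));
}

// Constructed sample: two live users with the same address in different case,
// two tombstones sharing one address, and one user without an address.
const sampleUsers: DirectoryUser[] = [
  { externalId: "S-1-5-21-1", email: "Alice@Example.com", deleted: false },
  { externalId: "S-1-5-21-2", email: "alice@example.com", deleted: false },
  { externalId: "S-1-5-21-3", email: "bob@example.com", deleted: false },
  { externalId: "S-1-5-21-4", email: "old@example.com", deleted: true },
  { externalId: "S-1-5-21-5", email: "old@example.com", deleted: true },
  { externalId: "S-1-5-21-6", email: null, deleted: false },
];

for (const line of preflight(sampleUsers)) {
  console.error(line);
}
```

Running the block prints one line per colliding address; a sync wrapper would abort when `preflight` returns a non-empty list, so the 500 never happens and the operator knows which entries to fix.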

Can't sync my ldap since 2.5

Since directory connector (macos) did an auto-update from 2.4 to 2.5.1, my sync with ldap is broken, I can't even do a "test", no errors, nothing.

I reinstalled 2.5, same issue.

I reinstalled the 2.4 version, everything is OK.

Missing paged control

This Issue is similar to the one that has already been closed: #16

Essentially we get the same error message. But the proposed solution (remove repeated pathing) didn't work out for us.

Here's our config:

{
  "directoryType": 0,
  "directoryConfig_0": {
    "ssl": true,
    "sslAllowUnauthorized": true,
    "port": "636",
    "currentUser": false,
    "ad": false,
    "hostname": "ldap.otc-service.internal",
    "rootPath": "dc=otc,dc=app",
    "username": "cn=bind_username,ou=profile,dc=otc,dc=app",
    "sslCaPath": "xxxxxxxx.crt",
    "password": "xxxxxxx"
  },
  "directoryConfig_2": {},
  "directoryConfig_1": {},
  "directoryConfig_3": {},
  "syncConfig": {
    "users": true,
    "groups": false,
    "interval": 5,
    "removeDisabled": false,
    "overwriteExisting": false,
    "useEmailPrefixSuffix": false,
    "creationDateAttribute": "whenCreated",
    "revisionDateAttribute": "whenChanged",
    "emailPrefixAttribute": "sAMAccountName",
    "memberAttribute": "memberUid",
    "userObjectClass": "person",
    "groupObjectClass": "posixGroup",
    "userEmailAttribute": "mail",
    "groupNameAttribute": "cn",
    "userFilter": "",
    "groupFilter": "",
    "groupPath": "ou=group",
    "userPath": "ou=people"
  }
}

Bind usernames are under ou=profile,dc=otc,dc=app, users are in ou=people,dc=otc,dc=app and groups in ou=group,dc=otc,dc=app.

When doing the sync test it shows this error

./bwdc test
missing paged control

ldapsearch works fine with that bind user

Any Ideas?

Search Paths are not correctly Built when Root Path does not contain a 'dc=' path

When the Root Path setting does not contain a dc= part the search path is not built correctly.
Test case:
Root Path o=organisation
User Path ou=hr,o=organisation

Test sync logs to terminal:
[16:45:08.440] [info] User search: ou=hr,o=organisation,n => (&(&(objectClass=inetOrgPerson)) (|(employeeType=developer)(employeeType=office)))
Notice the rogue ,n at the end of the path, resulting in a wrong DN.

When configuring the Root path as o=organisation,dc=domaincontroller and User Path as ou=hr,o=organisation the console logs User search: ou=hr,o=organisation,dc=domaincontroller => [...] as expected.

When I see it correctly this would be caused by :

let path = trimmedRootPath.substr(trimmedRootPath.indexOf('dc='));

when indexOf does not find the search term dc= it will return -1, and substr therefore will extract the last character from the string. This results in the ,n suffix in the test case above.

Tested with Linux AppImage version 2.6.2
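To make the failure mode in the report above concrete, here is an added example that is not the project's code: a buggy path builder that reproduces the `,n` suffix from the single `substr(indexOf('dc='))` line quoted in the issue, beside a corrected version that only strips the prefix when a `dc=` component really exists and never appends a base the user path already ends with. The function names and the way the user path is joined to the base are assumptions made for the example.

```typescript
// Added example (not the project's code). buildSearchPathBuggy mirrors the one
// line quoted in the issue; buildSearchPathFixed is a hypothetical corrected
// version. How the user path and base are joined is assumed here.

// Reproduces the bug: indexOf() returns -1 when "dc=" is absent, and
// substr(-1) then returns the last character of the root path, so the
// search base becomes "<userPath>,n" for a root of "o=organisation".
function buildSearchPathBuggy(rootPath: string, userPath: string): string {
  const trimmedRootPath = rootPath.trim();
  const path = trimmedRootPath.substr(trimmedRootPath.indexOf("dc="));
  const user = userPath.trim();
  return user === "" ? path : `${user},${path}`;
}

// Corrected: check the index before slicing, keep the whole root when there is
// no dc= component, and don't duplicate the base if the user path already
// ends with it (DN components are compared case-insensitively).
function buildSearchPathFixed(rootPath: string, userPath: string): string {
  const root = rootPath.trim();
  const user = userPath.trim();
  const dcIndex = root.toLowerCase().indexOf("dc=");
  const base = dcIndex >= 0 ? root.substring(dcIndex) : root;
  if (user === "") return base;
  if (user.toLowerCase().endsWith(base.toLowerCase())) return user;
  return `${user},${base}`;
}

// The two cases from the report plus a plain AD-style root.
const cases: Array<[string, string]> = [
  ["o=organisation", "ou=hr,o=organisation"],
  ["o=organisation,dc=domaincontroller", "ou=hr,o=organisation"],
  ["dc=example,dc=com", "ou=people"],
];

for (const [root, user] of cases) {
  console.log(`root=${root} user=${user}`);
  console.log(`  buggy: ${buildSearchPathBuggy(root, user)}`);
  console.log(`  fixed: ${buildSearchPathFixed(root, user)}`);
}
```

The first case prints the malformed `ou=hr,o=organisation,n` from the buggy builder and `ou=hr,o=organisation` from the fixed one; the second case, where the root does contain `dc=`, gives the same correct answer from both, which is why the workaround in the report (adding a `dc=` component) hides the bug.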

Limited to 100 users per group when syncing with Azure AD

Although BWDC recognizes all 100+ users in our Azure AD, it only assigns up to (the first) 100 to a single group (sync test & actual sync). If the missing group members (no. 101, 102, ...) are added manually on the browser, BWDC removes (only) them from that group with the next sync.

Tested with BWDC v2.6.2 on macOS, logged in to a self-hosted BW environment running server version 1.33.1 with an Enterprise plan. Might be a coincident: We used to have exactly 100 user seats with our license but increased that limit to 110 recently.

What I've tried so far (mainly because I assumed BWDC would still have our previous 100 user seats in its cache):

  • Rebooted machine running BWDC
  • Cleared BWDC sync cache
  • Logged out of BWDC and in again
  • Deleted ~/Library/Application Support/Bitwarden Directory Connector
  • Reinstalled BWDC app (desktop & CLI)
  • Ran BWDC in different macOS accounts
  • Removed and re-added app registration in AAD
  • Re-downloaded bitwarden_organization_license.json from our bitwarden.com organization & re-uploaded it to our self-hosted environment
    ...

I might be wrong but suspect that it might have something to do with the paging of MS Graph data and its $top query parameter to specify the page size of the result set when getting the members of an AAD group. Quote:

If the request is paged and you don't added the $top query parameter, is there a default or maximal page size on the request? If yes, how big are they?

Unfortunately (per the referenced page) there's no consistency across APIs on the default or maximum size. For example, in Azure AD (users, groups, devices etc) the default is 100 and max 999.

Let me know if you need any additional information from me. Thanks!
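The suspicion in the report above is that group membership is read from only the first Graph page, whose default size is the 100 the reporter quotes. The following is an added example, not code from the directory-connector project: an in-memory stand-in for the members endpoint that serves 110 constructed members 100 per page, beside a first-page-only reader that shows the truncation and a reader that follows `@odata.nextLink` until it is absent. The `fetchPage` function, the `$skiptoken` query parameter it uses to page, the group id and the member data are all constructed for the example; a real Graph `nextLink` is opaque and is simply followed as-is.

```typescript
// Added example (not the project's code): first-page-only reads of a Microsoft
// Graph collection stop at the default page size (100 in the issue above);
// following @odata.nextLink returns every member. fetchPage is an in-memory
// stand-in for the HTTP call, and its $skiptoken paging is constructed here.

interface GraphPage<T> {
  value: T[];
  "@odata.nextLink"?: string;
}

interface Member {
  id: string;
  mail: string;
}

// Constructed directory: one group with 110 members, served 100 per page.
const PAGE_SIZE = 100;
const GROUP_MEMBERS: Member[] = Array.from({ length: 110 }, (_, i) => ({
  id: `u${i + 1}`,
  mail: `user${i + 1}@example.com`,
}));
// Placeholder group id; a real URL would carry the AAD group's object id.
const MEMBERS_URL = "https://graph.microsoft.com/v1.0/groups/GROUP-ID-PLACEHOLDER/members";

// Stand-in for the Graph call: returns one page and, while more remain, a
// nextLink pointing at the following page.
function fetchPage(url: string): GraphPage<Member> {
  const skip = Number(new URL(url).searchParams.get("$skiptoken") ?? "0");
  const page: GraphPage<Member> = { value: GROUP_MEMBERS.slice(skip, skip + PAGE_SIZE) };
  const next = skip + PAGE_SIZE;
  if (next < GROUP_MEMBERS.length) {
    page["@odata.nextLink"] = `${MEMBERS_URL}?$skiptoken=${next}`;
  }
  return page;
}

// The failure mode: only the first response is read, so the group appears to
// have at most PAGE_SIZE members and the rest are never synced.
function getMembersFirstPageOnly(url: string): Member[] {
  return fetchPage(url).value;
}

// The fix: keep requesting the nextLink until the server omits it. The page
// cap guards against a server that keeps returning a link forever.
function getMembersAllPages(url: string, maxPages: number = 1000): Member[] {
  const all: Member[] = [];
  let next: string | undefined = url;
  let pages = 0;
  while (next !== undefined) {
    pages += 1;
    if (pages > maxPages) {
      throw new Error(`gave up after ${maxPages} pages`);
    }
    const page: GraphPage<Member> = fetchPage(next);
    all.push(...page.value);
    next = page["@odata.nextLink"];
  }
  return all;
}

console.log(`first page only: ${getMembersFirstPageOnly(MEMBERS_URL).length} members`);
console.log(`all pages:       ${getMembersAllPages(MEMBERS_URL).length} members`);
```

With the constructed data the first reader reports 100 members and the second 110, which is exactly the gap between the seat count and the missing members 101 onwards described above.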

BWDC on Linux sometimes wipes out data.json

For the second time now we found the file ~/.config/Bitwarden Directory Connector/data.json was reset to what seems to be a generic default. There are no log entries or other hints that could point to the reason why this is happening.
The setup is fairly standard (I assume). Local installation of Bitwarden with an Enterprise license, bwdc syncs users and groups from AD to BW.

For what it's worth, it seems that it happened at 0:30 AM local time in both instances.

Versions:
OS: Ubuntu 18.04, latest patch state
bwdc: 2.6.2

LDAP group members are not synced correctly

We are syncing users and groups from our OpenLDAP to bitwarden. But some groups are missing users. The users themselves are synced correctly they are just missing in the group in bitwarden. After removing the user from the group and adding them again they correctly appear in the group.

For Example user 'A' and user 'B' are members of the group 'team-x' in LDAP. When we sync this to bitwarden only 'B' is shown to be a member of 'team-x'. Only after removing 'A' from the group in LDAP and adding him again the sync adds 'A' to 'team-x' in bitwarden.

We couldn't find a connection between the affected users or groups. We are using version 2.9.1 of the connector.

bwdc-linux: Self-signed certificate in certificate chain

Hi,

I'm running latest Bitwarden and I want to migrate from the Desktop Sync application on Windows to the CLI on Linux.

I installed the contents of the zip to /usr/local/bin and made sure that all dependencies are met.

System: Debian 9 amd64

Unfortunately, I'm not able to log in:

root@pwsafe:~# bwdc config server https://pwsafe.mylocal.domain/
Saved setting `server`.
root@pwsafe:~# bwdc login --method 1
? Email address: <account-for-sync>
? Master password: [hidden]
request to https://pwsafe.mylocal.domain/api/accounts/prelogin failed, reason: self signed certificate in certificate chain

We have a local PKI and this works fine with Bitwarden and the sync client from the Domain-joined Windows system. The CA is also installed on the linux server where the sync client runs:

root@pwsafe:~# openssl s_client -connect pwsafe.mylocal.domain:443
CONNECTED(00000003)
<SNIP>
verify return:1
---
Certificate chain
<SNIP>
---
Server certificate
-----BEGIN CERTIFICATE-----
<SNIP>
-----END CERTIFICATE-----
<SNIP>
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 9582 bytes and written 269 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: F222F3510AC10B96391785026656DB143E268C67DD522BC64EEEC57CB0AE783A
    Session-ID-ctx:
    Master-Key: 8B204E3ABC1C29E9627B7D8E02D23D34634EFEBC0FDC723D99F44F9D09AD115F63F9D9578CEA1BDD56CDFEB2710FD43B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1562846182
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes

Is there anything I have to configure beforehand? In my understanding, bwdc should use the system's certificate store.

Documentation lacks information regarding CLI usage

The documentation for setting up bwdc cli doesn't really help. For example, logging in when 2-FA is enabled doesn't work (the tool says the password is wrong). The help says that a special method parameter needs to be provided and that those methods are documented, but I didn't find any of them in the documentation.

bwdc login --help
Usage: login [options] [email] [password]

Log into a user account.

Options:

  --method <method>  Two-step login method.
  --code <code>      Two-step login code.
  -h, --help         output usage information

  Notes:

    See docs for valid `method` enum values.

  Examples:

    bw login
    bw login [email protected] myPassword321
    bw login [email protected] myPassword321 --method 1 --code 249213

Can you please add instructions how to use the CLI application with 2-FA enabled to the docs?

cant integrate bitwarden, AD & Bitwarden directory connector

bitwarden is installed on On-premises Ubuntu 16.04 ( Docker )

Can access Bitwarden on web interface, Test Organization is also created

Now I want to integrate it with AD. I have installed the Bitwarden connector on my laptop (Windows 10),
but I can't log in to my Bitwarden account via the connector.

I can access the Bitwarden on-premises server via FQDN.

What Port is used by bitwarden directory connector ?

Any guidelines or steps on how to integrate the Bitwarden connector with Bitwarden on premises?

AD Sync Fails with 404

I've tried this in both the CLI and GUI versions of the application. I'm receiving a duplicate response as the one in issue #21. I didn't want to necro that issue, so here we are. My redacted configuration (from the CLI version) is as follows, with domain names, personal info, and infrastructure removed.

{
  "installedVersion": "2.6.2",
  "environmentUrls": {
    "base": "https://bitwarden.example.com",
    "api": null,
    "identity": null,
    "webVault": null,
    "icons": null,
    "notifications": null,
    "events": null
  },
  "appId": "REDACTED",
  "accessToken": "REDACTED",
  "refreshToken": "REDACTED",
  "userEmail": "REDACTED",
  "userId": "REDACTED",
  "kdf": 0,
  "kdfIterations": 5000,
  "key": "REDACTED",
  "keyHash": "REDACTED",
  "encKey": "REDACTED",
  "encPrivateKey": "REDACTED",
  "organizationId": "REDACTED",
  "directoryType": 0,
  "directoryConfig_0": {
    "ssl": false,
    "sslAllowUnauthorized": false,
    "port": 389,
    "currentUser": false,
    "ad": true,
    "hostname": "ad1.example.com",
    "rootPath": "dc=example,dc=com",
    "username": "REDACTED",
    "password": "REDACTED"
  },
  "directoryConfig_2": {},
  "directoryConfig_1": {},
  "directoryConfig_3": {},
  "syncConfig": {
    "users": true,
    "groups": false,
    "interval": 5,
    "removeDisabled": false,
    "overwriteExisting": false,
    "useEmailPrefixSuffix": true,
    "creationDateAttribute": "whenCreated",
    "revisionDateAttribute": "whenChanged",
    "emailPrefixAttribute": "sAMAccountName",
    "memberAttribute": "MemberOf",
    "userObjectClass": "user",
    "groupObjectClass": "group",
    "userEmailAttribute": "mail",
    "groupNameAttribute": "name",
    "userFilter": "(&(memberOf=CN=Bitwarden,OU=Groups,DC=example,DC=com))",
    "groupPath": "OU=Groups",
    "userPath": "CN=Users"
  }
}

I get the error:

[2020-05-14 11:49:59][rocket::rocket][INFO] POST /api/organizations/REDACTED/import application/json; charset=utf-8:
[2020-05-14 11:49:59][_][ERROR] No matching routes for POST /api/organizations/REDACTED/import application/json; charset=utf-8.
[2020-05-14 11:49:59][_][WARN] Responding with 404 Not Found catcher.
[2020-05-14 11:49:59][_][INFO] Response succeeded.

It's worth noting that even in the GUI, where I select the Organization from the dropdown box, this is happening. When I run a test sync, the correct users come back so I know it's not an issue with the connection to the directory. It's definitely an issue with the OrganizationId being returned by BitWarden being...incorrect? Or something. I can load that organization in the web UI and the same string that's returned in the error message is in the URL, so it seems at a glance to be correct. Not sure what's going on here.

An error has occurred: Time Limit Exceeded


Which time limit? To bitwarden? (we are using vault.bitwarden.com) or the LDAP Server? Since migrating to vault.bitwarden.com from our selfhosted instance we are getting this messages multiple times.

Sync AAD with userfilter produces error message

When synchronizing an Azure AD when a user filter is set and a user without email is present in the AAD, the error message "Cannot read property 'trim' of undefined" appears and the synchronization or test sync aborts.

When a call comes from "azure-directory.services.ts" > "getUsers", the result string can be "undefined" (if the user does not have an email).

Support full Group Search API for G Suite connector

As described in the documentation:

The G Suite APIs do not provide a way to filter groups directly, however, you can use our custom filtering syntax that allows you to exclude or include a comma separated list of group names.

However, I believe this is no longer the case:
https://developers.google.com/admin-sdk/directory/v1/guides/search-groups

The API should support searches by email, name and memberKey with custom operators for equality (=) and :{PREFIX}* allowing you to filter groups more dynamically. For example, it would be fantastic to prefix all Bitwarden related groups with BITWARDEN-... in G suite and then include them in the directory connector filter with a single expression name:BITWARDEN-* so that even groups with this prefix created in the future are synced.

Directory sync from GSuites syncs groups, but not users

I'm trying to sync my org to bitwarden cloud with the connector, however only groups are being created.
Command line output -

➜  bwdc-macos-2.6-1.1 ./bwdc clear-cache
The sync cache has been cleared.
➜  bwdc-macos-2.6-1.1 ./bwdc sync --response
{"success":true,"data":{"noColor":false,"object":"message","title":"Syncing complete.","message":"Synced 33 group(s) and 35 user(s)."}}

Test returns the proper users to be created.

389ds: missing paged control

Hi I have configured sync with FreeIPA server:

{
	"directoryType": 0,
	"directoryConfig_0": {
		"ssl": true,
		"sslAllowUnauthorized": false,
		"port": "636",
		"currentUser": false,
		"ad": false,
		"password": "[STORED SECURELY]",
		"hostname": "freeipa.example.org",
		"rootPath": "cn=accounts,dc=example,dc=org",
		"username": "uid=bitwarden-svc,cn=users,cn=accounts,dc=example,dc=org"
	},
	"syncConfig": {
		"users": true,
		"groups": true,
		"interval": 5,
		"removeDisabled": false,
		"useEmailPrefixSuffix": false,
		"creationDateAttribute": "createTimestamp",
		"revisionDateAttribute": "modifyTimestamp",
		"emailPrefixAttribute": "uid",
		"memberAttribute": "member",
		"userObjectClass": "person",
		"groupObjectClass": "groupOfNames",
		"userEmailAttribute": "mail",
		"groupNameAttribute": "cn",
		"groupPath": "cn=groups,cn=accounts,dc=example,dc=org",
		"userPath": "cn=users,cn=accounts,dc=example,dc=org",
		"userFilter": "(!(uid=*-svc))"
	}
}

But when I try to sync, I have an error:

./bwdc test
missing paged control

BWDC 2.8.2 not syncing users

Since 2.8.2 is out, our LDAP sync is not working properly anymore. I'll describe symptoms hereafter. All symptoms are true with Directory Connector as the AppImage AND the CLI.

  • bwdc test : displays the proper list of users (71) and groups (29).
  • bwdc sync : no error, in GUI a popup says "71 users and 29 groups synced", however in the vault there is no new user (65 including those who have not yet accepted the invite). Groups are correctly synced, though.
  • bwdc clear-cache : no error
  • bwdc sync : same result, announces 71 users and 29 groups, but only syncs groups.

If I delete or add a new group, the next sync is properly reflecting the changes. If I delete or add a new user, the next sync detect it (so LDAP connection is fine) and announces syncing it, but in the webvault there is no new user added.

No error whatsoever, no alert, no warning in dev tools, all seems to be ok but still, it doesn't work.
Organization has currently 75 seats available, that's 4 more than needed.

Probably not related, but a strange thing happens when syncing : we have a group for tech administrators, in which I am myself. It is named "SecOps", and is properly detected in LDAP (bwdc test) with 7 users including myself. These 7 users are declared as Organization's owner, as they are allowed (and asked) to maintain collections and sync, etc. On each sync however, despite being correctly detected as members of group SecOps, all of us are removed from the group, excepted one. There is a single user, also ranked as owner, which is kept in SecOps groups, all other are removed and must be added back manually.

I'm starting to think this directory connector is haunted by some wandering soul down here...

Support for STARTTLS with LDAP

As sent per mail:

For STARTTLS you first have to connect over an unencrypted connection, then you have to start your TLS session with client.starttls: http://ldapjs.org/client.html#starttls

You should also catch an error if it occurs, my suggestion is to make a list instead of checkbox with:

Encryption: None, STARTTLS, SSL

Sync fails silently when number of users exceeds available licenses

The sync apparently fails silently if the number of synced users is bigger than the number of available seats. The UI says X users were synced, when in fact not a single one was synced.

None of the log files indicated that a sync failed. Not on the local client (directory connector) and not in any of the logs on the server. The nginx access log indicates, that the request to /import was successful (200).

Support nested groups

Hey there,

imagine I have a security group Foo that contains Bar (group) and Baz (person). Group Bar contains Qux (user). When I sync this setup using this tool it will set up groups Foo and Bar, however, group Foo only contains Baz as member.

CLI: Configuring password fails with "Cannot create an item in a locked collection"

Hello,

we are running bitwarden server on a linux server (CLI only) and wanted to add the directory synchronisation as a cronjob on the server. For that we installed the bitwarden connector cli and copied over the data.json file.

In the data.json file, the password for the ldap directory is not saved and even when replacing the [STORED SECURELY] string with the actual password, the bwdc cli-tool replaces it with null.

When we then tried to add the password via bwdc config ldap.password PASS, we first received a message about X11.

# bwdc config ldap.password PASS
Cannot autolaunch D-Bus without X11 $DISPLAY

The solution of exporting the output of dbus-launch from darkyat in #17 worked, but led to the next error.

# export $(dbus-launch)
# bwdc config ldap.password PASS
** Message: 15:12:18.946: Remote error from secret service: org.freedesktop.Secret.Error.IsLocked: Cannot create an item in a locked collection
Cannot create an item in a locked collection

Executing bwdc sync tells me that the username and password are not configured and hangs until forcefully aborted with Ctrl+C.

# bwdc sync
Username/password are not configured.
Ctrl+C

Some system specs

# docker -v
Docker version 1.13.1, build b2f74b2/1.13.1
# bwdc -v
2.6.1

Cheers,
Frédéric

What format to provide gsuite.key in CLI?

I am currently working on dockerizing the CLI of the directory-connector and have already overcome a ton of obstacles so far. Unfortunately, as my use-case is to use a gsuite connector, I am now stuck with setting the key using bwdc config gsuite.key.

What format does this command expect? I tried providing:

  • a filename to the private-key as x509 PEM
  • a filename to the JSON
  • the JSON itself
  • the private-key as X509 PEM itself

Operation System: Ubuntu / Debian
Keyring: gnome-keyring 3.20.0-3

When using the private-key as X509 itself, I fail with error: unknown option `-----BEGIN PRIVATE KEY-----\nXYZ. Providing any other kind of string works fine but fails with error:0906D06C:PEM routines:PEM_read_bio:no start line when running bwdc test.

From what I see looking at your code, I would expect you ask for the key as it is in the JSON to create the JWT token, in that case shouldn't it be: -----BEGIN PRIVATE KEY-----\nXYZXYZXYZ? This however results in an error: unknown option as mentioned above.

Any help is appreciated!

Regards,
Harry
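
Added example (not from the post above and not the connector's own code): before handing a Google service-account key to any tool, it is worth checking that the PEM text itself is something OpenSSL will parse, since "PEM routines:PEM_read_bio:no start line" is OpenSSL saying it never found a usable -----BEGIN line. This says nothing about what bwdc config gsuite.key expects and does not address the "unknown option" message; it only separates a bad key string from a bad CLI invocation. The key pair and the client_email below are generated and constructed here so the block runs offline; a real file carries the key Google issued.

```typescript
import { createPrivateKey, generateKeyPairSync, KeyObject } from 'crypto';

// Subset of the fields in a Google service-account JSON file.
interface ServiceAccountKey {
  type: string;
  client_email: string;
  private_key: string;
}

// Result of inspecting one candidate key string.
interface KeyCheck {
  parses: boolean;          // OpenSSL accepted it as a private key
  keyType: string | null;   // e.g. 'rsa' when it parses
  firstLine: string;        // the PEM header line, handy in error output
  escapedNewlines: boolean; // true if the text still contains a literal backslash-n
}

// Builds a constructed service-account file in memory (key pair generated here,
// not Google's). Inside the JSON text the key's line breaks are stored as \n escapes.
function makeSampleKeyFile(): string {
  const pair = generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const sa: ServiceAccountKey = {
    type: 'service_account',
    client_email: 'bwdc-sync@example-project.iam.gserviceaccount.com', // constructed value
    private_key: pair.privateKey,
  };
  return JSON.stringify(sa);
}

// JSON.parse decodes the \n escapes, so the returned string has real line breaks.
function privateKeyFromServiceAccountJson(json: string): string {
  const sa = JSON.parse(json) as ServiceAccountKey;
  if (sa.type !== 'service_account' || !sa.private_key) {
    throw new Error('not a service-account key file');
  }
  return sa.private_key;
}

// Repairs a key that was copied out of the JSON by hand with the escapes intact.
function unescapeNewlines(raw: string): string {
  return raw.replace(/\\n/g, '\n');
}

// Asks OpenSSL (via Node's crypto) to parse the PEM; null means it refused.
function parsePem(pem: string): KeyObject | null {
  try {
    return createPrivateKey(pem);
  } catch (e) {
    return null;
  }
}

// Inspects a key string exactly as it would be handed to a tool.
function checkKeyString(key: string): KeyCheck {
  const parsed = parsePem(key);
  return {
    parses: parsed !== null,
    keyType: parsed ? parsed.asymmetricKeyType || null : null,
    firstLine: key.split('\n')[0],
    escapedNewlines: key.indexOf('\\n') !== -1,
  };
}

// Demo: the decoded key parses; the same key with literal \n sequences does not.
const demoFile = makeSampleKeyFile();
const demoKey = privateKeyFromServiceAccountJson(demoFile);
console.log(checkKeyString(demoKey));
console.log(checkKeyString(demoKey.replace(/\n/g, '\\n')));
```

The escaped form only arises when the string value is copied out of the file by hand; reading the file and taking private_key from the parsed JSON already yields real line breaks, and unescapeNewlines repairs the hand-copied variant.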

GSuite group owners are not added to groups

When using this to sync from GSuite, if a user is an owner of the group they are not counted as being a member of the group; therefore they are not added to the group in Bitwarden.

Documentation for the API states that owners must be members of the group:

OWNER – This role can change send messages to the group, add or remove members, change member roles, change group's settings, and delete the group. An OWNER must be a member of the group.

https://developers.google.com/admin-sdk/directory/v1/guides/manage-group-members

bwdc sync fails with The model state is invalid.

Hi,
I'm using self-hosted bitwarden with openldap and bwdc CLI. Everything hosted on linux.
Some time ago bwdc started reporting error The model state is invalid. and I don't know what it means.
Can somebody help me, please?

bwdc is not honoring env variable config for BITWARDENCLI_CONNECTOR_PLAINTEXT_SECRETS

Following the instructions for running the bwdc cli on headless linux I set the environment variable BITWARDENCLI_CONNECTOR_PLAINTEXT_SECRETS to true. However, I still get the error "Cannot autolaunch D-Bus without X11 $DISPLAY"

[root bw]# bwdc --version
2.6.1
[root bw]# echo $BITWARDENCLI_CONNECTOR_PLAINTEXT_SECRETS
true
[root bw]# bwdc test
Cannot autolaunch D-Bus without X11 $DISPLAY
[root bw]# cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"

Azure Active Directory Sync Efficiency considerations

Hi,

I've been checking through the request logs for the Azure Active Directory from Bitwarden Directory Connector...

Current settings

Sync Users with includeGroup filter
Sync Groups with no filters

Efficiency measures

  1. BWDC downloads all the users through https://graph.microsoft.com/v1.0/users?$select=id,mail,userPrincipalName,displayName,accountEnabled, however, it doesn't need a list of all the users, as they do not manifest into the Bitwarden Organisation (due to the includeGroup User Filter)

  2. Because of the includeGroup filter, BWDC keeps doing numerous https://graph.microsoft.com/v1.0/users/{id}/checkMemberGroups requests.

I guess it would be sufficient to just make use of either of the following for each 'includeGroup':

  • https://graph.microsoft.com/v1.0/groups/{groupId}/members?$select=id,mail,userPrincipalName,displayName,accountEnabled - for direct members
  • or https://graph.microsoft.com/v1.0/groups/{groupId}/transitiveMembers?$select=id,mail,userPrincipalName,displayName,accountEnabled - for nested members
  3. BWDC downloads the members of every group, which do not manifest into the Bitwarden Organisation, so I believe that wouldn't be necessary either?
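
Added example, not from the post above and not the connector's code: it models the two request patterns the post compares against a constructed fake tenant and counts the Graph calls each needs. The routes are the real Microsoft Graph v1.0 routes named in the post; the users, the group ids, the page size and the use of $skiptoken as a plain offset are invented for the fake (the real token is opaque), and the fake client is synchronous so the block runs offline. A real client awaits HTTPS calls with an Authorization: Bearer header and filters /members by @odata.type, since that route returns directoryObjects of several kinds.

```typescript
interface GraphUser {
  id: string;
  mail: string;
  userPrincipalName: string;
  displayName: string;
  accountEnabled: boolean;
}

// Graph collections page through @odata.nextLink.
interface GraphPage {
  value: GraphUser[];
  '@odata.nextLink'?: string;
}

interface FakeTenant {
  users: GraphUser[];
  groups: { [groupId: string]: string[] }; // groupId -> ids of its direct user members
}

const GRAPH = 'https://graph.microsoft.com/v1.0';
const SELECT = '$select=id,mail,userPrincipalName,displayName,accountEnabled';

// Fake Graph client: serves GET /users and GET /groups/{id}/members in pages and
// POST /users/{id}/checkMemberGroups, counting every request it answers.
function fakeGraph(tenant: FakeTenant, pageSize: number) {
  let requests = 0;
  const page = (items: GraphUser[], base: string, skip: number): GraphPage => {
    const value = items.slice(skip, skip + pageSize);
    const nextSkip = skip + pageSize;
    return nextSkip < items.length ? { value, '@odata.nextLink': `${base}&$skiptoken=${nextSkip}` } : { value };
  };
  const get = (url: string): GraphPage => {
    requests++;
    const path = url.replace(GRAPH, '').split('?')[0];
    const tok = /\$skiptoken=(\d+)/.exec(url);
    const skip = tok ? parseInt(tok[1], 10) : 0;
    if (path === '/users') return page(tenant.users, `${GRAPH}/users?${SELECT}`, skip);
    const m = /^\/groups\/([^/]+)\/members$/.exec(path);
    if (m) {
      const memberIds = tenant.groups[m[1]] || [];
      const members = tenant.users.filter(u => memberIds.indexOf(u.id) !== -1); // fake holds users only
      return page(members, `${GRAPH}/groups/${m[1]}/members?${SELECT}`, skip);
    }
    throw new Error(`fake Graph: unexpected GET ${url}`);
  };
  // Subset of groupIds the user belongs to (the real call accepts at most 20 ids).
  const checkMemberGroups = (userId: string, groupIds: string[]): string[] => {
    requests++;
    return groupIds.filter(g => (tenant.groups[g] || []).indexOf(userId) !== -1);
  };
  return { get, checkMemberGroups, requestCount: () => requests };
}

type Graph = ReturnType<typeof fakeGraph>;

// Follows @odata.nextLink until the collection is exhausted.
function getAllPages(graph: Graph, url: string): GraphUser[] {
  const out: GraphUser[] = [];
  let next: string | undefined = url;
  while (next) {
    const body = graph.get(next);
    out.push(...body.value);
    next = body['@odata.nextLink'];
  }
  return out;
}

// Pattern the post observes: list every tenant user, then ask per user whether they
// are in an included group. Cost: pages(all users) + one call per user.
function includedUsersViaCheckMemberGroups(graph: Graph, includeGroups: string[]): string[] {
  const included: string[] = [];
  for (const u of getAllPages(graph, `${GRAPH}/users?${SELECT}`)) {
    if (graph.checkMemberGroups(u.id, includeGroups).length > 0) included.push(u.userPrincipalName);
  }
  return included.sort();
}

// Pattern the post proposes: read each included group's member list directly.
// Cost: pages(members) per included group, independent of tenant size.
function includedUsersViaGroupMembers(graph: Graph, includeGroups: string[]): string[] {
  const included: string[] = [];
  for (const g of includeGroups) {
    for (const u of getAllPages(graph, `${GRAPH}/groups/${g}/members?${SELECT}`)) {
      if (included.indexOf(u.userPrincipalName) === -1) included.push(u.userPrincipalName); // dedupe across groups
    }
  }
  return included.sort();
}

interface Comparison { sameUsers: boolean; checkMemberGroupsRequests: number; groupMembersRequests: number; }

// Runs both patterns on fresh counters; reports whether they agree and what each cost.
function compareStrategies(tenant: FakeTenant, includeGroups: string[], pageSize: number): Comparison {
  const a = fakeGraph(tenant, pageSize);
  const viaCheck = includedUsersViaCheckMemberGroups(a, includeGroups);
  const b = fakeGraph(tenant, pageSize);
  const viaMembers = includedUsersViaGroupMembers(b, includeGroups);
  return { sameUsers: viaCheck.join(',') === viaMembers.join(','), checkMemberGroupsRequests: a.requestCount(), groupMembersRequests: b.requestCount() };
}

// Constructed tenant: 12 users, one group meant to sync, one that is not.
function sampleTenant(): FakeTenant {
  const users: GraphUser[] = [];
  const everyone: string[] = [];
  for (let i = 0; i < 12; i++) {
    users.push({ id: `u${i}`, mail: `user${i}@example.test`, userPrincipalName: `user${i}@example.test`, displayName: `User ${i}`, accountEnabled: true });
    everyone.push(`u${i}`);
  }
  return { users, groups: { 'grp-bitwarden-users': ['u1', 'u3', 'u5'], 'grp-everyone': everyone } };
}

console.log(compareStrategies(sampleTenant(), ['grp-bitwarden-users'], 5));
```

With a page size of 5 and one included group of three users, the per-user pattern costs 3 user pages plus 12 checkMemberGroups calls; the group-members pattern costs a single request and yields the same three users. The gap grows with the number of tenant users, which is the post's point.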

Sync Error from Azure AD -An unhandled server error has occurred

Does anyone have an idea what this means? It's not a seat limit.

Failed to load resource: the server responded with a status of 500 ()
vendor.js:4615 ERROR Error: Uncaught (in promise): errorResponse_ErrorResponse: {"response":{"Object":"error","Message":"An unhandled server error has occurred.","ValidationErrors":null,"ExceptionMessage":null,"ExceptionStackTrace":null,"InnerExceptionMessage":null},"message":"An unhandled server error has occurred.","validationErrors":null,"statusCode":500}
at resolvePromise (vendor.js:349507)
at vendor.js:349414
at rejected (utils.ts:100)
at ZoneDelegate.push.ZoneDelegate.invoke (vendor.js:349061)
at Object.onInvoke (vendor.js:28632)
at ZoneDelegate.push.ZoneDelegate.invoke (vendor.js:349060)
at Zone.push.Zone.run (vendor.js:348818)
at vendor.js:349566
at ZoneDelegate.push.ZoneDelegate.invokeTask (vendor.js:349096)
at Object.onInvokeTask (vendor.js:28620)

LDAPS support

We noticed the connector doesn't support LDAPS as of yet. We plan to disable unencrypted connections to our Active Directory in the next months. For that we would need Bitwarden to support those first.

Is this on the roadmap?

Current directory-connector version: 1.2.0

Some CLI features require x11

This seems like a bug. On a headless Ubuntu 18.04 server if I try to run certain commands I get the following output:

"Cannot autolaunch D-Bus without X11 $DISPLAY"

Specifically I got this when trying to run sync and test. This is just a test install so I went ahead and installed a GUI to be able to complete what I was testing. It turns out that I didn't have a username/password configured. It seems, however, that the way this message is displayed (perhaps because it's set to be bold and red?) requires X11.

This makes it hard to impossible to use the CLI feature on headless systems.

CLI mode

Are there plans to make a synchronization tool without a GUI? Only CLI mode.

Google connector pagination issue

The connector doesn't handle Google Directory API pagination and thus only synchronizes 200 groups even if the organization has more.

We already discussed that by mail; I'm filing a GitHub issue for better follow-up on that.
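
Added example serving this post and the earlier "GSuite group owners are not added to groups" post; it is not from either post and not the connector's code. It models the Admin SDK Directory API members.list response (a members array, a nextPageToken while more pages remain, and per-member role and type fields) and shows the two failure modes side by side: stopping after the first page, and counting only role MEMBER so that OWNER and MANAGER entries are dropped. The 200-per-page cap is taken from the post; the member data and the synchronous fake API are constructed so the block runs offline, where a real client awaits https://admin.googleapis.com/admin/directory/v1/groups/{groupKey}/members with a bearer token.

```typescript
// Shape of one entry in a Directory API members.list response.
interface GMember {
  id: string;
  email: string;
  role: 'MEMBER' | 'MANAGER' | 'OWNER';
  type: 'USER' | 'GROUP' | 'CUSTOMER' | 'EXTERNAL';
}

// One page of members.list: members may be absent on an empty page, nextPageToken
// is present only while more pages remain.
interface MembersPage {
  members?: GMember[];
  nextPageToken?: string;
}

const MAX_RESULTS = 200; // page cap described in the post

// Fake members.list for one group: serves pages of MAX_RESULTS and counts calls.
// The page token is a plain offset here; the real token is opaque.
function fakeMembersApi(all: GMember[]) {
  let calls = 0;
  const list = (pageToken?: string): MembersPage => {
    calls++;
    const start = pageToken ? parseInt(pageToken, 10) : 0;
    const end = start + MAX_RESULTS;
    const members = all.slice(start, end);
    return end < all.length ? { members, nextPageToken: String(end) } : { members };
  };
  return { list, calls: () => calls };
}

type MembersApi = ReturnType<typeof fakeMembersApi>;

// Naive reader: one page, and only entries with role MEMBER. Loses everyone past the
// first 200 and every OWNER or MANAGER, which matches both reported symptoms.
function naiveUserEmails(api: MembersApi): string[] {
  const page = api.list();
  return (page.members || []).filter(m => m.type === 'USER' && m.role === 'MEMBER').map(m => m.email);
}

// Paged reader: follows nextPageToken until it is absent and treats every role as
// membership (the docs quoted in the owners post: an OWNER must be a member).
// Nested groups (type GROUP) are returned separately so the caller can expand them;
// CUSTOMER and EXTERNAL entries are not individual users and are skipped here.
function allUserEmails(api: MembersApi): { users: string[]; nestedGroups: string[] } {
  const users: string[] = [];
  const nestedGroups: string[] = [];
  let token: string | undefined;
  do {
    const page = api.list(token);
    for (const m of page.members || []) {
      if (m.type === 'USER') users.push(m.email);
      else if (m.type === 'GROUP') nestedGroups.push(m.email);
    }
    token = page.nextPageToken;
  } while (token);
  return { users, nestedGroups };
}

// Constructed group: 450 users (the first an OWNER, the second a MANAGER) plus one
// nested group, so the listing spans three pages.
function sampleMembers(): GMember[] {
  const out: GMember[] = [];
  for (let i = 0; i < 450; i++) {
    out.push({
      id: `m${i}`,
      email: `user${i}@example.test`,
      role: i === 0 ? 'OWNER' : i === 1 ? 'MANAGER' : 'MEMBER',
      type: 'USER',
    });
  }
  out.push({ id: 'g1', email: 'team-sub@example.test', role: 'MEMBER', type: 'GROUP' });
  return out;
}

console.log(naiveUserEmails(fakeMembersApi(sampleMembers())).length);   // first page minus owner and manager
console.log(allUserEmails(fakeMembersApi(sampleMembers())).users.length); // every user across all pages
```

The naive reader returns 198 of 450 users; the paged reader returns all 450 in three calls and reports the nested group for separate expansion.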

Unable to run bwdc or AppImage

I extracted both bwdc and keytar.node into /usr/local/bin and made bwdc executable. However, when I run bwdc I get the following error:

pkg/prelude/bootstrap.js:1176
throw error;
^

Error: libsecret-1.so.0: cannot open shared object file: No such file or directory
at Object.Module._extensions..node (internal/modules/cjs/loader.js:729:18)
at Module.load (internal/modules/cjs/loader.js:610:32)
at tryModuleLoad (internal/modules/cjs/loader.js:549:12)
at Function.Module._load (internal/modules/cjs/loader.js:541:3)
at Module.require (internal/modules/cjs/loader.js:648:17)
at Module.require (pkg/prelude/bootstrap.js:1157:31)
at require (internal/modules/cjs/helpers.js:20:18)
at Object. (/snapshot/directory-connector/node_modules/keytar/lib/keytar.js:1:76)
at Module._compile (pkg/prelude/bootstrap.js:1252:22)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:711:10)

How can I fix this?

Users from LDAP do not sync to Bitwarden

bwdc stores wrong data in cache.
sync command doesn't make any changes but users in Bitwarden and LDAP are out of sync.
test command returns correct users list from LDAP.
last-sync users - shows that users were synced an hour ago. But in Bitwarden no new users for a week.

Only clear-cache & sync make full sync.
Is it normal behavior? What is bwdc sync TTL?

bwdc v 2.6.2
Headless Ubuntu server

Operational issues and rethinking integration into Bitwarden

As far as I understood, the cli is only supposed to be used once it was set up with the Desktop application. This makes no sense in my opinion:

  • Bitwarden itself runs on Docker which runs on Linux (yes, there are Windows / OS X solutions but let's consider a serious productive setup)
  • Linux servers usually have no GUI
  • Having the sync functionality on the same server, accessible by different users, is desirable in many scenarios (like multiple admins in charge of Bitwarden)

It's a pain to set up the sync using the CLI only and to be honest, every time I'm using it I'm in fear of destroying the company's complete password data.

The GUI application makes me feel a little more comfortable, but comes also with downsides. Since it has an administrative token for Bitwarden (without 2-FA) stored somewhere, having it stored next to my browser history doesn't feel good. Even if you move it to a "considered-secure" server, a remaining issue is that the configuration is stored in a user's profile. It makes administration of users impossible for multiple Bitwarden admins.

To conclude, I really like Bitwarden but the directory connector gives me regular headaches. It's unmaintainable in a scenario with more than one administrator and a headless Bitwarden server.

I've been thinking about solutions to this problem for quite some time. I think the most solid and user friendly option is to integrate it into the web interface or admin backend. Since the data format of the console and GUI application are the same, I'd come up with the following (probably naive) setup:

  • a new container, directory-sync or something, runs alongside the other containers in the on-prem scenario. It shouldn't be large or consume a lot of resources since it only needs bwdc-cli and its requirements.
  • the GUI application is moved to the web/admin interface. I don't know how much work this is, but I (again, me being naive) would believe that when there's a nodejs application that needs to go into a browser, big parts of the code can be copied over with little modifications.
  • Changes in the GUI are synchronized to the bwdc-cli container. Communication and synchronization between the web frontend and the cli are probably the harder parts here and since I'm not too familiar with the Bitwarden architecture, I don't have a suggestion on how to achieve this yet.

In my opinion, the manual and outsourced directory sync is a show stopper for many organizations since it is hard to maintain even with small teams. I'd love to hear your opinions and discuss problems/solutions.

Dynamic Google Groups aren't populated

If you have a group that contains (for example) the whole company, i.e. "All users in the organisation", then the Bitwarden sync does not put all the users in the group when being synced.
