LDAP integration is performed using a small service that queries LDAP and invites users to your Vaultwarden instance. This service is uncreatively named vaultwarden_ldap.
Because of Vaultwardens zero-trust architecture this service does not provide synchronization of passwords but only invitations for new LDAP members.
It is not yet distributed as a binary, but there is an available Docker image vividboarder/vaultwarden_ldap.
Before deploying, you must enable your vaultwarden admin page. This enables the API that the LDAP sync service will use to invite users. The ADMIN_TOKEN
that you set will be used when configuring the LDAP sync service. You must also be sure to not disable the invitation capability. To verify this, double check that the environment variable INVITATIONS_ALLOWED
is not set to false
.
It is also recommended to enable email sending from your Vaultwarden instance so that your users will be notified they can make an account. If you do not, they will still be able to register if they use their LDAP email address, but you will have to inform them on your own.
With these steps done, you can configure and deploy the LDAP sync service. The most up-to-date instructions are to be found on the service Readme itself, but it will involve creating the config.toml
file with the connection info for your Vaultwarden instance, your LDAP instance, as well as the LDAP query you'd like to use to find users.
FAQs
Container Image Usage
- Which container image to use
- Starting a container
- Updating the vaultwarden image
- Using Docker Compose
- Using Podman
Deployment
- Building your own docker image
- Building binary
- Pre-built binaries
- Third-party packages
- Deployment examples
- Proxy examples
- Logrotate example
HTTPS
Configuration
- Overview
- Disable registration of new users
- Disable invitations
- Enabling admin page
- Disable the admin token
- Enabling WebSocket notifications
- Enabling Mobile Client push notification
- Enabling U2F and FIDO2 WebAuthn authentication
- Enabling YubiKey OTP authentication
- Changing persistent data location
- Changing the API request size limit
- Changing the number of workers
- SMTP configuration
- Translating the email templates
- Password hint display
- Disabling or overriding the Vault interface hosting
- Logging
- Creating a systemd service
- Syncing users from LDAP
- Using an alternate base dir (subdir/subpath)
- Other configuration
Database
- Using the MariaDB (MySQL) Backend
- Using the PostgreSQL Backend
- Running without WAL enabled
- Migrating from MariaDB (MySQL) to SQLite