[GH-ISSUE #3685] Group External ID cleared after editing #1644

Closed
opened 2026-03-03 02:10:52 +03:00 by kerem · 3 comments

Originally created by @MatthewA1 on GitHub (Jul 11, 2023).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/3685

Subject of the issue

When a group created by the Bitwarden Directory Connector is edited through the web vault (for example, by editing the group's Collections access), the External ID field is cleared. This results in duplicates of the group being created when the groups are next synchronized by the BWDC.

Deployment environment

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.29.0
  • Web-vault version: v2023.5.0
  • OS/Arch: linux/x86_64
  • Running within Docker: true (Base: Debian)
  • Environment settings overridden: false
  • Uses a reverse proxy: false
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: false
  • Database type: SQLite
  • Database version: 3.41.2
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": true,
  "disable_icon_download": false,
  "domain": "****://**************",
  "domain_origin": "****://**************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/vaultwarden.log",
  "log_level": "warn",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": true,
  "org_groups_enabled": true,
  "password_hints_allowed": true,
  "password_iterations": 1000000,
  "push_enabled": false,
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "**********,*********",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": null,
  "smtp_password": null,
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}
  • Clients used: web vault, desktop, Bitwarden Directory Connector

  • Reverse proxy and version: None

  • Other relevant details: Using Bitwarden Directory Connector in an Active Directory Environment; Organization Groups Enabled

Steps to reproduce

  1. Perform an initial synchronization with the BWDC client
  2. Edit a synchronized group in the web vault (e.g., grant the group permissions to access a collection)
  3. View the newly edited group. You will now see the External ID field has been cleared.
  4. Synchronize the users/groups using the BWDC client again (Clear the cache first unless changes to the users/groups in the directory were made)
  5. Review the groups in the web vault. There will now be two of each group that was edited. The original group (with no External ID) will still exist, but there will also be a second group of the same name with the External ID set, but without the assigned collections.

Expected behaviour

Changes to the group should be saved without affecting fields not edited (or read-only fields)

Actual behaviour

The changes to the group are saved, but the External ID field is cleared as well. This results in duplicates of the group being created the next time synchronization is performed using the Bitwarden Directory Connector.

Troubleshooting data

I think the cause of this is the API request made by the web vault always sends null for the External ID, even if it is set, as the External ID is a read-only field (at least in the web vault). When a group is edited, the current External ID should be preserved instead of being either overwritten by this value or reset to the default null value.


@tessus commented on GitHub (Jul 11, 2023):

> I think the cause of this is the API request made by the web vault always sends null for the External ID, even if it is set, as the External ID is a read-only field (at least in the web vault).

If this is really the case, Bitwarden will have to fix this, because the vw devs do not maintain the clients.

Update: However, it might have something to do with the `pub fn set_external_id` function. It seems to me that the vw server removes the data when an empty string is sent.


@BlackDex commented on GitHub (Jul 11, 2023):

Well, I was looking at this already, and the whole logic is a bit off, I think, looking at it right now.
I can remember that in older versions of the web-vault you were able to configure the external-id values (and you still can for collections, but that might be a bug), but currently you can't.

It states it is only used by the Directory Connector and thus it should only be handled by endpoints using that part.
That means that an update via the web-vault should not update/set/remove the value, as it also is set as read-only.

I know that with the 2022.12.0 release you could still manually add/update those values. But since 2023.2.0 they made those fields read-only.

So in the end, I think we need to make some changes on the Vaultwarden side.


@BlackDex commented on GitHub (Jul 12, 2023):

I have fixed it in the above PR, including some refactoring and other externalId fixes.
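
The behaviour discussed in this thread, as an added Rust example: it is not code from Vaultwarden or from the PR mentioned above, and every type, function and the sample ID `ad-guid-0001` is hypothetical. It models a directory sync, a web-vault edit and a second sync, once with the client-supplied External ID overwriting the stored one and once with the stored value preserved.

```rust
// Added illustration: every name here is hypothetical, not Vaultwarden's code.
#[derive(Clone, Debug, PartialEq)]
struct Group { name: String, external_id: Option<String>, collections: Vec<String> }

/// Web-vault edit request. `external_id` arrives as None because the field is
/// read-only in the client.
struct WebVaultUpdate { name: String, external_id: Option<String>, collections: Vec<String> }

/// Reported behaviour: the client-supplied value replaces the stored one.
fn update_overwriting(_stored: &Group, req: &WebVaultUpdate) -> Group {
    Group { name: req.name.clone(), external_id: req.external_id.clone(), collections: req.collections.clone() }
}

/// Corrected behaviour: the web-vault path ignores the request's `external_id`
/// and carries the stored value forward.
fn update_preserving(stored: &Group, req: &WebVaultUpdate) -> Group {
    Group { name: req.name.clone(), external_id: stored.external_id.clone(), collections: req.collections.clone() }
}

/// Directory-sync path, the only writer of `external_id`. It matches groups by
/// that ID and creates a new, collection-less group when no match exists.
fn directory_sync(groups: &mut Vec<Group>, name: &str, ext_id: &str) {
    if let Some(g) = groups.iter_mut().find(|g| g.external_id.as_deref() == Some(ext_id)) {
        g.name = name.to_string();
        return;
    }
    groups.push(Group { name: name.to_string(), external_id: Some(ext_id.to_string()), collections: vec![] });
}

/// Runs sync -> web-vault edit -> sync and returns the resulting groups.
fn edit_and_resync(update: fn(&Group, &WebVaultUpdate) -> Group) -> Vec<Group> {
    let mut groups = Vec::new();
    directory_sync(&mut groups, "Engineering", "ad-guid-0001"); // constructed sample ID
    let req = WebVaultUpdate {
        name: "Engineering".into(),
        external_id: None,
        collections: vec!["Prod secrets".into()],
    };
    let edited = update(&groups[0], &req);
    groups[0] = edited;
    directory_sync(&mut groups, "Engineering", "ad-guid-0001");
    groups
}

fn main() {
    println!("overwriting: {:?}", edit_and_resync(update_overwriting));
    println!("preserving:  {:?}", edit_and_resync(update_preserving));
}
```

With the overwriting update the second sync finds no group carrying the ID and adds a duplicate without collections; with the preserving update the original group is matched and keeps its collection assignment.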
