[GH-ISSUE #10] The LDAP request is only run on start

kerem commented

2026-03-04 00:59:37 +03:00

Owner

Originally created by @GeorgelT on GitHub (Jan 31, 2025).
Original GitHub issue: https://github.com/sirtoobii/vaultwarden_ldap_sync/issues/10

Thank you for creating this sync script, we've been trying to get this functionality also.

I've managed to get it to work, it recognizes the desired users and filters, but we've noticed that the LDAP request that looks for changes only runs on startup. The guide on the main page runs the docker container detached, meaning it's running like a service.

The ldap_emails variable only gets initialized and populated inside the main loop:

ldap_emails = ldc.get_email_list()

After the main loop you start the long while that doesn't call the ldap function again, just reads the existing emails list.
Either I understand this wrong or there is some timeout/cache in the ldap request, but any changes we make in our LDAP backend doesn't get reflected in the sync job.

If I restart the container a new sync takes place, the new state gets recognized and changes are applied to vaultwarden.

I've tried adding the above line just after the heartbeat and timer area, it did not help.

            # Touch heartbeat file
            with open(args.heartbeat_file, 'a'):
                os.utime(args.heartbeat_file, None)
            time.sleep(args.interval)
            ldap_emails = ldc.get_email_list()

I would really appreciate if the script would live update ldap changes or at least have the timeout known to know when to expect changes to be applied if a new user is added to the ldap filter.

Originally created by @GeorgelT on GitHub (Jan 31, 2025). Original GitHub issue: https://github.com/sirtoobii/vaultwarden_ldap_sync/issues/10 Thank you for creating this sync script, we've been trying to get this functionality also. I've managed to get it to work, it recognizes the desired users and filters, but we've noticed that the LDAP request that looks for changes only runs on startup. The guide on the main page runs the docker container detached, meaning it's running like a service. The ldap_emails variable only gets initialized and populated inside the main loop: ` ldap_emails = ldc.get_email_list()` After the main loop you start the long while that doesn't call the ldap function again, just reads the existing emails list. Either I understand this wrong or there is some timeout/cache in the ldap request, but any changes we make in our LDAP backend doesn't get reflected in the sync job. If I restart the container a new sync takes place, the new state gets recognized and changes are applied to vaultwarden. I've tried adding the above line just after the heartbeat and timer area, it did not help. ``` # Touch heartbeat file with open(args.heartbeat_file, 'a'): os.utime(args.heartbeat_file, None) time.sleep(args.interval) ldap_emails = ldc.get_email_list() ``` I would really appreciate if the script would live update ldap changes or at least have the timeout known to know when to expect changes to be applied if a new user is added to the ldap filter.

kerem

2026-03-04 00:59:37 +03:00

closed this issue
added the
bug
label

kerem commented

2026-03-04 00:59:38 +03:00

Author

Owner

@GeorgelT commented on GitHub (Jan 31, 2025):

It also seems to disable the users, but on next scan/run to not detect the user as disabled. Maybe something has changed in the vaultwarden api:

vaultwarden_ldap_sync    | 2025-01-31:12:21:17 DEBUG [sync.py] Found 2 user(s) in Vaultwarden
vaultwarden_ldap_sync    | 2025-01-31:12:21:17 DEBUG [sync.py] Found 0 vanished user(s)
vaultwarden_ldap_sync    | 2025-01-31:12:21:17 DEBUG [sync.py] Found 0 deleted user(s)
vaultwarden_ldap_sync    | 2025-01-31:12:21:17 DEBUG [sync.py] Found 0 disabled user(s)
vaultwarden_ldap_sync    | 2025-01-31:12:21:17 DEBUG [sync.py] Found 0 enabled user(s)
vaultwarden_ldap_sync    | 2025-01-31:12:21:17 DEBUG [sync.py] Found 0 user(s) with changed emails
vaultwarden_ldap_sync    | 2025-01-31:12:21:17 DEBUG [VaultwardenConnector.py] Cookie store found, loading
vaultwarden_ldap_sync    | 2025-01-31:12:21:17 DEBUG [connectionpool.py] https://xxxxx:443 "GET /office/admin/users HTTP/1.1" 200 6978
vaultwarden_ldap_sync    | 2025-01-31:12:21:17 DEBUG [sync.py] Found 0 user(s) to invite
vaultwarden_ldap_sync    | 2025-01-31:12:21:17 DEBUG [sync.py] Found 1 user(s) to disable
vaultwarden_ldap_sync    | 2025-01-31:12:21:17 DEBUG [VaultwardenConnector.py] Cookie store found, loading
vaultwarden_ldap_sync    | 2025-01-31:12:21:17 DEBUG [connectionpool.py] https://xxxxxx:443 "POST /office/admin/users/a487e68f-e0ec-479e-ab7f-7a3fa0ee282a/disable HTTP/1.1" 200 0
vaultwarden_ldap_sync    | 2025-01-31:12:21:17 INFO [sync.py] Disable user xxxx@xxxxxx
vaultwarden_ldap_sync    | 2025-01-31:12:23:17 DEBUG [VaultwardenConnector.py] Cookie store found, loading
vaultwarden_ldap_sync    | 2025-01-31:12:23:17 DEBUG [connectionpool.py] Resetting dropped connection: xxxxx
vaultwarden_ldap_sync    | 2025-01-31:12:23:17 DEBUG [connectionpool.py] https://xxxxx:443 "GET /office/admin/users HTTP/1.1" 200 6955
vaultwarden_ldap_sync    | 2025-01-31:12:23:17 DEBUG [sync.py] Found 2 user(s) in Vaultwarden
vaultwarden_ldap_sync    | 2025-01-31:12:23:17 DEBUG [sync.py] Found 0 vanished user(s)
vaultwarden_ldap_sync    | 2025-01-31:12:23:17 DEBUG [sync.py] Found 0 deleted user(s)
vaultwarden_ldap_sync    | 2025-01-31:12:23:17 DEBUG [sync.py] Found 0 disabled user(s)
vaultwarden_ldap_sync    | 2025-01-31:12:23:17 DEBUG [sync.py] Found 0 enabled user(s)
vaultwarden_ldap_sync    | 2025-01-31:12:23:17 DEBUG [sync.py] Found 0 user(s) with changed emails

When I re-enable that user on next syncs it doesn't also enable the user again in vaultwarden also.

@GeorgelT commented on GitHub (Jan 31, 2025): It also seems to disable the users, but on next scan/run to not detect the user as disabled. Maybe something has changed in the vaultwarden api: ``` vaultwarden_ldap_sync | 2025-01-31:12:21:17 DEBUG [sync.py] Found 2 user(s) in Vaultwarden vaultwarden_ldap_sync | 2025-01-31:12:21:17 DEBUG [sync.py] Found 0 vanished user(s) vaultwarden_ldap_sync | 2025-01-31:12:21:17 DEBUG [sync.py] Found 0 deleted user(s) vaultwarden_ldap_sync | 2025-01-31:12:21:17 DEBUG [sync.py] Found 0 disabled user(s) vaultwarden_ldap_sync | 2025-01-31:12:21:17 DEBUG [sync.py] Found 0 enabled user(s) vaultwarden_ldap_sync | 2025-01-31:12:21:17 DEBUG [sync.py] Found 0 user(s) with changed emails vaultwarden_ldap_sync | 2025-01-31:12:21:17 DEBUG [VaultwardenConnector.py] Cookie store found, loading vaultwarden_ldap_sync | 2025-01-31:12:21:17 DEBUG [connectionpool.py] https://xxxxx:443 "GET /office/admin/users HTTP/1.1" 200 6978 vaultwarden_ldap_sync | 2025-01-31:12:21:17 DEBUG [sync.py] Found 0 user(s) to invite vaultwarden_ldap_sync | 2025-01-31:12:21:17 DEBUG [sync.py] Found 1 user(s) to disable vaultwarden_ldap_sync | 2025-01-31:12:21:17 DEBUG [VaultwardenConnector.py] Cookie store found, loading vaultwarden_ldap_sync | 2025-01-31:12:21:17 DEBUG [connectionpool.py] https://xxxxxx:443 "POST /office/admin/users/a487e68f-e0ec-479e-ab7f-7a3fa0ee282a/disable HTTP/1.1" 200 0 vaultwarden_ldap_sync | 2025-01-31:12:21:17 INFO [sync.py] Disable user xxxx@xxxxxx vaultwarden_ldap_sync | 2025-01-31:12:23:17 DEBUG [VaultwardenConnector.py] Cookie store found, loading vaultwarden_ldap_sync | 2025-01-31:12:23:17 DEBUG [connectionpool.py] Resetting dropped connection: xxxxx vaultwarden_ldap_sync | 2025-01-31:12:23:17 DEBUG [connectionpool.py] https://xxxxx:443 "GET /office/admin/users HTTP/1.1" 200 6955 vaultwarden_ldap_sync | 2025-01-31:12:23:17 DEBUG [sync.py] Found 2 user(s) in Vaultwarden vaultwarden_ldap_sync | 2025-01-31:12:23:17 DEBUG [sync.py] Found 0 vanished user(s) vaultwarden_ldap_sync | 2025-01-31:12:23:17 DEBUG [sync.py] Found 0 deleted user(s) vaultwarden_ldap_sync | 2025-01-31:12:23:17 DEBUG [sync.py] Found 0 disabled user(s) vaultwarden_ldap_sync | 2025-01-31:12:23:17 DEBUG [sync.py] Found 0 enabled user(s) vaultwarden_ldap_sync | 2025-01-31:12:23:17 DEBUG [sync.py] Found 0 user(s) with changed emails ``` When I re-enable that user on next syncs it doesn't also enable the user again in vaultwarden also.

kerem commented

2026-03-04 00:59:38 +03:00

Author

Owner

@sirtoobii commented on GitHub (Jan 31, 2025):

Hi @GeorgelT, thank you for the report. There is indeed an error in the program logic - get_email_list() should be called inside the loop.

I've tried adding the above line just after the heartbeat and timer area, it did not help.

I suspect this is due to to the long (default) sleep time between sync attempts. I've pushed a new branch test/GeorgeIT with a lowered default value and a "Random" email source. Would you mind giving it a short test?

@sirtoobii commented on GitHub (Jan 31, 2025): Hi @GeorgelT, thank you for the report. There is indeed an error in the program logic - `get_email_list()` should be called inside the loop. > I've tried adding the above line just after the heartbeat and timer area, it did not help. I suspect this is due to to the long (default) sleep time between sync attempts. I've pushed a new branch `test/GeorgeIT` with a lowered default value and a "Random" email source. Would you mind giving it a short test?

kerem commented

2026-03-04 00:59:38 +03:00

Author

Owner

@GeorgelT commented on GitHub (Feb 3, 2025):

Here is the output from the initial startup, it has tried to invite the example emails from the source list.

vaultwarden_ldap_sync    | 2025-02-03:08:56:36 INFO [sync.py] Starting...
vaultwarden_ldap_sync    | 2025-02-03:08:56:36 INFO [sync.py] DRYRUN: False
vaultwarden_ldap_sync    | 2025-02-03:08:56:36 INFO [sync.py] LDAP server: ldap.xxxxx
vaultwarden_ldap_sync    | 2025-02-03:08:56:36 INFO [sync.py] Vaultwarden url: https://xxxxx.xxx/office
vaultwarden_ldap_sync    | 2025-02-03:08:56:36 DEBUG [connectionpool.py] Starting new HTTPS connection (1): xxxxx.xxx:443
vaultwarden_ldap_sync    | 2025-02-03:08:56:36 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "GET /office/admin/users HTTP/1.1" 401 4877
vaultwarden_ldap_sync    | 2025-02-03:08:56:36 DEBUG [VaultwardenConnector.py] Could not authenticate using cookie, trying token
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "POST /office/admin HTTP/1.1" 200 13550
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 DEBUG [VaultwardenConnector.py] Authentication using token successful, storing cookie
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "GET /office/admin/users HTTP/1.1" 200 6954
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 DEBUG [sync.py] Found 2 user(s) in Vaultwarden
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 DEBUG [sync.py] Found 0 vanished user(s)
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 DEBUG [sync.py] Found 0 deleted user(s)
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 DEBUG [sync.py] Found 0 disabled user(s)
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 DEBUG [sync.py] Found 0 enabled user(s)
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 DEBUG [sync.py] Found 0 user(s) with changed emails
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "GET /office/admin/users HTTP/1.1" 200 6954
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 DEBUG [sync.py] Found 5 user(s) to invite
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 DEBUG [sync.py] Found 0 user(s) to disable
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "POST /office/admin/invite HTTP/1.1" 200 534
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 INFO [VaultwardenConnector.py] Successfully invited user tester_2@example.com with ID 7442af47-cd5f-46de-a26c-5a6baad30445
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 INFO [sync.py] Invite user tester_2@example.com
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "POST /office/admin/invite HTTP/1.1" 200 534
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 INFO [VaultwardenConnector.py] Successfully invited user tester_3@example.com with ID b159416f-f33e-466c-95b9-456fa7eaec35
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 INFO [sync.py] Invite user tester_3@example.com
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "POST /office/admin/invite HTTP/1.1" 200 534
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 INFO [VaultwardenConnector.py] Successfully invited user tester_4@example.com with ID 712492b9-8c53-490d-9f23-599c53542a1b
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 INFO [sync.py] Invite user tester_4@example.com
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "POST /office/admin/invite HTTP/1.1" 200 534
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 INFO [VaultwardenConnector.py] Successfully invited user tester_1@exmaple.com with ID a202eb44-1031-492b-8cfb-51c5d0c1ad89
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 INFO [sync.py] Invite user tester_1@exmaple.com
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "POST /office/admin/invite HTTP/1.1" 200 534
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 INFO [VaultwardenConnector.py] Successfully invited user tester_5@example.com with ID 153ed569-7ed6-412c-b3d1-2f1a90c244e5
vaultwarden_ldap_sync    | 2025-02-03:08:56:37 INFO [sync.py] Invite user tester_5@example.com

I will update you again later, but monday is a lot of meetings day.

LE: it disabled the users from the mail list, but they are not listed as disabled users in the log, they are indeed disabled in the vaultwarden instance.

(vaultwarden_ldap_sync    | 2025-02-03:09:06:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "GET /office/admin/users HTTP/1.1" 200 10020
vaultwarden_ldap_sync    | 2025-02-03:09:06:37 DEBUG [sync.py] Found 7 user(s) in Vaultwarden
vaultwarden_ldap_sync    | 2025-02-03:09:06:37 DEBUG [sync.py] Found 0 vanished user(s)
vaultwarden_ldap_sync    | 2025-02-03:09:06:37 DEBUG [sync.py] Found 0 deleted user(s)
vaultwarden_ldap_sync    | 2025-02-03:09:06:37 DEBUG [sync.py] Found 0 disabled user(s)
vaultwarden_ldap_sync    | 2025-02-03:09:06:37 DEBUG [sync.py] Found 0 enabled user(s)
vaultwarden_ldap_sync    | 2025-02-03:09:06:37 DEBUG [sync.py] Found 0 user(s) with changed emails
vaultwarden_ldap_sync    | 2025-02-03:09:06:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading
vaultwarden_ldap_sync    | 2025-02-03:09:06:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "GET /office/admin/users HTTP/1.1" 200 10020
vaultwarden_ldap_sync    | 2025-02-03:09:06:37 DEBUG [sync.py] Found 0 user(s) to invite
vaultwarden_ldap_sync    | 2025-02-03:09:06:37 DEBUG [sync.py] Found 3 user(s) to disable
vaultwarden_ldap_sync    | 2025-02-03:09:06:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading
vaultwarden_ldap_sync    | 2025-02-03:09:06:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "POST /office/admin/users/712492b9-8c53-490d-9f23-599c53542a1b/disable HTTP/1.1" 200 0
vaultwarden_ldap_sync    | 2025-02-03:09:06:37 INFO [sync.py] Disable user tester_4@example.com
vaultwarden_ldap_sync    | 2025-02-03:09:06:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading
vaultwarden_ldap_sync    | 2025-02-03:09:06:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "POST /office/admin/users/7442af47-cd5f-46de-a26c-5a6baad30445/disable HTTP/1.1" 200 0
vaultwarden_ldap_sync    | 2025-02-03:09:06:37 INFO [sync.py] Disable user tester_2@example.com
vaultwarden_ldap_sync    | 2025-02-03:09:06:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading
vaultwarden_ldap_sync    | 2025-02-03:09:06:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "POST /office/admin/users/b159416f-f33e-466c-95b9-456fa7eaec35/disable HTTP/1.1" 200 0
vaultwarden_ldap_sync    | 2025-02-03:09:06:37 INFO [sync.py] Disable user tester_3@example.com
vaultwarden_ldap_sync    | 2025-02-03:09:08:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading
vaultwarden_ldap_sync    | 2025-02-03:09:08:37 DEBUG [connectionpool.py] Resetting dropped connection: xxxxx.xxx
vaultwarden_ldap_sync    | 2025-02-03:09:08:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "GET /office/admin/users HTTP/1.1" 200 10023
vaultwarden_ldap_sync    | 2025-02-03:09:08:37 DEBUG [sync.py] Found 7 user(s) in Vaultwarden
vaultwarden_ldap_sync    | 2025-02-03:09:08:37 DEBUG [sync.py] Found 0 vanished user(s)
vaultwarden_ldap_sync    | 2025-02-03:09:08:37 DEBUG [sync.py] Found 0 deleted user(s)
vaultwarden_ldap_sync    | 2025-02-03:09:08:37 DEBUG [sync.py] Found 0 disabled user(s)
vaultwarden_ldap_sync    | 2025-02-03:09:08:37 DEBUG [sync.py] Found 0 enabled user(s)
vaultwarden_ldap_sync    | 2025-02-03:09:08:37 DEBUG [sync.py] Found 0 user(s) with changed emails
vaultwarden_ldap_sync    | 2025-02-03:09:08:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading
vaultwarden_ldap_sync    | 2025-02-03:09:08:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "GET /office/admin/users HTTP/1.1" 200 10023
vaultwarden_ldap_sync    | 2025-02-03:09:08:37 DEBUG [sync.py] Found 0 user(s) to invite
vaultwarden_ldap_sync    | 2025-02-03:09:08:37 DEBUG [sync.py] Found 0 user(s) to disable
vaultwarden_ldap_sync    | 2025-02-03:09:10:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading
vaultwarden_ldap_sync    | 2025-02-03:09:10:37 DEBUG [connectionpool.py] Resetting dropped connection: xxxxx.xxx
vaultwarden_ldap_sync    | 2025-02-03:09:10:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "GET /office/admin/users HTTP/1.1" 200 10023
vaultwarden_ldap_sync    | 2025-02-03:09:10:37 DEBUG [sync.py] Found 7 user(s) in Vaultwarden
vaultwarden_ldap_sync    | 2025-02-03:09:10:37 DEBUG [sync.py] Found 0 vanished user(s)
vaultwarden_ldap_sync    | 2025-02-03:09:10:37 DEBUG [sync.py] Found 0 deleted user(s)
vaultwarden_ldap_sync    | 2025-02-03:09:10:37 DEBUG [sync.py] Found 0 disabled user(s)
vaultwarden_ldap_sync    | 2025-02-03:09:10:37 DEBUG [sync.py] Found 0 enabled user(s)
vaultwarden_ldap_sync    | 2025-02-03:09:10:37 DEBUG [sync.py] Found 0 user(s) with changed emails
vaultwarden_ldap_sync    | 2025-02-03:09:10:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading
vaultwarden_ldap_sync    | 2025-02-03:09:10:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "GET /office/admin/users HTTP/1.1" 200 10023
vaultwarden_ldap_sync    | 2025-02-03:09:10:37 DEBUG [sync.py] Found 0 user(s) to invite
vaultwarden_ldap_sync    | 2025-02-03:09:10:37 DEBUG [sync.py] Found 0 user(s) to disable)

@GeorgelT commented on GitHub (Feb 3, 2025): Here is the output from the initial startup, it has tried to invite the example emails from the source list. ``` vaultwarden_ldap_sync | 2025-02-03:08:56:36 INFO [sync.py] Starting... vaultwarden_ldap_sync | 2025-02-03:08:56:36 INFO [sync.py] DRYRUN: False vaultwarden_ldap_sync | 2025-02-03:08:56:36 INFO [sync.py] LDAP server: ldap.xxxxx vaultwarden_ldap_sync | 2025-02-03:08:56:36 INFO [sync.py] Vaultwarden url: https://xxxxx.xxx/office vaultwarden_ldap_sync | 2025-02-03:08:56:36 DEBUG [connectionpool.py] Starting new HTTPS connection (1): xxxxx.xxx:443 vaultwarden_ldap_sync | 2025-02-03:08:56:36 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "GET /office/admin/users HTTP/1.1" 401 4877 vaultwarden_ldap_sync | 2025-02-03:08:56:36 DEBUG [VaultwardenConnector.py] Could not authenticate using cookie, trying token vaultwarden_ldap_sync | 2025-02-03:08:56:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "POST /office/admin HTTP/1.1" 200 13550 vaultwarden_ldap_sync | 2025-02-03:08:56:37 DEBUG [VaultwardenConnector.py] Authentication using token successful, storing cookie vaultwarden_ldap_sync | 2025-02-03:08:56:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading vaultwarden_ldap_sync | 2025-02-03:08:56:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "GET /office/admin/users HTTP/1.1" 200 6954 vaultwarden_ldap_sync | 2025-02-03:08:56:37 DEBUG [sync.py] Found 2 user(s) in Vaultwarden vaultwarden_ldap_sync | 2025-02-03:08:56:37 DEBUG [sync.py] Found 0 vanished user(s) vaultwarden_ldap_sync | 2025-02-03:08:56:37 DEBUG [sync.py] Found 0 deleted user(s) vaultwarden_ldap_sync | 2025-02-03:08:56:37 DEBUG [sync.py] Found 0 disabled user(s) vaultwarden_ldap_sync | 2025-02-03:08:56:37 DEBUG [sync.py] Found 0 enabled user(s) vaultwarden_ldap_sync | 2025-02-03:08:56:37 DEBUG [sync.py] Found 0 user(s) with changed emails vaultwarden_ldap_sync | 2025-02-03:08:56:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading vaultwarden_ldap_sync | 2025-02-03:08:56:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "GET /office/admin/users HTTP/1.1" 200 6954 vaultwarden_ldap_sync | 2025-02-03:08:56:37 DEBUG [sync.py] Found 5 user(s) to invite vaultwarden_ldap_sync | 2025-02-03:08:56:37 DEBUG [sync.py] Found 0 user(s) to disable vaultwarden_ldap_sync | 2025-02-03:08:56:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading vaultwarden_ldap_sync | 2025-02-03:08:56:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "POST /office/admin/invite HTTP/1.1" 200 534 vaultwarden_ldap_sync | 2025-02-03:08:56:37 INFO [VaultwardenConnector.py] Successfully invited user tester_2@example.com with ID 7442af47-cd5f-46de-a26c-5a6baad30445 vaultwarden_ldap_sync | 2025-02-03:08:56:37 INFO [sync.py] Invite user tester_2@example.com vaultwarden_ldap_sync | 2025-02-03:08:56:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading vaultwarden_ldap_sync | 2025-02-03:08:56:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "POST /office/admin/invite HTTP/1.1" 200 534 vaultwarden_ldap_sync | 2025-02-03:08:56:37 INFO [VaultwardenConnector.py] Successfully invited user tester_3@example.com with ID b159416f-f33e-466c-95b9-456fa7eaec35 vaultwarden_ldap_sync | 2025-02-03:08:56:37 INFO [sync.py] Invite user tester_3@example.com vaultwarden_ldap_sync | 2025-02-03:08:56:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading vaultwarden_ldap_sync | 2025-02-03:08:56:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "POST /office/admin/invite HTTP/1.1" 200 534 vaultwarden_ldap_sync | 2025-02-03:08:56:37 INFO [VaultwardenConnector.py] Successfully invited user tester_4@example.com with ID 712492b9-8c53-490d-9f23-599c53542a1b vaultwarden_ldap_sync | 2025-02-03:08:56:37 INFO [sync.py] Invite user tester_4@example.com vaultwarden_ldap_sync | 2025-02-03:08:56:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading vaultwarden_ldap_sync | 2025-02-03:08:56:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "POST /office/admin/invite HTTP/1.1" 200 534 vaultwarden_ldap_sync | 2025-02-03:08:56:37 INFO [VaultwardenConnector.py] Successfully invited user tester_1@exmaple.com with ID a202eb44-1031-492b-8cfb-51c5d0c1ad89 vaultwarden_ldap_sync | 2025-02-03:08:56:37 INFO [sync.py] Invite user tester_1@exmaple.com vaultwarden_ldap_sync | 2025-02-03:08:56:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading vaultwarden_ldap_sync | 2025-02-03:08:56:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "POST /office/admin/invite HTTP/1.1" 200 534 vaultwarden_ldap_sync | 2025-02-03:08:56:37 INFO [VaultwardenConnector.py] Successfully invited user tester_5@example.com with ID 153ed569-7ed6-412c-b3d1-2f1a90c244e5 vaultwarden_ldap_sync | 2025-02-03:08:56:37 INFO [sync.py] Invite user tester_5@example.com ``` I will update you again later, but monday is a lot of meetings day. LE: it disabled the users from the mail list, but they are not listed as disabled users in the log, they are indeed disabled in the vaultwarden instance. ``` (vaultwarden_ldap_sync | 2025-02-03:09:06:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "GET /office/admin/users HTTP/1.1" 200 10020 vaultwarden_ldap_sync | 2025-02-03:09:06:37 DEBUG [sync.py] Found 7 user(s) in Vaultwarden vaultwarden_ldap_sync | 2025-02-03:09:06:37 DEBUG [sync.py] Found 0 vanished user(s) vaultwarden_ldap_sync | 2025-02-03:09:06:37 DEBUG [sync.py] Found 0 deleted user(s) vaultwarden_ldap_sync | 2025-02-03:09:06:37 DEBUG [sync.py] Found 0 disabled user(s) vaultwarden_ldap_sync | 2025-02-03:09:06:37 DEBUG [sync.py] Found 0 enabled user(s) vaultwarden_ldap_sync | 2025-02-03:09:06:37 DEBUG [sync.py] Found 0 user(s) with changed emails vaultwarden_ldap_sync | 2025-02-03:09:06:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading vaultwarden_ldap_sync | 2025-02-03:09:06:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "GET /office/admin/users HTTP/1.1" 200 10020 vaultwarden_ldap_sync | 2025-02-03:09:06:37 DEBUG [sync.py] Found 0 user(s) to invite vaultwarden_ldap_sync | 2025-02-03:09:06:37 DEBUG [sync.py] Found 3 user(s) to disable vaultwarden_ldap_sync | 2025-02-03:09:06:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading vaultwarden_ldap_sync | 2025-02-03:09:06:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "POST /office/admin/users/712492b9-8c53-490d-9f23-599c53542a1b/disable HTTP/1.1" 200 0 vaultwarden_ldap_sync | 2025-02-03:09:06:37 INFO [sync.py] Disable user tester_4@example.com vaultwarden_ldap_sync | 2025-02-03:09:06:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading vaultwarden_ldap_sync | 2025-02-03:09:06:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "POST /office/admin/users/7442af47-cd5f-46de-a26c-5a6baad30445/disable HTTP/1.1" 200 0 vaultwarden_ldap_sync | 2025-02-03:09:06:37 INFO [sync.py] Disable user tester_2@example.com vaultwarden_ldap_sync | 2025-02-03:09:06:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading vaultwarden_ldap_sync | 2025-02-03:09:06:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "POST /office/admin/users/b159416f-f33e-466c-95b9-456fa7eaec35/disable HTTP/1.1" 200 0 vaultwarden_ldap_sync | 2025-02-03:09:06:37 INFO [sync.py] Disable user tester_3@example.com vaultwarden_ldap_sync | 2025-02-03:09:08:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading vaultwarden_ldap_sync | 2025-02-03:09:08:37 DEBUG [connectionpool.py] Resetting dropped connection: xxxxx.xxx vaultwarden_ldap_sync | 2025-02-03:09:08:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "GET /office/admin/users HTTP/1.1" 200 10023 vaultwarden_ldap_sync | 2025-02-03:09:08:37 DEBUG [sync.py] Found 7 user(s) in Vaultwarden vaultwarden_ldap_sync | 2025-02-03:09:08:37 DEBUG [sync.py] Found 0 vanished user(s) vaultwarden_ldap_sync | 2025-02-03:09:08:37 DEBUG [sync.py] Found 0 deleted user(s) vaultwarden_ldap_sync | 2025-02-03:09:08:37 DEBUG [sync.py] Found 0 disabled user(s) vaultwarden_ldap_sync | 2025-02-03:09:08:37 DEBUG [sync.py] Found 0 enabled user(s) vaultwarden_ldap_sync | 2025-02-03:09:08:37 DEBUG [sync.py] Found 0 user(s) with changed emails vaultwarden_ldap_sync | 2025-02-03:09:08:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading vaultwarden_ldap_sync | 2025-02-03:09:08:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "GET /office/admin/users HTTP/1.1" 200 10023 vaultwarden_ldap_sync | 2025-02-03:09:08:37 DEBUG [sync.py] Found 0 user(s) to invite vaultwarden_ldap_sync | 2025-02-03:09:08:37 DEBUG [sync.py] Found 0 user(s) to disable vaultwarden_ldap_sync | 2025-02-03:09:10:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading vaultwarden_ldap_sync | 2025-02-03:09:10:37 DEBUG [connectionpool.py] Resetting dropped connection: xxxxx.xxx vaultwarden_ldap_sync | 2025-02-03:09:10:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "GET /office/admin/users HTTP/1.1" 200 10023 vaultwarden_ldap_sync | 2025-02-03:09:10:37 DEBUG [sync.py] Found 7 user(s) in Vaultwarden vaultwarden_ldap_sync | 2025-02-03:09:10:37 DEBUG [sync.py] Found 0 vanished user(s) vaultwarden_ldap_sync | 2025-02-03:09:10:37 DEBUG [sync.py] Found 0 deleted user(s) vaultwarden_ldap_sync | 2025-02-03:09:10:37 DEBUG [sync.py] Found 0 disabled user(s) vaultwarden_ldap_sync | 2025-02-03:09:10:37 DEBUG [sync.py] Found 0 enabled user(s) vaultwarden_ldap_sync | 2025-02-03:09:10:37 DEBUG [sync.py] Found 0 user(s) with changed emails vaultwarden_ldap_sync | 2025-02-03:09:10:37 DEBUG [VaultwardenConnector.py] Cookie store found, loading vaultwarden_ldap_sync | 2025-02-03:09:10:37 DEBUG [connectionpool.py] https://xxxxx.xxx:443 "GET /office/admin/users HTTP/1.1" 200 10023 vaultwarden_ldap_sync | 2025-02-03:09:10:37 DEBUG [sync.py] Found 0 user(s) to invite vaultwarden_ldap_sync | 2025-02-03:09:10:37 DEBUG [sync.py] Found 0 user(s) to disable) ```

kerem commented

2026-03-04 00:59:38 +03:00

Author

Owner

@GeorgelT commented on GitHub (Feb 3, 2025):

Ok we were able to check the LDAP filtering. We have 2 test users that we add or remove to the filtered group.

At the moment I can't see any change in the outputs of the debuglog with changes we make in LDAP. Manually running the ldap requests we get the updated data, we can exclude ldap-caching behaviours.

The behaviour mentioned previously, if I enable a user after he has been disabled, he should be enabled again in the instance once he's back in the ldap group. When the user gets back to the group nothing happens. Even after container rebuilds/restarts.

@GeorgelT commented on GitHub (Feb 3, 2025): Ok we were able to check the LDAP filtering. We have 2 test users that we add or remove to the filtered group. At the moment I can't see any change in the outputs of the debuglog with changes we make in LDAP. Manually running the ldap requests we get the updated data, we can exclude ldap-caching behaviours. The behaviour mentioned previously, if I enable a user after he has been disabled, he should be enabled again in the instance once he's back in the ldap group. When the user gets back to the group nothing happens. Even after container rebuilds/restarts.

kerem commented

2026-03-04 00:59:38 +03:00

Author

Owner

@sirtoobii commented on GitHub (Feb 8, 2025):

The behaviour mentioned previously, if I enable a user after he has been disabled, he should be enabled again in the instance once he's back in the ldap group. When the user gets back to the group nothing happens. Even after container rebuilds/restarts.

Can confirm this behavior, working on it

@sirtoobii commented on GitHub (Feb 8, 2025): > The behaviour mentioned previously, if I enable a user after he has been disabled, he should be enabled again in the instance once he's back in the ldap group. When the user gets back to the group nothing happens. Even after container rebuilds/restarts. Can confirm this behavior, working on it

kerem commented

2026-03-04 00:59:38 +03:00

Author

Owner

@sirtoobii commented on GitHub (Feb 9, 2025):

@GeorgelT I ended up doing a major refactoring of the entire codebase. Can you test this branch?

Short summary of changes:

Replaced dicts with dataclasses
Restructured the folder structure to be more Pythonic
Fixed issue where the email source was only updated once
Re-enable users who reappear in the email source
Added an option to adopt users
Added an option to reset the local state

@sirtoobii commented on GitHub (Feb 9, 2025): @GeorgelT I ended up doing a major refactoring of the entire codebase. Can you test [this branch](https://github.com/sirtoobii/vaultwarden_ldap_sync/tree/big-refactor)? Short summary of changes: - Replaced dicts with dataclasses - Restructured the folder structure to be more Pythonic - Fixed issue where the email source was only updated once - Re-enable users who reappear in the email source - Added an option to adopt users - Added an option to reset the local state

kerem commented

2026-03-04 00:59:38 +03:00

Author

Owner

@GeorgelT commented on GitHub (Feb 11, 2025):

I was able to do some testing, not sure if something is buggy, but it doesn't list what it found in vaultwarden anymore. We tried disabling a user than re-enable it and nothing changed in the debugging output. On the vaultwareden side also nothing has changed. I don't think it works anymore. We let it run for some time and even restarted it a couple of times.

vaultwarden_ldap_sync    | 2025-02-11:11:41:30 INFO [sync.py] Starting...
vaultwarden_ldap_sync    | 2025-02-11:11:41:30 INFO [sync.py] DRYRUN: False
vaultwarden_ldap_sync    | 2025-02-11:11:41:30 INFO [sync.py] LDAP server: ldap.xxxxxxx
vaultwarden_ldap_sync    | 2025-02-11:11:41:30 INFO [sync.py] Vaultwarden URL: https://xxx.xxxxxxx/office
vaultwarden_ldap_sync    | 2025-02-11:11:41:30 DEBUG [connectionpool.py] Starting new HTTPS connection (1): safebox.xxxxxxx:443
vaultwarden_ldap_sync    | 2025-02-11:11:41:30 DEBUG [connectionpool.py] https://safebox.xxxxxxx:443 "GET /office/admin/users HTTP/1.1" 401 282
vaultwarden_ldap_sync    | 2025-02-11:11:41:30 DEBUG [vaultwarden.py] Could not authenticate using cookie, trying token
vaultwarden_ldap_sync    | 2025-02-11:11:41:31 DEBUG [connectionpool.py] https://safebox.xxxxxxx:443 "POST /office/admin HTTP/1.1" 200 13550
vaultwarden_ldap_sync    | 2025-02-11:11:41:31 DEBUG [vaultwarden.py] Authentication using token successful, storing cookie
vaultwarden_ldap_sync    | 2025-02-11:11:41:31 DEBUG [vaultwarden.py] Cookie store found, loading
vaultwarden_ldap_sync    | 2025-02-11:11:41:31 DEBUG [connectionpool.py] https://safebox.xxxxxxx:443 "GET /office/admin/users HTTP/1.1" 200 10638
vaultwarden_ldap_sync    | 2025-02-11:11:43:31 DEBUG [vaultwarden.py] Cookie store found, loading
vaultwarden_ldap_sync    | 2025-02-11:11:43:31 DEBUG [connectionpool.py] Resetting dropped connection: safebox.xxxxxxx
vaultwarden_ldap_sync    | 2025-02-11:11:43:31 DEBUG [connectionpool.py] https://safebox.xxxxxxx:443 "GET /office/admin/users HTTP/1.1" 200 10638

Previously even if I were to ignore the vaultwarden listing I would see the requests to the admin api. I don't think it does anything right now or maybe I tested something wrong.

@GeorgelT commented on GitHub (Feb 11, 2025): I was able to do some testing, not sure if something is buggy, but it doesn't list what it found in vaultwarden anymore. We tried disabling a user than re-enable it and nothing changed in the debugging output. On the vaultwareden side also nothing has changed. I don't think it works anymore. We let it run for some time and even restarted it a couple of times. ``` vaultwarden_ldap_sync | 2025-02-11:11:41:30 INFO [sync.py] Starting... vaultwarden_ldap_sync | 2025-02-11:11:41:30 INFO [sync.py] DRYRUN: False vaultwarden_ldap_sync | 2025-02-11:11:41:30 INFO [sync.py] LDAP server: ldap.xxxxxxx vaultwarden_ldap_sync | 2025-02-11:11:41:30 INFO [sync.py] Vaultwarden URL: https://xxx.xxxxxxx/office vaultwarden_ldap_sync | 2025-02-11:11:41:30 DEBUG [connectionpool.py] Starting new HTTPS connection (1): safebox.xxxxxxx:443 vaultwarden_ldap_sync | 2025-02-11:11:41:30 DEBUG [connectionpool.py] https://safebox.xxxxxxx:443 "GET /office/admin/users HTTP/1.1" 401 282 vaultwarden_ldap_sync | 2025-02-11:11:41:30 DEBUG [vaultwarden.py] Could not authenticate using cookie, trying token vaultwarden_ldap_sync | 2025-02-11:11:41:31 DEBUG [connectionpool.py] https://safebox.xxxxxxx:443 "POST /office/admin HTTP/1.1" 200 13550 vaultwarden_ldap_sync | 2025-02-11:11:41:31 DEBUG [vaultwarden.py] Authentication using token successful, storing cookie vaultwarden_ldap_sync | 2025-02-11:11:41:31 DEBUG [vaultwarden.py] Cookie store found, loading vaultwarden_ldap_sync | 2025-02-11:11:41:31 DEBUG [connectionpool.py] https://safebox.xxxxxxx:443 "GET /office/admin/users HTTP/1.1" 200 10638 vaultwarden_ldap_sync | 2025-02-11:11:43:31 DEBUG [vaultwarden.py] Cookie store found, loading vaultwarden_ldap_sync | 2025-02-11:11:43:31 DEBUG [connectionpool.py] Resetting dropped connection: safebox.xxxxxxx vaultwarden_ldap_sync | 2025-02-11:11:43:31 DEBUG [connectionpool.py] https://safebox.xxxxxxx:443 "GET /office/admin/users HTTP/1.1" 200 10638 ``` Previously even if I were to ignore the vaultwarden listing I would see the requests to the admin api. I don't think it does anything right now or maybe I tested something wrong.

kerem commented

2026-03-04 00:59:38 +03:00

Author

Owner

@sirtoobii commented on GitHub (Feb 11, 2025):

Pushed a fix for the missing print statements, can you try again (don't forget to rebuild the container)

@sirtoobii commented on GitHub (Feb 11, 2025): Pushed a fix for the missing print statements, can you try again (don't forget to rebuild the container)

kerem commented

2026-03-04 00:59:38 +03:00

Author

Owner

@GeorgelT commented on GitHub (Feb 11, 2025):

First of, thank you very much for being so responsive. The new debug listing looks very good.

Things I can confirm at the moment:

ldap check is being done after each run, this is good now.

Shortened output from one run to the next:

......
vaultwarden_ldap_sync    |  * adoption_candidates: 2
vaultwarden_ldap_sync    | Pending changes:
vaultwarden_ldap_sync    |  * Invite: 0
vaultwarden_ldap_sync    |  * Enable: 0
vaultwarden_ldap_sync    |  * Disable: 0
vaultwarden_ldap_sync    |
.........
vaultwarden_ldap_sync    |  * email_vanished_in_both: 0
vaultwarden_ldap_sync    |  * users_with_changed_email: 0
vaultwarden_ldap_sync    |  * adoption_candidates: 1
vaultwarden_ldap_sync    | Pending changes:
vaultwarden_ldap_sync    |  * Invite: 0
vaultwarden_ldap_sync    |  * Enable: 0
vaultwarden_ldap_sync    |  * Disable: 0
vaultwarden_ldap_sync    |

Not sure what the "adoption_candidates" flag is, but the listing from the instance itself does not seem to be represented correctly. Even after it invites/enables/disables users.

vaultwarden_ldap_sync    | 2025-02-11:13:51:16 DEBUG [sync.py] Difference compared to local state/emails source:
vaultwarden_ldap_sync    |  * user_ids_enabled_in_vw: 0
vaultwarden_ldap_sync    |  * user_ids_enable_in_src: 0
vaultwarden_ldap_sync    |  * user_ids_disabled_in_vw: 0
vaultwarden_ldap_sync    |  * user_ids_vanished_in_vw: 0
vaultwarden_ldap_sync    |  * email_vanished_in_src: 0
vaultwarden_ldap_sync    |  * email_vanished_in_both: 0
vaultwarden_ldap_sync    |  * users_with_changed_email: 0
vaultwarden_ldap_sync    |  * adoption_candidates: 1
vaultwarden_ldap_sync    | Pending changes:
vaultwarden_ldap_sync    |  * Invite: 1
vaultwarden_ldap_sync    |  * Enable: 0
vaultwarden_ldap_sync    |  * Disable: 0
vaultwarden_ldap_sync    |
.........
vaultwarden_ldap_sync    | 2025-02-11:13:53:16 DEBUG [sync.py] Difference compared to local state/emails source:
vaultwarden_ldap_sync    |  * user_ids_enabled_in_vw: 0
vaultwarden_ldap_sync    |  * user_ids_enable_in_src: 0
vaultwarden_ldap_sync    |  * user_ids_disabled_in_vw: 0
vaultwarden_ldap_sync    |  * user_ids_vanished_in_vw: 0
vaultwarden_ldap_sync    |  * email_vanished_in_src: 0
vaultwarden_ldap_sync    |  * email_vanished_in_both: 0
vaultwarden_ldap_sync    |  * users_with_changed_email: 0
vaultwarden_ldap_sync    |  * adoption_candidates: 1
vaultwarden_ldap_sync    | Pending changes:
vaultwarden_ldap_sync    |  * Invite: 0
vaultwarden_ldap_sync    |  * Enable: 0
vaultwarden_ldap_sync    |  * Disable: 0

I've manually removed the one user, that is no longer in ldap above. When I add him back he gets invited to vaultwarden as normal, he also gets disabled when I remove him from ldap and now he also gets re-enabled when he's back in the group.

vaultwarden_ldap_sync    | Pending changes:
vaultwarden_ldap_sync    |  * Invite: 1
vaultwarden_ldap_sync    |  * Enable: 0
vaultwarden_ldap_sync    |  * Disable: 0
....
vaultwarden_ldap_sync    | 2025-02-11:13:51:16 INFO [vaultwarden.py] Successfully invited user test.user@xxxx.com with ID c7dac133-0d9a-4bb5-a3ba-ccdd44cd4029
vaultwarden_ldap_sync    | 2025-02-11:13:51:16 INFO [sync.py]  Invite user test.user@xxxx.com
......
vaultwarden_ldap_sync    | Pending changes:
vaultwarden_ldap_sync    |  * Invite: 0
vaultwarden_ldap_sync    |  * Enable: 0
vaultwarden_ldap_sync    |  * Disable: 1
vaultwarden_ldap_sync    |
......
vaultwarden_ldap_sync    | 2025-02-11:13:59:16 INFO [sync.py]  User test.user@xxxx.com DISABLED in Vaultwarden
.......
vaultwarden_ldap_sync    | Pending changes:
vaultwarden_ldap_sync    |  * Invite: 0
vaultwarden_ldap_sync    |  * Enable: 1
vaultwarden_ldap_sync    |  * Disable: 0
vaultwarden_ldap_sync    |
vaultwarden_ldap_sync    | 2025-02-11:14:03:17 DEBUG [vaultwarden.py] Cookie store found, loading
........
vaultwarden_ldap_sync    | 2025-02-11:14:03:17 INFO [sync.py]  User test.user@xxxx.com ENABLED in Vaultwarden

I would say that the desired basic functionality now works as long as user is added/managed by the plugin. Existing users are not adopted or detected from the vaultwarden instance itself. Local state is not being read correctly from vaultwarden I guess.

For completeness my vaultwarden instance has the following version numbers if you wish to debug the API response:

Server Installed Update
1.32.7
Server Latest
1.33.2
Web Installed
2024.6.2c
Database
SQLite: 3.46.0

Thank you for the fixes so far!

@GeorgelT commented on GitHub (Feb 11, 2025): First of, thank you very much for being so responsive. The new debug listing looks very good. Things I can confirm at the moment: 1. ldap check is being done after each run, this is good now. Shortened output from one run to the next: ``` ...... vaultwarden_ldap_sync | * adoption_candidates: 2 vaultwarden_ldap_sync | Pending changes: vaultwarden_ldap_sync | * Invite: 0 vaultwarden_ldap_sync | * Enable: 0 vaultwarden_ldap_sync | * Disable: 0 vaultwarden_ldap_sync | ......... vaultwarden_ldap_sync | * email_vanished_in_both: 0 vaultwarden_ldap_sync | * users_with_changed_email: 0 vaultwarden_ldap_sync | * adoption_candidates: 1 vaultwarden_ldap_sync | Pending changes: vaultwarden_ldap_sync | * Invite: 0 vaultwarden_ldap_sync | * Enable: 0 vaultwarden_ldap_sync | * Disable: 0 vaultwarden_ldap_sync | ``` 2. Not sure what the "adoption_candidates" flag is, but the listing from the instance itself does not seem to be represented correctly. Even after it invites/enables/disables users. ``` vaultwarden_ldap_sync | 2025-02-11:13:51:16 DEBUG [sync.py] Difference compared to local state/emails source: vaultwarden_ldap_sync | * user_ids_enabled_in_vw: 0 vaultwarden_ldap_sync | * user_ids_enable_in_src: 0 vaultwarden_ldap_sync | * user_ids_disabled_in_vw: 0 vaultwarden_ldap_sync | * user_ids_vanished_in_vw: 0 vaultwarden_ldap_sync | * email_vanished_in_src: 0 vaultwarden_ldap_sync | * email_vanished_in_both: 0 vaultwarden_ldap_sync | * users_with_changed_email: 0 vaultwarden_ldap_sync | * adoption_candidates: 1 vaultwarden_ldap_sync | Pending changes: vaultwarden_ldap_sync | * Invite: 1 vaultwarden_ldap_sync | * Enable: 0 vaultwarden_ldap_sync | * Disable: 0 vaultwarden_ldap_sync | ......... vaultwarden_ldap_sync | 2025-02-11:13:53:16 DEBUG [sync.py] Difference compared to local state/emails source: vaultwarden_ldap_sync | * user_ids_enabled_in_vw: 0 vaultwarden_ldap_sync | * user_ids_enable_in_src: 0 vaultwarden_ldap_sync | * user_ids_disabled_in_vw: 0 vaultwarden_ldap_sync | * user_ids_vanished_in_vw: 0 vaultwarden_ldap_sync | * email_vanished_in_src: 0 vaultwarden_ldap_sync | * email_vanished_in_both: 0 vaultwarden_ldap_sync | * users_with_changed_email: 0 vaultwarden_ldap_sync | * adoption_candidates: 1 vaultwarden_ldap_sync | Pending changes: vaultwarden_ldap_sync | * Invite: 0 vaultwarden_ldap_sync | * Enable: 0 vaultwarden_ldap_sync | * Disable: 0 ``` I've manually removed the one user, that is no longer in ldap above. When I add him back he gets invited to vaultwarden as normal, he also gets disabled when I remove him from ldap and now he also gets re-enabled when he's back in the group. ``` vaultwarden_ldap_sync | Pending changes: vaultwarden_ldap_sync | * Invite: 1 vaultwarden_ldap_sync | * Enable: 0 vaultwarden_ldap_sync | * Disable: 0 .... vaultwarden_ldap_sync | 2025-02-11:13:51:16 INFO [vaultwarden.py] Successfully invited user test.user@xxxx.com with ID c7dac133-0d9a-4bb5-a3ba-ccdd44cd4029 vaultwarden_ldap_sync | 2025-02-11:13:51:16 INFO [sync.py] Invite user test.user@xxxx.com ...... vaultwarden_ldap_sync | Pending changes: vaultwarden_ldap_sync | * Invite: 0 vaultwarden_ldap_sync | * Enable: 0 vaultwarden_ldap_sync | * Disable: 1 vaultwarden_ldap_sync | ...... vaultwarden_ldap_sync | 2025-02-11:13:59:16 INFO [sync.py] User test.user@xxxx.com DISABLED in Vaultwarden ....... vaultwarden_ldap_sync | Pending changes: vaultwarden_ldap_sync | * Invite: 0 vaultwarden_ldap_sync | * Enable: 1 vaultwarden_ldap_sync | * Disable: 0 vaultwarden_ldap_sync | vaultwarden_ldap_sync | 2025-02-11:14:03:17 DEBUG [vaultwarden.py] Cookie store found, loading ........ vaultwarden_ldap_sync | 2025-02-11:14:03:17 INFO [sync.py] User test.user@xxxx.com ENABLED in Vaultwarden ``` I would say that the desired basic functionality now works as long as user is added/managed by the plugin. Existing users are not adopted or detected from the vaultwarden instance itself. Local state is not being read correctly from vaultwarden I guess. For completeness my vaultwarden instance has the following version numbers if you wish to debug the API response: Server Installed Update 1.32.7 Server Latest 1.33.2 Web Installed 2024.6.2c Database SQLite: 3.46.0 Thank you for the fixes so far!

kerem commented

2026-03-04 00:59:39 +03:00

Author

Owner

@sirtoobii commented on GitHub (Feb 11, 2025):

Existing users are not adopted or detected from the vaultwarden instance itself. Local state is not being read correctly from vaultwarden I guess.

You need to let it run once with VUS_ADOPT=1 (in .env) as adoption does not happen automatically.

@sirtoobii commented on GitHub (Feb 11, 2025): > Existing users are not adopted or detected from the vaultwarden instance itself. Local state is not being read correctly from vaultwarden I guess. You need to let it run once with `VUS_ADOPT=1` (in `.env`) as adoption does not happen automatically.

kerem commented

2026-03-04 00:59:39 +03:00

Author

Owner

@GeorgelT commented on GitHub (Feb 18, 2025):

I added the above VUS_ADOPT=1 flag but it seems it leads to the container crashing on startup.

vaultwarden_ldap_sync    | 2025-02-18:12:45:54 DEBUG [sync.py] Difference compared to local state/emails source:
vaultwarden_ldap_sync    |  * user_ids_enabled_in_vw: 0
vaultwarden_ldap_sync    |  * user_ids_enable_in_src: 0
vaultwarden_ldap_sync    |  * user_ids_disabled_in_vw: 0
vaultwarden_ldap_sync    |  * user_ids_vanished_in_vw: 0
vaultwarden_ldap_sync    |  * email_vanished_in_src: 0
vaultwarden_ldap_sync    |  * email_vanished_in_both: 0
vaultwarden_ldap_sync    |  * users_with_changed_email: 0
vaultwarden_ldap_sync    |  * adoption_candidates: 1
vaultwarden_ldap_sync    | Pending changes:
vaultwarden_ldap_sync    |  * Invite: 0
vaultwarden_ldap_sync    |  * Enable: 0
vaultwarden_ldap_sync    |  * Disable: 0
vaultwarden_ldap_sync    |
vaultwarden_ldap_sync exited with code 0

@GeorgelT commented on GitHub (Feb 18, 2025): I added the above VUS_ADOPT=1 flag but it seems it leads to the container crashing on startup. ``` vaultwarden_ldap_sync | 2025-02-18:12:45:54 DEBUG [sync.py] Difference compared to local state/emails source: vaultwarden_ldap_sync | * user_ids_enabled_in_vw: 0 vaultwarden_ldap_sync | * user_ids_enable_in_src: 0 vaultwarden_ldap_sync | * user_ids_disabled_in_vw: 0 vaultwarden_ldap_sync | * user_ids_vanished_in_vw: 0 vaultwarden_ldap_sync | * email_vanished_in_src: 0 vaultwarden_ldap_sync | * email_vanished_in_both: 0 vaultwarden_ldap_sync | * users_with_changed_email: 0 vaultwarden_ldap_sync | * adoption_candidates: 1 vaultwarden_ldap_sync | Pending changes: vaultwarden_ldap_sync | * Invite: 0 vaultwarden_ldap_sync | * Enable: 0 vaultwarden_ldap_sync | * Disable: 0 vaultwarden_ldap_sync | vaultwarden_ldap_sync exited with code 0 ```

kerem commented

2026-03-04 00:59:39 +03:00

Author

Owner

@sirtoobii commented on GitHub (Feb 18, 2025):

@GeorgelT This is expected behavior as it is most likely not intended to keep the adoption mode on. I'm going to update the PR to make this more clear.

@sirtoobii commented on GitHub (Feb 18, 2025): @GeorgelT This is expected behavior as it is most likely not intended to keep the adoption mode on. I'm going to update the PR to make this more clear.

kerem commented

2026-03-04 00:59:39 +03:00

Author

Owner

@GeorgelT commented on GitHub (Feb 19, 2025):

If I understand you correctly, it should adopt that user after that one exited run right? It does not seem to do that though. The user that is not addopted is still there even after running it that way.

 * user_ids_enabled_in_vw: 0
 * user_ids_enable_in_src: 0
 * user_ids_disabled_in_vw: 0
 * user_ids_vanished_in_vw: 0
 * email_vanished_in_src: 0
 * email_vanished_in_both: 0
 * users_with_changed_email: 0
 * adoption_candidates: 1
Pending changes:
 * Invite: 0
 * Enable: 0
 * Disable: 0

@GeorgelT commented on GitHub (Feb 19, 2025): If I understand you correctly, it should adopt that user after that one exited run right? It does not seem to do that though. The user that is not addopted is still there even after running it that way. ``` * user_ids_enabled_in_vw: 0 * user_ids_enable_in_src: 0 * user_ids_disabled_in_vw: 0 * user_ids_vanished_in_vw: 0 * email_vanished_in_src: 0 * email_vanished_in_both: 0 * users_with_changed_email: 0 * adoption_candidates: 1 Pending changes: * Invite: 0 * Enable: 0 * Disable: 0 ```

kerem commented

2026-03-04 00:59:39 +03:00

Author

Owner

@ravinder0402 commented on GitHub (Feb 19, 2025):

@GeorgelT @sirtoobii I am getting issue with regular sync means the vaultwarden_ldap_sync database is not storing current data of ldap until this container/pod restart .
Then i found that in sync.py the ldap_emails = ldc.get_email_list() is not placed inside the while loop that will run with every sync after a specific interval of time due to which the current state of user in the ldap is not update in the vaultwarden_ldap_sync database then I paste ldap_emails = ldc.get_email_list() inside the while loop due to which whenever sync run then it will detect the any change on the ldap at every sync and then store them in its database. and we have no need to restart our vaultwarden_ldap_sync container/pod

@ravinder0402 commented on GitHub (Feb 19, 2025): @GeorgelT @sirtoobii I am getting issue with regular sync means the vaultwarden_ldap_sync database is not storing current data of ldap until this container/pod restart . Then i found that in sync.py the ldap_emails = ldc.get_email_list() is not placed inside the while loop that will run with every sync after a specific interval of time due to which the current state of user in the ldap is not update in the vaultwarden_ldap_sync database then I paste ldap_emails = ldc.get_email_list() inside the while loop due to which whenever sync run then it will detect the any change on the ldap at every sync and then store them in its database. and we have no need to restart our vaultwarden_ldap_sync container/pod

kerem commented

2026-03-04 00:59:39 +03:00

Author

Owner

@sirtoobii commented on GitHub (Feb 19, 2025):

@ravinder0402 This bug is the exact reason why @GeorgelT opened this issue in the first place. Please try the "big-refactoring" branch

@sirtoobii commented on GitHub (Feb 19, 2025): @ravinder0402 This bug is the exact reason why @GeorgelT opened this issue in the first place. Please try the "big-refactoring" branch

kerem commented

2026-03-04 00:59:39 +03:00

Author

Owner

@sirtoobii commented on GitHub (Feb 19, 2025):

If I understand you correctly, it should adopt that user after that one exited run right?

@GeorgelT Yes, this is how it's supposed to work. I need to verify this locally. Just to be sure, you're not running with DRY_RUN=1 ?

Edit: Verified that I was using the wrong variable to check if we're in adoption mode. I've pushed a fix to #11

@sirtoobii commented on GitHub (Feb 19, 2025): > If I understand you correctly, it should adopt that user after that one exited run right? @GeorgelT Yes, this is how it's supposed to work. I need to verify this locally. Just to be sure, you're not running with `DRY_RUN=1` ? Edit: Verified that I was using the wrong variable to check if we're in adoption mode. I've pushed a fix to #11

kerem commented

2026-03-04 00:59:39 +03:00

Author

Owner

@ravinder0402 commented on GitHub (Feb 19, 2025):

@sirtoobii I am telling that i have already fixed that issue by adding ldap_emails = ldc.get_email_list() inside the while loop in the sync.py

@ravinder0402 commented on GitHub (Feb 19, 2025): @sirtoobii I am telling that i have already fixed that issue by adding **ldap_emails = ldc.get_email_list()** inside the while loop in the sync.py

kerem commented

2026-03-04 00:59:39 +03:00

Author

Owner

@sirtoobii commented on GitHub (Feb 25, 2025):

@GeorgelT were you able to verify that adoption now works as expected? If yes, I would merge #11 to main. And thank you as well for you continuous help with testing!

@sirtoobii commented on GitHub (Feb 25, 2025): @GeorgelT were you able to verify that adoption now works as expected? If yes, I would merge #11 to main. And thank you as well for you continuous help with testing!

kerem commented

2026-03-04 00:59:39 +03:00

Author

Owner

@GeorgelT commented on GitHub (Feb 28, 2025):

Sorry for the delay, was quite a full week at work with other projects. I redownloaded the branch, reran the container with adopt on and off flag. So far seems to no adopt users just like previously.

Creating vaultwarden_ldap_sync ... done
Attaching to vaultwarden_ldap_sync
vaultwarden_ldap_sync    | 2025-02-28:08:13:41 INFO [sync.py] Starting...
vaultwarden_ldap_sync    | 2025-02-28:08:13:41 INFO [sync.py] DRYRUN: False
vaultwarden_ldap_sync    | 2025-02-28:08:13:41 INFO [sync.py] LDAP server: ldap.xxxxx
vaultwarden_ldap_sync    | 2025-02-28:08:13:41 INFO [sync.py] Vaultwarden URL: https://xxxxxxxxx/office
vaultwarden_ldap_sync    | 2025-02-28:08:13:41 WARNING [sync.py]  Running in adaption mode. Will terminate after this attempt
vaultwarden_ldap_sync    | 2025-02-28:08:13:41 DEBUG [connectionpool.py] Starting new HTTPS connection (1): xxxx:443
vaultwarden_ldap_sync    | 2025-02-28:08:13:41 DEBUG [connectionpool.py] https://xxxxx:443 "GET /office/admin/users HTTP/1.1" 401 282
vaultwarden_ldap_sync    | 2025-02-28:08:13:41 DEBUG [vaultwarden.py] Could not authenticate using cookie, trying token
vaultwarden_ldap_sync    | 2025-02-28:08:13:41 DEBUG [connectionpool.py] https://xxxxx:443 "POST /office/admin HTTP/1.1" 200 13555
vaultwarden_ldap_sync    | 2025-02-28:08:13:41 DEBUG [vaultwarden.py] Authentication using token successful, storing cookie
vaultwarden_ldap_sync    | 2025-02-28:08:13:41 DEBUG [vaultwarden.py] Cookie store found, loading
vaultwarden_ldap_sync    | 2025-02-28:08:13:41 DEBUG [connectionpool.py] https://xxxxxxx:443 "GET /office/admin/users HTTP/1.1" 200 11421
vaultwarden_ldap_sync    | 2025-02-28:08:13:41 DEBUG [sync.py] Difference compared to local state/emails source:
vaultwarden_ldap_sync    |  * user_ids_enabled_in_vw: 0
vaultwarden_ldap_sync    |  * user_ids_enable_in_src: 0
vaultwarden_ldap_sync    |  * user_ids_disabled_in_vw: 0
vaultwarden_ldap_sync    |  * user_ids_vanished_in_vw: 0
vaultwarden_ldap_sync    |  * email_vanished_in_src: 0
vaultwarden_ldap_sync    |  * email_vanished_in_both: 0
vaultwarden_ldap_sync    |  * users_with_changed_email: 0
vaultwarden_ldap_sync    |  * adoption_candidates: 2
vaultwarden_ldap_sync    | Pending changes:
vaultwarden_ldap_sync    |  * Invite: 0
vaultwarden_ldap_sync    |  * Enable: 0
vaultwarden_ldap_sync    |  * Disable: 0
vaultwarden_ldap_sync    |
vaultwarden_ldap_sync exited with code 0

remove flag and rerun, same output:

vaultwarden_ldap_sync    |  * user_ids_enabled_in_vw: 0
vaultwarden_ldap_sync    |  * user_ids_enable_in_src: 0
vaultwarden_ldap_sync    |  * user_ids_disabled_in_vw: 0
vaultwarden_ldap_sync    |  * user_ids_vanished_in_vw: 0
vaultwarden_ldap_sync    |  * email_vanished_in_src: 0
vaultwarden_ldap_sync    |  * email_vanished_in_both: 0
vaultwarden_ldap_sync    |  * users_with_changed_email: 0
vaultwarden_ldap_sync    |  * adoption_candidates: 2
vaultwarden_ldap_sync    | Pending changes:
vaultwarden_ldap_sync    |  * Invite: 0
vaultwarden_ldap_sync    |  * Enable: 0
vaultwarden_ldap_sync    |  * Disable: 0
vaultwarden_ldap_sync    |

subsequent sync runs does not seem to change that.

@GeorgelT commented on GitHub (Feb 28, 2025): Sorry for the delay, was quite a full week at work with other projects. I redownloaded the branch, reran the container with adopt on and off flag. So far seems to no adopt users just like previously. ``` Creating vaultwarden_ldap_sync ... done Attaching to vaultwarden_ldap_sync vaultwarden_ldap_sync | 2025-02-28:08:13:41 INFO [sync.py] Starting... vaultwarden_ldap_sync | 2025-02-28:08:13:41 INFO [sync.py] DRYRUN: False vaultwarden_ldap_sync | 2025-02-28:08:13:41 INFO [sync.py] LDAP server: ldap.xxxxx vaultwarden_ldap_sync | 2025-02-28:08:13:41 INFO [sync.py] Vaultwarden URL: https://xxxxxxxxx/office vaultwarden_ldap_sync | 2025-02-28:08:13:41 WARNING [sync.py] Running in adaption mode. Will terminate after this attempt vaultwarden_ldap_sync | 2025-02-28:08:13:41 DEBUG [connectionpool.py] Starting new HTTPS connection (1): xxxx:443 vaultwarden_ldap_sync | 2025-02-28:08:13:41 DEBUG [connectionpool.py] https://xxxxx:443 "GET /office/admin/users HTTP/1.1" 401 282 vaultwarden_ldap_sync | 2025-02-28:08:13:41 DEBUG [vaultwarden.py] Could not authenticate using cookie, trying token vaultwarden_ldap_sync | 2025-02-28:08:13:41 DEBUG [connectionpool.py] https://xxxxx:443 "POST /office/admin HTTP/1.1" 200 13555 vaultwarden_ldap_sync | 2025-02-28:08:13:41 DEBUG [vaultwarden.py] Authentication using token successful, storing cookie vaultwarden_ldap_sync | 2025-02-28:08:13:41 DEBUG [vaultwarden.py] Cookie store found, loading vaultwarden_ldap_sync | 2025-02-28:08:13:41 DEBUG [connectionpool.py] https://xxxxxxx:443 "GET /office/admin/users HTTP/1.1" 200 11421 vaultwarden_ldap_sync | 2025-02-28:08:13:41 DEBUG [sync.py] Difference compared to local state/emails source: vaultwarden_ldap_sync | * user_ids_enabled_in_vw: 0 vaultwarden_ldap_sync | * user_ids_enable_in_src: 0 vaultwarden_ldap_sync | * user_ids_disabled_in_vw: 0 vaultwarden_ldap_sync | * user_ids_vanished_in_vw: 0 vaultwarden_ldap_sync | * email_vanished_in_src: 0 vaultwarden_ldap_sync | * email_vanished_in_both: 0 vaultwarden_ldap_sync | * users_with_changed_email: 0 vaultwarden_ldap_sync | * adoption_candidates: 2 vaultwarden_ldap_sync | Pending changes: vaultwarden_ldap_sync | * Invite: 0 vaultwarden_ldap_sync | * Enable: 0 vaultwarden_ldap_sync | * Disable: 0 vaultwarden_ldap_sync | vaultwarden_ldap_sync exited with code 0 ``` remove flag and rerun, same output: ``` vaultwarden_ldap_sync | * user_ids_enabled_in_vw: 0 vaultwarden_ldap_sync | * user_ids_enable_in_src: 0 vaultwarden_ldap_sync | * user_ids_disabled_in_vw: 0 vaultwarden_ldap_sync | * user_ids_vanished_in_vw: 0 vaultwarden_ldap_sync | * email_vanished_in_src: 0 vaultwarden_ldap_sync | * email_vanished_in_both: 0 vaultwarden_ldap_sync | * users_with_changed_email: 0 vaultwarden_ldap_sync | * adoption_candidates: 2 vaultwarden_ldap_sync | Pending changes: vaultwarden_ldap_sync | * Invite: 0 vaultwarden_ldap_sync | * Enable: 0 vaultwarden_ldap_sync | * Disable: 0 vaultwarden_ldap_sync | ``` subsequent sync runs does not seem to change that.

kerem commented

2026-03-04 00:59:39 +03:00

Author

Owner

@sirtoobii commented on GitHub (Mar 4, 2025):

Hey @GeorgelT as I cannot reproduce the reported behavior and your first log snippet just ends with exited with code 0 I suspect that your codebase is not updated to the latest commit of #11, can you verify that?

With the latest commit the message should be:

2025-03-04:16:17:07 WARNING [sync.py] Exiting as requested. Either --run_once is explicitly set or implicitly through --reset or --adopt

@sirtoobii commented on GitHub (Mar 4, 2025): Hey @GeorgelT as I cannot reproduce the reported behavior and your first log snippet just ends with `exited with code 0` I suspect that your codebase is not updated to the latest commit of #11, can you verify that? With the latest commit the message should be: ``` 2025-03-04:16:17:07 WARNING [sync.py] Exiting as requested. Either --run_once is explicitly set or implicitly through --reset or --adopt ```

Rows
Columns

[GH-ISSUE #10] The LDAP request is only run on start #9