Explorations in Self-Hosted Password Managers

Nobody seems to get my niche.

There are many, many password manager apps out there, but none of them tick every box for me in my particular situation.

I don’t think I’m asking for much:

  • I want a self-hosted password manager app.
  • Not in the cloud. Obvs.
  • LDAP capability (for an IT Team to be able to share passwords, for example)

The closest I’ve found is BitWarden, or more specifically VaultWarden. I was so excited about BitWarden for so many reasons: organizational capabilities, delegation, data structures for more than just passwords (credit cards, identity info, etc.). And one of their enterprise features is… wait for it… a directory connector which includes AD, LDAP and others.

But it’s expensive. Their enterprise product runs between $3 and $6 per user per month. Doesn’t sound like much, but it adds up. I was a bit let down by the pricing, but then I found out about VaultWarden, which is I guess a “fork” of sorts of BitWarden which includes the enterprise features. I’m not sure of the mechanics of why it exists, but I decided to give it a try.

It was only then that I realized the fatal flaw in my plan. Both of these products are part of the new breed of password managers, billing themselves as zero-knowledge password vaults. And the great selling point of these is the way the encryption works, which is apparently by encrypting your vault with a key derived from your personal password. With me yet? That means it’s fundamentally incompatible with LDAP authentication. The LDAP features provided (in a most difficult manner) by BitWarden and VaultWarden only provide user and group synchronization, not authentication. They provide this by syncing the directory at admin-defined intervals, deleting inactive users and adding new users on each sync, and then sending those users an email inviting them to use the app (and setting their password).

As far down the road as they took me, it was sad to learn I wouldn’t be able to leverage my existing LDAP authentication on this particular app. And I get it. In a zero-knowledge world, it’s unacceptable for an admin to reset a user’s LDAP password and then inherit knowledge of all of their stored passwords. But I’m not in a zero-knowledge world. I’m in a shared-knowledge world.

I’ll probably use it anyway, with the complication that my users will not have their BitWarden password updated when they are forced to change their LDAP password. Because the organizational features and data structures seem to outweigh that complication. For now, anyway.
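The key model behind the incompatibility above, as an added illustration that is not BitWarden’s or VaultWarden’s code: the vault key is derived client-side from the master password, so a password an admin sets in LDAP cannot open the vault, and only a client that already holds the old master password can rotate it. The cipher is a toy HMAC keystream, constructed so the example runs on the standard library alone, and the iteration count is an assumed value.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed value; real products pick their own parameters


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Vault key derived on the client; the server only ever stores ciphertext and salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy HMAC counter-mode keystream for illustration only, not a real cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal_vault(master_password: str, plaintext: bytes) -> dict:
    """Encrypt the vault under the password-derived key and tag it so wrong keys are detected."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master_password, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def open_vault(master_password: str, blob: dict):
    """Return the plaintext, or None when the password does not derive the sealing key."""
    key = derive_key(master_password, blob["salt"])
    expected = hmac.new(key, blob["nonce"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # wrong password (or tampered blob): nothing is decrypted
    return bytes(c ^ k for c, k in zip(blob["ct"], _keystream(key, blob["nonce"], len(blob["ct"]))))


def ldap_reset_scenario():
    """The post's case: user seals the vault; an admin later resets the LDAP password to a value they know."""
    vault = seal_vault("correct horse battery", b"shared IT password: hunter2")  # constructed sample
    admin_new_ldap_pw = "Temp1234!"  # known to the admin, but it was never the vault password
    return open_vault("correct horse battery", vault), open_vault(admin_new_ldap_pw, vault)


def user_rotates_password(old_pw: str, new_pw: str, blob: dict):
    """Only a client that can open the vault with the old password can re-seal it under a new one."""
    plaintext = open_vault(old_pw, blob)
    return None if plaintext is None else seal_vault(new_pw, plaintext)
```

This is why a forced LDAP password change leaves the vault password untouched: the server has no key with which to re-seal the vault, so the two passwords silently drift apart until the user rotates the vault password themselves.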

By the way, there is an SSO feature included with the enterprise version of BitWarden ($) that solves(-ish) the problem by offloading the key encryption/decryption to stored key pairs in an external database using a complicated, rickety scaffolding of tubes and wires. VaultWarden doesn’t seem to be leaning toward replicating that functionality, and neither do I.