I've got a branch where I've almost gotten LDAP syncing fully working, but invites don't seem to be working properly.
Even if I try to send an invite directly through the web interface, it just hangs. The user shows in the list, however the logs never show a success or failure response for the request. I've checked the SMTP settings and they appear to be correct. I'll keep debugging though.
https://git.cloudron.io/iamthefij/bitwardenrs-app/tree/ldap-sync
@jdaviescoates Mailpile has both those features: https://www.mailpile.is/
Might be a good app request.
Way back when this first came up in 2017, there was a discussion on the issue boards for Ubuntu. This is the response from the PM at Canonical who added the feature including an explanation of how it has been used in the past and how they intend to use it.
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1701068/comments/11
It can be disabled entirely by running sudo sed -i 's/^ENABLED=.*/ENABLED=0/' /etc/default/motd-news (source).
Debian support would be great, but I thought I'd present a bit more information for folks stumbling on this to read up on and make a decision on how they want to manage their server.
LDAP syncing is now available for bitwarden_rs. Check it out on the wiki.
Do you have your app shared on git.cloudron.io yet? If so I can help contribute.
@JOduMonT First off, that site is just reviewing app permissions. It’s docking Signal for requesting things like access to camera (used for taking and sending photos). That’s not really relevant here.
From a security standpoint, the Signal protocol is the gold standard for secure messaging. Other apps , like WhatsApp have even implemented it themselves.
Signal is also a non-profit and spends a considerable amount of effort in reducing knowledge needed to operate on the server. Their goal is to get to a point you don’t have to trust the server at all.
I have never heard of the app you’re recommending, but I don’t see any information about how they manage their encryption. Their website link (from Google Play) lands on some obscure website that doesn’t really load unless I turn off my tracker blockers. The site then doesn’t really indicate why I should trust them. No information on their funding or security. Also, the Play Store listing says it includes Ads. Which is a huge no-no for privacy.
Telegram is a popular app, but Signal is often recommended for security/privacy. First off, Telegram offers both encrypted and unencrypted messaging and defaults to unencrypted. Group messages cannot even be encrypted at all. In Signal, all is encrypted. Furthermore, when using encryption, Telegram uses a custom crypto algorithm they wrote rather than industry trusted ones like Signal does. This goes against a common maxim in the security industry “don’t roll your own crypto”. It could be just as secure, but less eyes on it means we just don’t know enough about it. Most professionals prefer a tried and true system.
Anyway, I’m pretty passionate about secure messaging, so I’ve done a bit of research here. All that said, unless they are willing to switch, the best one is the one your friends are using. Messaging is useless if you’re the only one with it. Kinda relates to the article will posted about encrypted email in the first place.
Got it working! Turns out I needed to enable SMTP_EXPLICIT_TLS.
Now I just have to schedule the sync task and do some cleanup. Should have a fully ready app soon.
Software Engineer turned Director at a Silicon Valley company.
After the switch to management I was eager for a technical project and decided to take on self hosting for privacy and ethical reasons as well as the technical challenge. I’ve made several attempts at managing all my self hosted services from scratch and eventually found Cloudron.
@will just a note, I don't believe fbartels version supports a using a dump for backing up the database. This means that if the backup is taken while the db is in a transaction, it could be corrupted.
Bitwarden_rs now supports an admin API for making sqlite backups, but does not have any cron embedded. Similar to the way the LDAP sync tool works, an additional script could be added to periodically make dumps of the sqlite database so that it can be properly backed up.
Instead, the version I have is using MySQL, which leverages the native Cloudron backup and restore functionality.
That and the LDAP invite service are the real differences between the two forks. If you do not wish to use automated LDAP invites on my fork, you can select to opt out when installing. This is covered in the readme.
@yusf Yea, the Readme describe the reasoning.
There is no way to actually do true SSO without breaking the model for Bitwarden. The only thing that we can do is automatically invite users to sign up.
The Bitwarden_rs project doesn't have a way to invite without sending an email as when an SMTP server is configured, it will generate unique invite links for each user.
If you disable SSO, you only disable the auto-invite feature. You will then need to invite yourself via the Admin panel (admin token is echoed in the logs and in /app/data/admin_token). You can then invite anyone else you wish manually.
Thanks @nebulon! I'm just realizing that we should be able to improve the experience by using making the default env be SIGNUPS_DOMAINS_WHITELIST=$CLOUDRON_MAIL_DOMAINS, so signups can only be from the the domains that the users have configured for email. A few caveates though, I'm not sure how that variable gets set if you use a relay and it also looks like only $CLOUDRON_MAIL_DOMAIN is set for me, maybe because I have only one email domain.
@murgero Even the Spectre or Plaid importers require being run as separate services: https://github.com/firefly-iii/spectre-importer
@murgero according to the docs, the importers are separate web applications that you host and connect to FF3. Given that Cloudron doesn't really support setting up auxiliary web applications on the box, it looks like the only way to use it would be for me to host the csv-importer on a different server and then direct that to my Cloudron FF3.
Is that how others are using it?
Are there any packaged / bundled importers for the Cloudron FF3 app? I'm not finding any instructions for that, but I'm also new to Firefly.
Software Engineer turned Director at a Silicon Valley company.
After the switch to management I was eager for a technical project and decided to take on self hosting for privacy and ethical reasons as well as the technical challenge. I’ve made several attempts at managing all my self hosted services from scratch and eventually found Cloudron.
@alexanderkings I haven't finished the step of migrating this to a Cloudron app, but I've been using mole to securely forward ports between networks using SSH Private/Public keys. My Docker implementation is Dockamole.
I'm using it already outside of Cloudron to allow my VPS to scrape metrics generated on my home NAS.
The workflow would require a Server container running on Cloudron and then a Client container running on whatever machine you'd like to access the forwarded port. All services on that machine access the service through the local container and it's forwarded to the server container.
Like I said... I haven't gotten it running on Cloudron yet though.
@d19dotca The high level will be to do a sql dump of the database and then restore it on the new system.
@nebulon yea. I wondered that. It would be nice if there was a similar env for any configured domain, not just email.
Thanks @nebulon! I'm just realizing that we should be able to improve the experience by using making the default env be SIGNUPS_DOMAINS_WHITELIST=$CLOUDRON_MAIL_DOMAINS, so signups can only be from the the domains that the users have configured for email. A few caveates though, I'm not sure how that variable gets set if you use a relay and it also looks like only $CLOUDRON_MAIL_DOMAIN is set for me, maybe because I have only one email domain.
@nebulon yea, the best for Cloudron would be a way to silently invite so only ldap users could sign up. Maybe I’ll make that suggestion over at the main project.
I feel that would make a much better experience for users and admins here.
What I did was install it scoped to only my user and then expanded the users to a group later.
@yusf Yea, the Readme describe the reasoning.
There is no way to actually do true SSO without breaking the model for Bitwarden. The only thing that we can do is automatically invite users to sign up.
The Bitwarden_rs project doesn't have a way to invite without sending an email as when an SMTP server is configured, it will generate unique invite links for each user.
If you disable SSO, you only disable the auto-invite feature. You will then need to invite yourself via the Admin panel (admin token is echoed in the logs and in /app/data/admin_token). You can then invite anyone else you wish manually.