[GH-ISSUE #3688] Deleting users from organisation using directory connector not working #14432

New Issue

Closed

opened 2026-04-23 06:10:34 -05:00 by GiteaMirror · 1 comment

GiteaMirror commented 2026-04-23 06:10:34 -05:00

Owner

Copy Link

Originally created by @bokkabonga on GitHub (Jul 12, 2023).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/3688

Subject of the issue

Deleting users from organisation using directory connector not working

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.29.0-61f90818
• Web-vault version: v2023.5.0
• OS/Arch: linux/x86_64
• Running within Docker: true (Base: Debian)
• Environment settings overridden: true
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Database type: MySQL
• Database version: 10.4.20-MariaDB-1:10.4.20+maria~focal
• Clients used:
• Reverse proxy and version:
• Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden: INVITATION_ORG_NAME, DISABLE_2FA_REMEMBER, AUTHENTICATOR_DISABLE_TIME_DRIFT, LOG_TIMESTAMP_FORMAT, EMAIL_EXPIRATION_TIME, EMAIL_ATTEMPTS_LIMIT

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "*****://***************************************************",
  "db_connection_retries": 10,
  "disable_2fa_remember": true,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://****************",
  "domain_origin": "*****://****************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": "***",
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Bitwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/bitwarden.log",
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": 20480,
  "org_creation_users": "***",
  "org_events_enabled": true,
  "org_groups_enabled": true,
  "password_hints_allowed": false,
  "password_iterations": 600000,
  "push_enabled": true,
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "******,******************",
  "signups_verify": true,
  "signups_verify_resend_limit": 3,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "****************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "*****************",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_security": "off",
  "smtp_ssl": false,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": 60,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": 5121,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": "61202",
  "yubico_secret_key": "***",
  "yubico_server": null
}

• Install method Docker

• Clients used: Directory Connector

• Reverse proxy and version: apache

• MySQL/MariaDB or PostgreSQL version: mariadbsu

• Other relevant details:

Steps to reproduce

1. Create organisation and get API-Key
2. Configure Directory Connector to sync from AzureAD
3. After Users have been invited, remove one or more Users from the sync scope
4. Rerun sync

Expected behaviour

After removing the user from the sync scope, the user should be removed from the organisation, when "Overwrite existing organization users based on current sync settings." is activated

Actual behaviour

The User remains in the organisation and is not removed.

Troubleshooting data

The "test now" also doesn´t list the user under "deleted Users". The logfiles also don´t show any errors

Originally created by @bokkabonga on GitHub (Jul 12, 2023). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/3688 <!-- # ### NOTE: Please update to the latest version of vaultwarden before reporting an issue! This saves you and us a lot of time and troubleshooting. See: * https://github.com/dani-garcia/vaultwarden/issues/1180 * https://github.com/dani-garcia/vaultwarden/wiki/Updating-the-vaultwarden-image # ### --> <!-- Please fill out the following template to make solving your problem easier and faster for us. This is only a guideline. If you think that parts are unnecessary for your issue, feel free to remove them. Remember to hide/redact personal or confidential information, such as passwords, IP addresses, and DNS names as appropriate. --> ### Subject of the issue <!-- Describe your issue here. --> Deleting users from organisation using directory connector not working ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.29.0-61f90818 * Web-vault version: v2023.5.0 * OS/Arch: linux/x86_64 * Running within Docker: true (Base: Debian) * Environment settings overridden: true * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Database type: MySQL * Database version: 10.4.20-MariaDB-1:10.4.20+maria~focal * Clients used: * Reverse proxy and version: * Other relevant information: ### Config (Generated via diagnostics page) <details><summary>Show Running Config</summary> **Environment settings which are overridden:** INVITATION_ORG_NAME, DISABLE_2FA_REMEMBER, AUTHENTICATOR_DISABLE_TIME_DRIFT, LOG_TIMESTAMP_FORMAT, EMAIL_EXPIRATION_TIME, EMAIL_ATTEMPTS_LIMIT ```json { "_duo_akey": null, "_enable_duo": false, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_smtp_img_src": "cid:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "*****://***************************************************", "db_connection_retries": 10, "disable_2fa_remember": true, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://****************", "domain_origin": "*****://****************", "domain_path": "", "domain_set": true, "duo_host": null, "duo_ikey": null, "duo_skey": null, "email_attempts_limit": 3, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "extended_logging": true, "helo_name": null, "hibp_api_key": "***", "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "invitation_expiration_hours": 120, "invitation_org_name": "Bitwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": "/data/bitwarden.log", "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": 20480, "org_creation_users": "***", "org_events_enabled": true, "org_groups_enabled": true, "password_hints_allowed": false, "password_iterations": 600000, "push_enabled": true, "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "******,******************", "signups_verify": true, "signups_verify_resend_limit": 3, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "****************", "smtp_from_name": "Vaultwarden", "smtp_host": "*****************", "smtp_password": null, "smtp_port": 25, "smtp_security": "off", "smtp_ssl": false, "smtp_timeout": 15, "smtp_username": null, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": 60, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": 5121, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "websocket_address": "0.0.0.0", "websocket_enabled": false, "websocket_port": 3012, "yubico_client_id": "61202", "yubico_secret_key": "***", "yubico_server": null } ``` </details> <!-- How the server was installed: Docker image, OS package, built from source, etc. --> * Install method Docker * Clients used: Directory Connector * Reverse proxy and version: apache * MySQL/MariaDB or PostgreSQL version: mariadbsu * Other relevant details: ### Steps to reproduce <!-- Tell us how to reproduce this issue. What parameters did you set (differently from the defaults) and how did you start vaultwarden? --> 1. Create organisation and get API-Key 2. Configure Directory Connector to sync from AzureAD 3. After Users have been invited, remove one or more Users from the sync scope 4. Rerun sync ### Expected behaviour After removing the user from the sync scope, the user should be removed from the organisation, when "Overwrite existing organization users based on current sync settings." is activated ### Actual behaviour The User remains in the organisation and is not removed. ### Troubleshooting data The "test now" also doesn´t list the user under "deleted Users". The logfiles also don´t show any errors

GiteaMirror closed this issue 2026-04-23 06:10:34 -05:00

GiteaMirror commented 2026-04-23 06:10:36 -05:00

Author

Owner

Copy Link

@BlackDex commented on GitHub (Jul 12, 2023):

I have tested this using LDAP, and while it also doesn't show the users under the delete option for me, it does delete the actual user which is not in the list anymore. Just make sure have the correct flags set.

Also, if it doesn't list them as deleted, you probably need to clear the previous sync cache, and if you do that, it will remove the user from the organization. It does not remove the user it self, so they can still login and access there personal vault items.

This is not something we can fix, as the actual workings on removing and adding users works just fine.
It's just that the Directory Connector does not make a call to the server to update the status until you clear the cache.

So, it's either a bug in the Directory Connector, or, as what i think a limitation of LDAP (In my case). Since i think AzureAD has some flags available to support disabeling a user, and if that flag is found, the Directory Connector will detect that also, and mark it as deletion.

It might be possible to add this feature to LDAP by configuring it in the right way. But it needs the userAccountControl attribute.
a3c8629f6d/src/services/ldap-directory.service.ts (L305-L318)

And according to this page https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties#list-of-property-flags, it needs to be set to 2

<!-- gh-comment-id:1632647478 --> @BlackDex commented on GitHub (Jul 12, 2023): I have tested this using LDAP, and while it also doesn't show the users under the delete option for me, it does delete the actual user which is not in the list anymore. Just make sure have the correct flags set.  Also, if it doesn't list them as deleted, you probably need to clear the previous sync cache, and if you do that, it will remove the user from the organization. It does not remove the user it self, so they can still login and access there personal vault items. This is not something we can fix, as the actual workings on removing and adding users works just fine. It's just that the Directory Connector does not make a call to the server to update the status until you clear the cache. So, it's either a bug in the Directory Connector, or, as what i think a limitation of LDAP (In my case). Since i think AzureAD has some flags available to support disabeling a user, and if that flag is found, the Directory Connector will detect that also, and mark it as deletion. It might be possible to add this feature to LDAP by configuring it in the right way. But it needs the `userAccountControl` attribute. https://github.com/bitwarden/directory-connector/blob/a3c8629f6d4213b13b40bf0efcfcc33a76f2497c/src/services/ldap-directory.service.ts#L305-L318 And according to this page https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties#list-of-property-flags, it needs to be set to `2`

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

revert-7033-patch-1

cached-config-operations

test_dylint

1.36.0

1.35.8

1.35.7

1.35.6

1.35.5

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

better for forum

bug

documentation

duplicate

enhancement

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

SSO

Third party

troubleshooting

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#14432