CLI: Configuring password fails with "Cannot create an item in a locked collection" #24

Closed
fgierlinger opened this issue Jul 5, 2019 · 4 comments


@fgierlinger

Hello,

we are running bitwarden server on a linux server (CLI only) and wanted to add the directory synchronisation as a cronjob on the server. For that we installed the bitwarden connector cli and copied over the data.json file.

In the data.json file, the password for the ldap directory is not saved and even when replacing the [STORED SECURELY] string with the actual password, the bwdc cli-tool replaces it with null.

We then tried to add the password via bwdc config ldap.password PASS, but first received a message about X11.

# bwdc config ldap.password PASS
Cannot autolaunch D-Bus without X11 $DISPLAY

The solution of exporting the output of dbus-launch from darkyat in #17 worked, but led to the next error.

# export $(dbus-launch)
# bwdc config ldap.password PASS
** Message: 15:12:18.946: Remote error from secret service: org.freedesktop.Secret.Error.IsLocked: Cannot create an item in a locked collection
Cannot create an item in a locked collection

Executing bwdc sync tells me that the username and password are not configured, and it hangs until forcefully aborted with Ctrl+C.

# bwdc sync
Username/password are not configured.
Ctrl+C

Some system specs

# docker -v
Docker version 1.13.1, build b2f74b2/1.13.1
# bwdc -v
2.6.1

Cheers,
Frédéric

@kspearrin
Member

It seems like we just need an update that will allow people to optionally store the secret values in the data.json file in plaintext. Maybe an environment variable can override the default behavior that requires keytar/x11.

@kspearrin
Member

kspearrin commented Jul 5, 2019

Could you try the latest dev build from here:
https://ci.appveyor.com/project/bitwarden/directory-connector/build/job/lpitiinai8yusl50/artifacts

Then set the following environment variable:

export BITWARDENCLI_CONNECTOR_PLAINTEXT_SECRETS=true

This will allow you to then store and read the ldap password as a plaintext string in the data.json file.

This should also remove the dependency on keytar and x11.

NOTE: The desktop application is not compatible with plaintext secrets, so you will not be able to use it with the bwdc CLI app.
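
With plaintext secrets enabled, the LDAP password sits in data.json, so a cron wrapper can refuse to run bwdc sync unless that file is private to its owner. The following is an added example, not part of the original thread or the project's code; the DATA_JSON and BWDC variables and the function names are assumptions introduced here.

```shell
#!/bin/sh
# Added example: guard for a cron job that runs bwdc with plaintext secrets.
# Assumed variables (not from the project):
#   DATA_JSON  path to the data.json holding the plaintext LDAP password
#   BWDC       path to the bwdc binary (defaults to "bwdc" on PATH)

# Return 0 only if the file is a regular file (not a symlink), owned by the
# invoking user, and carries no permission bits for group or others.
secret_file_is_private() {
    f=$1
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "not a regular file: $f" >&2
        return 1
    fi
    if [ ! -O "$f" ]; then
        echo "not owned by the current user: $f" >&2
        return 1
    fi
    # First 10 characters of ls -l output are the type and mode string.
    perms=$(ls -ld -- "$f" | cut -c1-10)
    case $perms in
        -???------) return 0 ;;
        *)
            echo "group/other access on $f ($perms); fix with chmod 600" >&2
            return 1
            ;;
    esac
}

# Check the file, then run the sync with the variable scoped to that one
# process instead of exporting it into the whole cron environment.
run_sync() {
    data_json=${DATA_JSON:?set DATA_JSON to the path of data.json}
    secret_file_is_private "$data_json" || return 1
    BITWARDENCLI_CONNECTOR_PLAINTEXT_SECRETS=true "${BWDC:-bwdc}" sync
}

# Run only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    run_sync
fi
```

The mode check ignores ACLs, so a file with extended ACL entries needs a separate review.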

@fgierlinger
Author

It worked with the latest build and the environment variable set.

$ ./bwdc test
Cannot autolaunch D-Bus without X11 $DISPLAY
$ export BITWARDENCLI_CONNECTOR_PLAINTEXT_SECRETS=true
$ ./bwdc test
{"groups":[{"externalId":"...}]}

Before the successful run we had a blocked port between the host and the LDAP server and ran into a timeout. This led to an unhandled exception error.

./bwdc test
events.js:167
      throw er; // Unhandled 'error' event
      ^

Error: connect ETIMEDOUT 172.x.x.x:389
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1158:14)
Emitted 'error' event at:
    at Backoff.<anonymous> (/snapshot/directory-connector/node_modules/ldapjs/lib/client/client.js:1231:12)
    at Backoff.emit (events.js:182:13)
    at Backoff.backoff (/snapshot/directory-connector/node_modules/backoff/lib/backoff.js:41:14)
    at /snapshot/directory-connector/node_modules/ldapjs/lib/client/client.js:1217:15
    at f (/snapshot/directory-connector/node_modules/once/once.js:25:25)
    at Socket.onResult (/snapshot/directory-connector/node_modules/ldapjs/lib/client/client.js:1016:7)
    at Object.onceWrapper (events.js:273:13)
    at Socket.emit (events.js:182:13)
    at emitErrorNT (internal/streams/destroy.js:82:8)
    at emitErrorAndCloseNT (internal/streams/destroy.js:50:3)

@kspearrin
Member

Thanks for testing. I will close this now and add some documentation.
