Authentication Methods

Loom supports multiple authentication methods to securely manage LDAP bind credentials.

Credential Methods Overview

Choose the method that best fits your security requirements:

Method	Description	Best For
Prompt	Interactive password entry	Ad-hoc connections, development
Command	Execute shell command for password	Integration with password managers
Keychain	OS-native credential storage	Convenience with system security
Vault	Loom’s encrypted vault	Portable encrypted storage

The credential method is configured per connection profile. Different profiles can use different methods.

Prompt Method

The simplest method - Loom asks for the password when needed.

Configuration

[[connections]]
name = "My Server"
host = "ldap.example.com"
bind_dn = "cn=admin,dc=example,dc=com"
credential_method = "prompt"

Behavior

Startup Connection
In-TUI Connection

If connecting on startup, you’ll see a terminal password prompt:

Password for cn=admin,dc=example,dc=com: _

Type the password (hidden) and press Enter.

If opening a connection after startup, a password dialog appears in the TUI:

┌─ Enter Password ─────────────────────┐
│                                      │
│ Bind DN: cn=admin,dc=example,dc=com  │
│                                      │
│ Password: **********                 │
│                                      │
│ [Enter] Connect  [Esc] Cancel        │
└──────────────────────────────────────┘

Environment Variable

Skip the prompt by setting LOOM_PASSWORD:

export LOOM_PASSWORD="your-password"
loom-ldapbrowser

Environment variables are visible to other processes and may be logged. Only use this for testing or in secure environments.

Command Method

Execute a shell command to retrieve the password. Works with any password manager or script.

Configuration

[[connections]]
name = "Production"
host = "ldap.example.com"
bind_dn = "cn=admin,dc=example,dc=com"
credential_method = "command"
password_command = "pass show ldap/prod"

How It Works

Loom executes password_command via sh -c
Reads the password from stdout
Trims trailing newlines
Uses the password for LDAP bind

The command must print only the password to stdout. Prompts, warnings, or extra output will cause authentication to fail.

Password Manager Examples

pass - the standard Unix password manager:

credential_method = "command"
password_command = "pass show ldap/production"

Retrieves the password from ~/.password-store/ldap/production.gpg.

Store the password with:

pass insert ldap/production

1Password CLI:

credential_method = "command"
password_command = "op read 'op://Vault/LDAP Production/password'"

Replace Vault and LDAP Production with your vault and item names.

Requires 1Password CLI (op) to be installed and authenticated.

Bitwarden CLI:

credential_method = "command"
password_command = "bw get password 'LDAP Production'"

Session must be unlocked. Set BW_SESSION environment variable or use bw unlock.

Decrypt a GPG-encrypted password file:

credential_method = "command"
password_command = "gpg --quiet --decrypt ~/.ldap-password.gpg"

Create the encrypted file:

echo -n "your-password" | gpg --encrypt --recipient [email protected] > ~/.ldap-password.gpg

Retrieve from macOS Keychain using security:

credential_method = "command"
password_command = "security find-generic-password -w -s 'LDAP Production' -a 'admin'"

Store the password:

security add-generic-password -s "LDAP Production" -a "admin" -w "your-password"

Consider using the native “keychain” method instead for better integration.

Any script that outputs a password:

credential_method = "command"
password_command = "/home/user/bin/get-ldap-password.sh production"

Example script:

#!/bin/bash
# get-ldap-password.sh
environment="$1"
# Your custom logic here
echo -n "retrieved-password"

Make it executable:

chmod +x /home/user/bin/get-ldap-password.sh

Keychain Method

Uses your operating system’s native credential storage.

Configuration

[[connections]]
name = "Production"
host = "ldap.example.com"
bind_dn = "cn=admin,dc=example,dc=com"
credential_method = "keychain"

Platform Support

macOS
Linux
Windows

Keychain AccessPasswords are stored in macOS Keychain with:

Service: loom
Account: Connection profile name (e.g., Production)

View/edit stored passwords:

Open Keychain Access app
Search for loom
Double-click the entry to view/edit

Secret Service (GNOME Keyring, KWallet)Requires a Secret Service provider:

GNOME: gnome-keyring
KDE: kwallet
Others: keepassxc (with Secret Service enabled)

If no Secret Service is available, keychain method will fail. Use “command” or “prompt” instead.

Windows Credential ManagerPasswords are stored in Windows Credential Manager with:

Target: loom/[profile-name]
Username: Bind DN

View/edit stored passwords:

Open Control Panel → Credential Manager
Click Windows Credentials
Find entries starting with loom/

Storing Passwords

On first connection with keychain method:

Loom prompts for the password
After successful authentication, asks: “Save password to keychain?”
If you confirm, the password is stored
Future connections retrieve it automatically

To update a stored password, delete the keychain entry manually and reconnect. Loom will prompt for the new password.

Vault Method

Loom’s built-in encrypted vault for portable, secure storage.

Configuration

Enable vault in general settings:

[general]
vault_enabled = true

[[connections]]
name = "Production"
host = "ldap.example.com"
bind_dn = "cn=admin,dc=example,dc=com"
credential_method = "vault"

Vault Setup

Enable Vault

Add to your config.toml:

[general]
vault_enabled = true

First Launch

On first launch with vault enabled, you’ll be prompted to create a master password:

Create vault master password: _
Confirm master password: _

Store this password safely! There is no password recovery. If forgotten, you’ll lose access to all vault credentials.

Store Credentials

When connecting to a profile with credential_method = "vault":

Loom prompts for the bind password
After successful bind, asks: “Store in vault?”
Password is encrypted and stored

Future Connections

On subsequent launches:

Loom prompts for vault master password (once per session)
All vault credentials are decrypted and available

Vault Location

Linux/macOS: ~/.config/loom-ldapbrowser/vault.dat
Windows: %APPDATA%\loom-ldapbrowser\vault.dat

The vault file is encrypted with AES-256. Backup this file to preserve your stored credentials.

Command-Line Options

# Use custom vault location
loom-ldapbrowser --vault /path/to/vault.dat

# Provide master password via CLI (not recommended)
loom-ldapbrowser --vault-password "master-password"

# Provide via environment variable
export LOOM_VAULT_PASSWORD="master-password"
loom-ldapbrowser

Anonymous Bind

Connect without authentication by leaving bind_dn empty:

[[connections]]
name = "Public Server"
host = "ldap.example.com"
base_dn = "dc=example,dc=com"
# bind_dn is omitted

Anonymous access is often restricted. You may only see public entries or have limited search capabilities.

Security Best Practices

Choose the right method

Production servers:

✅ Use “keychain” or “vault” for persistent storage
✅ Use “command” with a password manager
❌ Avoid “prompt” with LOOM_PASSWORD env var

Development/testing:

✅ Use “prompt” for temporary access
✅ Use “command” if you have a password manager setup

Protect master passwords

Vault master password:

Choose a strong, unique password
Store in your personal password manager
Never share or commit to version control
There is no recovery mechanism

Password manager:

Use your password manager’s security features
Enable MFA/2FA if available
Keep the password manager locked when not in use

Don't commit credentials

When sharing config.toml:✅ Do:

credential_method = "prompt"  # Forces user to provide password

❌ Don’t:

password = "plaintext-password"  # Never store passwords in config!

Loom does not support storing passwords in config.toml. Use credential methods instead.

Use read-only accounts when possible

For browsing/auditing:

bind_dn = "cn=readonly,dc=example,dc=com"
read_only = true

Limits damage if credentials are compromised.

Rotate credentials regularly

Periodically update LDAP bind passwords:

Change the password on the LDAP server
Update stored credentials:
- Keychain: Delete entry, reconnect to store new password
- Vault: Reconnect, Loom will prompt and update
- Command: Update the password in your password manager

Troubleshooting

Keychain access denied

macOS:

Open Keychain Access
Search for loom
Click “Access Control” tab
Add loom-ldapbrowser to allowed applications

Linux:

Ensure a Secret Service provider is running:

ps aux | grep -E "gnome-keyring|kwallet"

Install if missing:

# GNOME
sudo apt install gnome-keyring

# KDE
sudo apt install kwalletmanager

Windows:

Run Loom with administrator privileges once to grant access
Check Windows Defender isn’t blocking credential access

Password command fails

If command method returns an error:

Test the command manually:
```
sh -c "pass show ldap/prod"
```
Ensure it prints only the password
Check command output:
- No prompts or interactive input
- No extra text or formatting
- Command exits with status 0
Check PATH: The command must be in Loom’s PATH. Use full paths if needed:
```
password_command = "/usr/local/bin/pass show ldap/prod"
```

Vault password forgotten

Unfortunately, there is no password recovery for the vault.Options:

Delete vault.dat and start fresh (loses all stored passwords)
Restore from backup if available
Switch affected profiles to a different credential method

Vault encryption is intentionally unrecoverable without the master password.

Bind fails with stored credentials

If authentication fails despite stored credentials:

Verify password is correct:
- Delete stored credential
- Reconnect with prompt method
- Re-store if successful
Check bind DN format:
- OpenLDAP: cn=admin,dc=example,dc=com
- Active Directory: [email protected] or DOMAIN\admin
Check server logs:
- Look for bind failures
- Verify account isn’t locked

Method Comparison

Feature	Prompt	Command	Keychain	Vault
Security	Medium	High*	High	High
Convenience	Low	High	High	High
Portability	High	Medium	Low	Medium
Setup Complexity	None	Medium	Low	Low
Cross-platform	Yes	Yes	Yes**	Yes
Backup/Sync	N/A	External	System	Manual

* Depends on password manager security
** Requires platform-specific credential store

Next Steps

Connection Profiles

Configure profiles with credential methods

Connecting

Connect to LDAP servers

Configuration

Complete configuration reference

TLS Modes

TLS connection modes and security

Get Started

User Guide

Features

Credential Methods Overview

Prompt Method

Configuration

Behavior

Environment Variable

Command Method

Configuration

How It Works

Password Manager Examples

Keychain Method

Configuration

Platform Support

Storing Passwords

Vault Method

Configuration

Vault Setup

Vault Location

Command-Line Options

Anonymous Bind

Security Best Practices

Troubleshooting

Method Comparison

Next Steps

Connection Profiles

Connecting

Configuration

TLS Modes

Build docs developers (and LLMs) love

Get Started

User Guide

Features

​Credential Methods Overview

​Prompt Method

​Configuration

​Behavior

​Environment Variable

​Command Method

​Configuration

​How It Works

​Password Manager Examples

​Keychain Method

​Configuration

​Platform Support

​Storing Passwords

​Vault Method

​Configuration

​Vault Setup

​Vault Location

​Command-Line Options

​Anonymous Bind

​Security Best Practices

​Troubleshooting

​Method Comparison

​Next Steps

Connection Profiles

Connecting

Configuration

TLS Modes

Build docs developers (and LLMs) love

Credential Methods Overview

Prompt Method

Configuration

Behavior

Environment Variable

Command Method

Configuration

How It Works

Password Manager Examples

Keychain Method

Configuration

Platform Support

Storing Passwords

Vault Method

Configuration

Vault Setup

Vault Location

Command-Line Options

Anonymous Bind

Security Best Practices

Troubleshooting

Method Comparison

Next Steps