Loom LDAP Browser provides multiple methods for supplying bind credentials. The credential method is specified in each connection profile using the `credential_method` field.

## Available Methods

Loom supports four credential methods:

- Prompt - Interactive password prompt in the TUI
- Command - Execute a shell command that outputs the password
- Keychain - Use the operating system keychain or credential manager
- Vault - Use loom's encrypted vault (requires `vault_enabled = true`)

## Prompt Method

The prompt method displays an interactive password prompt when connecting. This is the default and most straightforward method.

```toml
[[connections]]
name = "Production"
host = "ldap.example.com"
bind_dn = "cn=admin,dc=example,dc=com"
credential_method = "prompt"
```

### Environment Variable Override

You can set the `LOOM_PASSWORD` environment variable to skip the interactive prompt:

```bash
export LOOM_PASSWORD="secretpassword"
loom-ldapbrowser
```

Storing passwords in environment variables is convenient but less secure than other methods. The password may be visible in shell history or process listings.

### Use Cases

- Quick ad-hoc connections
- Testing and development
- When other credential methods are unavailable

## Command Method

The command method executes a shell command and uses its stdout (trimmed) as the password. This integrates with password managers and encrypted storage tools.

```toml
[[connections]]
name = "Production"
host = "ldap.example.com"
bind_dn = "cn=admin,dc=example,dc=com"
credential_method = "command"
password_command = "pass show ldap/prod"
```

### Command Examples

#### Unix pass (Password Store)

```toml
password_command = "pass show ldap/production"
```

#### 1Password CLI

```toml
password_command = "op read 'op://Vault/LDAP Production/password'"
```

#### Bitwarden CLI

```toml
password_command = "bw get password ldap-prod"
```

#### GPG-Encrypted File

```toml
password_command = "gpg --quiet --decrypt ~/.ldap-password.gpg"
```

#### macOS Keychain (via security command)

```toml
password_command = "security find-generic-password -w -s 'LDAP Production' -a 'admin'"
```

#### Custom Script

```toml
password_command = "/usr/local/bin/get-ldap-password.sh production"
```

### Command Requirements

- The command must write the password to stdout (standard output)
- Trailing newlines and carriage returns are automatically trimmed
- The command must exit with status code 0 (success)
- Any output to stderr is logged but ignored
- The command runs with `sh -c`, so shell features (pipes, redirects, variables) work

### Error Handling

If the command fails, loom displays an error message with the exit status and stderr output. The connection attempt is aborted.

### Security Considerations

- Use fully-qualified paths to prevent PATH hijacking
- Ensure the command script/binary has appropriate file permissions (e.g., `chmod 700`)
- Avoid embedding passwords in the command itself
- Commands run with the same privileges as loom (your user account)
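The harness below is an added example, not loom's own code. It applies the command contract documented above so a candidate `password_command` can be checked from a shell before it goes into a profile: the command runs through `sh -c`, must exit 0, trailing CR/LF are stripped from stdout, and stderr is reported only on failure. It additionally rejects empty output, which is an assumption made here; the page does not say how loom treats a command that prints nothing.

```shell
# Added example (not loom's own code): apply the documented password_command
# contract to a candidate command and print the password it would yield.
resolve_password_command() {
    cmd=$1
    err=$(mktemp) || return 1
    rc=0
    # Run through `sh -c`, exactly as documented; stderr is kept aside.
    # $(...) already drops trailing newlines from stdout.
    out=$(sh -c "$cmd" 2>"$err") || rc=$?
    if [ "$rc" -ne 0 ]; then
        # Mirror the documented error report: exit status plus stderr.
        printf 'password_command failed (exit %s): %s\n' "$rc" "$(cat "$err")" >&2
        rm -f "$err"
        return "$rc"
    fi
    rm -f "$err"
    # Strip any remaining trailing CR/LF, e.g. from output ending in "\r\n".
    cr=$(printf '\r')
    nl='
'
    while :; do
        case $out in
            *"$cr") out=${out%"$cr"} ;;
            *"$nl") out=${out%"$nl"} ;;
            *) break ;;
        esac
    done
    # Assumption (not stated on the page): an empty result is an error,
    # since an empty password is never what a profile intends.
    if [ -z "$out" ]; then
        echo 'password_command produced no output' >&2
        return 1
    fi
    printf '%s\n' "$out"
}

# Usage: resolve_password_command '/usr/bin/pass show ldap/prod'
```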
## Keychain Method

The keychain method uses the operating system's native credential storage:

- macOS: Keychain Access
- Linux: Secret Service API (GNOME Keyring, KWallet)
- Windows: Windows Credential Manager

```toml
[[connections]]
name = "Production"
host = "ldap.example.com"
bind_dn = "cn=admin,dc=example,dc=com"
credential_method = "keychain"
```

### First Connection

On the first connection attempt, loom prompts for the password and stores it in the keychain. Subsequent connections retrieve the password automatically.

### Keychain Entry Naming

Passwords are stored with:

- Service: `loom`
- Account: The connection profile name (e.g., `Production`)

### Managing Keychain Entries

#### macOS

Open Keychain Access and search for service `loom`. You can view, edit, or delete entries.

#### Linux (GNOME)

Use Seahorse (Passwords and Keys) to manage entries under the “Login” keychain.

#### Windows

Open Credential Manager and look for “Generic Credentials” with the prefix `loom`.

### Advantages

- Native OS integration
- Password encrypted at rest
- User-level access control
- Works across multiple applications

### Limitations

- Requires a desktop session with the keychain daemon running
- May not work in headless/SSH environments
- Keychain must be unlocked (usually happens at login)

## Vault Method

The vault method uses loom's built-in encrypted vault. This is a portable, cross-platform credential store protected by a master password.

```toml
[general]
vault_enabled = true

[[connections]]
name = "Production"
host = "ldap.example.com"
bind_dn = "cn=admin,dc=example,dc=com"
credential_method = "vault"
```

### Vault Setup

- Set `vault_enabled = true` in the `[general]` section
- On first launch, loom prompts you to create a master password
- The encrypted vault is stored at `~/.config/loom-ldapbrowser/vault.dat`

### Master Password

The vault master password can be provided via:

- Interactive prompt (default)
- Environment variable: `LOOM_VAULT_PASSWORD`
- Command-line flag: `--vault-password`

```bash
# Interactive prompt
loom-ldapbrowser

# Environment variable
export LOOM_VAULT_PASSWORD="masterpassword"
loom-ldapbrowser

# Command-line flag
loom-ldapbrowser --vault-password "masterpassword"
```

### Adding Passwords

When connecting with a vault-enabled profile for the first time, loom prompts for the password and stores it encrypted in the vault.

### Security Features

- AES-256-GCM encryption
- Argon2id key derivation (memory-hard, GPU-resistant)
- Per-credential encryption (no single point of failure)
- Vault file is portable across machines

### Vault File Location

Default: `~/.config/loom-ldapbrowser/vault.dat`

Override with `--vault /path/to/vault.dat`

### Backup Recommendations

- Back up `vault.dat` regularly
- Store the master password in a password manager
- If you lose the master password, the vault cannot be recovered

The vault file is strongly encrypted. There is no password recovery mechanism. If you forget the master password, you will need to delete `vault.dat` and recreate all credentials.

## Choosing a Method

| Method | Best For | Security Level | Convenience |
|---|---|---|---|
| Prompt | Ad-hoc connections, testing | Low (password in memory) | Medium |
| Command | Integration with existing password managers | High (depends on manager) | High |
| Keychain | Desktop users with OS keychain | High | High |
| Vault | Portable encrypted storage | High | Medium |

### Recommendations

- Desktop users: Use keychain for seamless OS integration
- CLI users: Use command with `pass`, `op`, or `gpg`
- Portable setups: Use vault for encrypted cross-machine storage
- Development: Use prompt with the `LOOM_PASSWORD` environment variable

## Security Best Practices

- Never store passwords in plaintext in configuration files
- Use read-only accounts when possible (set `read_only = true`)
- Rotate credentials regularly and update stored passwords
- Use service accounts rather than personal accounts for automated connections
- Audit keychain/vault access periodically
- Use TLS (`tls_mode = "auto"` or `"ldaps"`) to encrypt passwords in transit
- Restrict config file permissions: `chmod 600 ~/.config/loom-ldapbrowser/config.toml`
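A small audit for the file-permission and absolute-path points above, added here and not part of loom. It assumes the default config path and POSIX `ls`/`sed`, checks that the config is mode 600 and that every `password_command` begins with an absolute path, prints one line per finding, and returns the finding count as its exit status.

```shell
# Added example (not loom's own code): audit a loom config.toml for the
# practices above. Prints one line per finding; exit status = count.
audit_loom_config() {
    cfg=${1:-"$HOME/.config/loom-ldapbrowser/config.toml"}
    findings=0
    if [ ! -f "$cfg" ]; then
        echo "no config file at $cfg" >&2
        return 1
    fi
    # Portable mode check: first column of `ls -ld`, e.g. -rw-------
    mode=$(ls -ld "$cfg" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "FINDING: $cfg has mode $mode; expected -rw------- (chmod 600)"
        findings=$((findings + 1))
    fi
    # Collect every password_command whose first word is not an absolute
    # path (guards against PATH hijacking and "command not found").
    relative=$(
        sed -n 's/^[[:space:]]*password_command[[:space:]]*=[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p' "$cfg" |
        while IFS= read -r cmdline; do
            first=${cmdline%% *}
            case $first in
                /*) ;;
                *) printf '%s\n' "$cmdline" ;;
            esac
        done
    )
    if [ -n "$relative" ]; then
        printf '%s\n' "$relative" | while IFS= read -r cmdline; do
            echo "FINDING: password_command \"$cmdline\" does not start with an absolute path"
        done
        findings=$((findings + $(printf '%s\n' "$relative" | wc -l)))
    fi
    return "$findings"
}

# Usage: audit_loom_config ~/.config/loom-ldapbrowser/config.toml
```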
## Troubleshooting

### Command method fails with “command not found”

Use absolute paths:

```toml
password_command = "/usr/bin/pass show ldap/prod"
```

### Keychain method fails on Linux

Ensure the Secret Service daemon is running:

```bash
# Check for GNOME Keyring
ps aux | grep gnome-keyring
# Or KWallet
ps aux | grep kwalletd
```

### Vault password prompt appears repeatedly

Ensure `vault_enabled = true` is set in the `[general]` section. If the vault file is corrupted, delete `vault.dat` to start fresh.

### Password contains special characters

All methods handle special characters correctly, including quotes, newlines, and non-ASCII characters (UTF-8 encoded).