Your comments

I think you can do this by modifying the CSS in includes/css/passman.css

It might be a bit hard if you don't understand CSS though

I think what would help here, is if individual API tokens could be associated with a Role to restrict their access, rather than all API tokens just having the same global read/write over everything.

That way, puppet could use an API token with read-only privileges to just one part of the tree; other applications could have read/write to different sections.

Mike seems to be asking for the API privileges to be further restricted to certain fields in the item.  This would be good if we could define roles to have permissions at a field level rather than folder or item level, but it might be a bit hard to achieve, particularly with user-defined fields.

+1 for the idea of different roles for different API tokens

The ldap filter used to find the user object appears to be

     $filter = "(&(".$SETTINGS['ldap_user_attribute']."=$username)(objectClass=".$SETTINGS['ldap_object_class']."))";

however it would be good to be able to provide your own filter, so that you could (for example) restrict to just certain groups, or by other attributes.
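As an added illustration of the configurable-filter idea (this is not Teampass code; the attribute and object class values are assumptions), the helper below builds the user-lookup filter from two different kinds of input: the username, which comes from the login form and is RFC 4515-escaped so it can never alter the filter structure, and an optional administrator-supplied extra filter from settings (for example a `memberOf` group restriction) that is AND-ed onto the base filter after a basic well-formedness check.

```python
# Characters that RFC 4515 requires to be escaped inside a filter assertion value.
_LDAP_FILTER_SPECIALS = "\\*()\x00"


def ldap_escape_filter_value(value: str) -> str:
    """Escape a value for interpolation into an LDAP search filter.

    Each special character becomes a backslash followed by its two-digit hex
    code, so data from the login form cannot open or close a filter component.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in _LDAP_FILTER_SPECIALS else ch for ch in value
    )


def _is_balanced_filter(expr: str) -> bool:
    """Sanity check for an admin-supplied filter fragment: it must be a
    parenthesised expression whose parentheses are balanced, otherwise
    AND-ing it onto the base filter would produce an invalid filter."""
    if not (expr.startswith("(") and expr.endswith(")")):
        return False
    depth = 0
    for ch in expr:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def build_user_filter(username: str,
                      user_attribute: str = "sAMAccountName",   # assumed setting value
                      object_class: str = "user",               # assumed setting value
                      extra_filter: str = None) -> str:
    """Build the filter that locates a user's LDAP object.

    `username` is untrusted and is escaped.  `extra_filter`, if given, is a
    complete filter expression configured by the administrator and is AND-ed
    with the base filter, which is how a "members of group X only" or
    "attribute Y set" restriction can be expressed without code changes.
    """
    components = [
        "(%s=%s)" % (user_attribute, ldap_escape_filter_value(username)),
        "(objectClass=%s)" % ldap_escape_filter_value(object_class),
    ]
    if extra_filter:
        if not _is_balanced_filter(extra_filter):
            raise ValueError("extra LDAP filter is not a well-formed filter expression")
        components.append(extra_filter)
    return "(&%s)" % "".join(components)


if __name__ == "__main__":
    print(build_user_filter("alice"))
    print(build_user_filter(
        "alice",
        extra_filter="(memberOf=CN=TeampassUsers,OU=Groups,DC=example,DC=com)",
    ))
```

The group name and DN in the usage call are constructed examples. The only value that should ever be escaped is the one typed by the user; the administrator's filter is trusted configuration and is checked for shape, not escaped, since escaping it would destroy its meaning.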

This could be problematic if a search matches more than one item.

Maybe have an API search function that returns a list of fully-qualified item names (i.e. with path and everything) so that a second call can be made to retrieve whichever one is required?

(This is the way the equivalent calls in Thycotic's SecretServer do it)
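The two-call pattern proposed above (search returning fully-qualified names, then a fetch by exact name), combined with the earlier suggestion of scoping each API token to a role, worked through as an added Python model. This is example code, not Teampass's API; the tree layout, item names and token fields are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Tuple


@dataclass
class Item:
    name: str
    login: str
    password: str


@dataclass
class Folder:
    items: Dict[str, Item] = field(default_factory=dict)
    subfolders: Dict[str, "Folder"] = field(default_factory=dict)


@dataclass(frozen=True)
class ApiToken:
    token_id: str
    scope: str        # folder path the token is confined to; "" means the whole tree
    permission: str   # "read" or "write"


def add_item(root: Folder, folder_path: str, item: Item) -> None:
    """Create intermediate folders as needed and store the item."""
    folder = root
    for part in [p for p in folder_path.split("/") if p]:
        folder = folder.subfolders.setdefault(part, Folder())
    folder.items[item.name] = item


def walk(folder: Folder, prefix: str = "") -> Iterator[Tuple[str, Item]]:
    """Yield (fully-qualified name, item) for every item under `folder`."""
    for name, item in folder.items.items():
        yield prefix + name, item
    for name, sub in folder.subfolders.items():
        yield from walk(sub, prefix + name + "/")


def in_scope(token: ApiToken, fq_name: str) -> bool:
    """True when the item's path lies inside the folder the token is scoped to.
    Comparison is done on path components so "infra/pup" does not match "infra/puppet"."""
    scope_parts = [p for p in token.scope.split("/") if p]
    return fq_name.split("/")[:len(scope_parts)] == scope_parts


def search(root: Folder, token: ApiToken, item_name: str) -> List[str]:
    """First API call: every fully-qualified name matching `item_name` that the
    token is allowed to see, so the caller can choose one unambiguously."""
    return sorted(fq for fq, item in walk(root)
                  if item.name == item_name and in_scope(token, fq))


def get_item(root: Folder, token: ApiToken, fq_name: str) -> Item:
    """Second API call: fetch exactly one item by its fully-qualified name."""
    if not in_scope(token, fq_name):
        raise PermissionError("token %s may not read %s" % (token.token_id, fq_name))
    for fq, item in walk(root):
        if fq == fq_name:
            return item
    raise KeyError(fq_name)


def set_password(root: Folder, token: ApiToken, fq_name: str, new_password: str) -> None:
    """Write path: a read-only token (e.g. one handed to Puppet) is refused."""
    if token.permission != "write":
        raise PermissionError("token %s is read-only" % token.token_id)
    get_item(root, token, fq_name).password = new_password


def build_sample_tree() -> Folder:
    # Constructed sample data: the same item name exists in two different folders.
    root = Folder()
    add_item(root, "infra/puppet", Item("db-password", "puppet", "p-secret"))
    add_item(root, "infra/puppet", Item("api-key", "puppet", "k-secret"))
    add_item(root, "apps/billing", Item("db-password", "billing", "b-secret"))
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    puppet_token = ApiToken("t-puppet", scope="infra/puppet", permission="read")
    print(search(tree, puppet_token, "db-password"))   # only the puppet copy is visible
```

Because `search` only ever returns names inside the token's scope, a caller holding a restricted token cannot even learn that a same-named item exists elsewhere in the tree, which is the property you want from per-token roles.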

To be honest, I think you'd be better off having 2 teampass servers with local mysql databases, then set up a master-slave replication from A to B, and have an haproxy over the top in active/passive mode.  Set server B to be read-only.  Then you have a hot read-only standby, and it's more secure than having a whole galera cluster to bother about.  You can also do regular mysql dumps on both servers for backup purposes.

When you define the LDAP, have "Teampass local users only" set to NO.  This will create the users in Teampass on their first login, but with no role (only personal space, if you have that enabled).

Then you can log in as admin, select Manage Users, then edit a user to add them to the role(s) you want.

You can link Teampass to the AD LDAP for authentication.  However there is not currently a way to link a Role to an AD Group.  You need to manually assign each user to a Role via the admin interface.

We cheated by modifying the teampass code so that newly-created users default to a specific set of Roles and options

Sounds like your cluster is already out of sync.  I would completely reset your cluster; i.e. on the non-primary nodes, completely wipe the mysql data directory and restart forcing a full state transfer so that you know all nodes are in sync.  Drop the database and recreate it in the new clean cluster.  Then run your install via the primary node only (if you have a load balancer over the top or something then make it active-standby rather than active-active to prevent race conditions when doing complex operations).  Once all is set up, you can run via the load balancer as you won't be doing large index operations any more.

E.g. something like this (but it also needs the UI code for editing the setting, of course):

            } else {
                // verify the user GA code, allowing a configurable clock-drift window:
                // ga_discrepancy is the number of 30-second steps accepted either side of "now"
                // (defaults to 1 when the setting has not been defined)
                $gaDiscrepancy = isset($SETTINGS['ga_discrepancy']) ? (int) $SETTINGS['ga_discrepancy'] : 1;
                if ($tfa->verifyCode($data['ga'], $dataReceived['GACode'], $gaDiscrepancy)) {
                    $proceedIdentification = true;
                } else {
                    $proceedIdentification = false;
                    $logError = "ga_code_wrong";
                }
            }
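To show what the discrepancy setting actually controls, here is an added stand-alone Python implementation of TOTP verification with a configurable window (not Teampass code and not the library behind `$tfa`; the function names are my own). It also records the counter that matched so a code cannot be accepted twice within the window. The secret is the RFC 6238 test vector, used here as constructed test data.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 test secret (constructed test data, not a real seed)
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, timestamp // step, digits)


def verify_code(secret: bytes, submitted: str, discrepancy: int = 1,
                timestamp: Optional[int] = None, last_used_counter: Optional[int] = None,
                step: int = 30, digits: int = 6) -> Optional[int]:
    """Return the counter that produced `submitted`, or None if it is rejected.

    `discrepancy` is the number of time steps accepted either side of the
    current one (the role of the ga_discrepancy setting): 1 tolerates about
    30 seconds of clock drift on the phone, 2 about a minute, and so on.
    A counter at or below `last_used_counter` is refused so that a code
    already used for a successful login cannot be replayed inside the window.
    """
    if timestamp is None:
        timestamp = int(time.time())
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    now_counter = timestamp // step
    for delta in range(-discrepancy, discrepancy + 1):
        counter = now_counter + delta
        if counter < 0:
            continue
        # constant-time comparison; codes are short but the habit is cheap
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            if last_used_counter is not None and counter <= last_used_counter:
                return None
            return counter
    return None


if __name__ == "__main__":
    code = totp(DEMO_SECRET, 59)
    print(code, verify_code(DEMO_SECRET, code, discrepancy=1, timestamp=59))
```

A larger discrepancy makes life easier for users with badly-synced phones but widens the set of codes that are valid at any instant; the replay check keeps that widening from also meaning a single observed code is usable more than once.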

+1 for this

I suppose the auto-generate routines could also be given an option of avoiding ambiguous characters (i.e. no 0, O, l, I, 1), though that reduces the entropy of the generated passwords.

Using Courier (or a similar monospaced) font for displaying the passwords so they can be visually copied is a good idea.  I have also seen other systems where they can display the password phonetically (i.e. "foo1" is displayed as "foxtrot - oscar - oscar - one") for reading out.
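The two suggestions above (an option to drop ambiguous characters, with the entropy cost it carries, and a phonetic rendering for reading a password out) as one added Python example. This is not Teampass's generator; the character set, the ambiguous set and the symbol words are choices made for the example.

```python
import math
import secrets
import string

# Characters commonly confused in print or on screen (example choice)
AMBIGUOUS = set("0O1lI")

NATO = {
    "a": "alfa", "b": "bravo", "c": "charlie", "d": "delta", "e": "echo",
    "f": "foxtrot", "g": "golf", "h": "hotel", "i": "india", "j": "juliett",
    "k": "kilo", "l": "lima", "m": "mike", "n": "november", "o": "oscar",
    "p": "papa", "q": "quebec", "r": "romeo", "s": "sierra", "t": "tango",
    "u": "uniform", "v": "victor", "w": "whiskey", "x": "xray", "y": "yankee",
    "z": "zulu",
}
DIGIT_WORDS = {
    "0": "zero", "1": "one", "2": "two", "3": "three", "4": "four",
    "5": "five", "6": "six", "7": "seven", "8": "eight", "9": "nine",
}
SYMBOL_WORDS = {"-": "dash", "_": "underscore", ".": "dot", "!": "exclamation",
                "@": "at", "#": "hash", "$": "dollar", "%": "percent"}


def build_alphabet(avoid_ambiguous: bool = False) -> str:
    """Alphanumeric alphabet, optionally with the easily-confused characters removed."""
    chars = string.ascii_letters + string.digits
    if avoid_ambiguous:
        chars = "".join(c for c in chars if c not in AMBIGUOUS)
    return chars


def entropy_bits(length: int, alphabet: str) -> float:
    """Entropy of a uniformly random password of `length` over `alphabet`:
    length * log2(|alphabet|).  Shrinking the alphabet lowers this per character."""
    return length * math.log2(len(alphabet))


def generate_password(length: int = 16, avoid_ambiguous: bool = False) -> str:
    """Uniformly random password from the CSPRNG (secrets), never random.random."""
    alphabet = build_alphabet(avoid_ambiguous)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def phonetic(password: str) -> str:
    """Render a password as spoken words; upper-case letters are prefixed 'capital'."""
    words = []
    for ch in password:
        if ch.isalpha() and ch.lower() in NATO:
            word = NATO[ch.lower()]
            words.append("capital " + word if ch.isupper() else word)
        elif ch in DIGIT_WORDS:
            words.append(DIGIT_WORDS[ch])
        else:
            words.append(SYMBOL_WORDS.get(ch, "symbol " + ch))
    return " - ".join(words)


if __name__ == "__main__":
    for avoid in (False, True):
        alphabet = build_alphabet(avoid)
        pw = generate_password(16, avoid)
        print("avoid_ambiguous=%s  %d chars  %.1f bits  %s" %
              (avoid, len(alphabet), entropy_bits(16, alphabet), pw))
        print("   " + phonetic(pw))
```

With the five ambiguous characters removed the per-character entropy drops from log2(62) to log2(57), just under 0.12 bits per character, so for a 16-character password the cost is about two bits; the practical answer is to add a character or two of length when the option is enabled.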