
LDAP source: internal password is written after password change (without "update internal password on login") #9518

Open
sumpfralle opened this issue Apr 30, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@sumpfralle

Describe the bug
With the new option "update internal password on login" (password_login_update_internal_password) disabled, I expected that passwords would not be written to the database anymore.
But the password is still written to the internal database if a user changes his password via authentik.

To Reproduce
Steps to reproduce the behavior:

  1. configure an LDAP source
  2. disable "update internal password on login" for this source (the default for new sources)
  3. log in to authentik with an LDAP account username
  4. verify that the content of the password field in the authentik_core_user table for this user is still empty
  5. change the password of the user in authentik's password change dialog (new password: pw1)
  6. the password field of the authentik_core_user table is non-empty (probably containing the hash of pw1)
  7. change the password directly in the LDAP directory (not via authentik) to pw2
  8. try to log in to authentik with pw1: works (probably based on the password field stored in authentik's database)
  9. try to log in to authentik with pw2: works (probably based on the password stored in LDAP)

Expected behavior
I expected that the new setting "update internal password on login" was supposed to fix issue #6122 (it was closed by #8377).
In this case, the password field should never be written.

Thus, the following details seem undesirable from my point of view:

  • The password field in the authentik_core_user table should stay empty under all circumstances.
  • The old password (pw1) should not be usable anymore after a password change in LDAP.

Version and Deployment (please complete the following information):

  • authentik version: 2024.4.0
  • Deployment: docker-compose
@sumpfralle sumpfralle added the bug Something isn't working label Apr 30, 2024
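The check behind steps 4 and 6 of the report is a look at the `password` column of `authentik_core_user` (the column authentik inherits from Django's AbstractUser). The script below is an added example, not authentik's own code: it takes rows as a `SELECT username, password FROM authentik_core_user;` would return them, classifies what each password field holds using Django's storage conventions (empty string, the `!` prefix written by `set_unusable_password()`, or `<algorithm>$...` for a usable hash), and reports LDAP-only users whose internal password is nevertheless usable. The sample rows, hash strings and the `LDAP_ONLY_USERS` set are constructed for the demonstration; in a real deployment the set of LDAP-backed users would be taken from the source's user connections.

```python
"""Audit which authentik users still have a usable internal password hash.

Added example (not part of the authentik project). It mirrors steps 4 and 6
of the bug report: inspect authentik_core_user.password for users that are
expected to authenticate only against LDAP.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Django writes "!" followed by random characters when set_unusable_password() is called.
UNUSABLE_PREFIX = "!"


@dataclass(frozen=True)
class UserRow:
    """One row of: SELECT username, password FROM authentik_core_user;"""
    username: str
    password: str  # raw contents of the password column


def classify_internal_password(encoded: str) -> str:
    """Describe what the password column holds without verifying the hash.

    Returns "empty", "unusable", "hash:<algorithm>" or "unknown".
    """
    if encoded == "":
        return "empty"
    if encoded.startswith(UNUSABLE_PREFIX):
        return "unusable"
    # Django's make_password() stores "<algorithm>$<params>$<salt>$<digest>".
    algorithm, sep, _rest = encoded.partition("$")
    return f"hash:{algorithm}" if sep and algorithm else "unknown"


def users_with_internal_password(
    rows: Iterable[UserRow], ldap_only_usernames: Set[str]
) -> List[Tuple[str, str]]:
    """Return (username, classification) for LDAP-only users whose internal
    password is usable, i.e. the condition the bug report considers undesirable.
    """
    findings = []
    for row in rows:
        if row.username not in ldap_only_usernames:
            continue
        kind = classify_internal_password(row.password)
        if kind not in ("empty", "unusable"):
            findings.append((row.username, kind))
    return findings


# Constructed sample data; the hash strings are placeholders, not real digests.
SAMPLE_ROWS = [
    UserRow("akadmin", "argon2$argon2id$v=19$m=102400,t=2,p=8$c2FsdA$ZGlnZXN0"),
    UserRow("alice", "pbkdf2_sha256$600000$c2FsdA$ZGlnZXN0"),  # LDAP user after step 6
    UserRow("bob", ""),                                       # LDAP user as in step 4
    UserRow("carol", "!x7kq2mPz9LwQf3vB1tYdN4rS"),             # unusable marker
]
LDAP_ONLY_USERS = {"alice", "bob", "carol"}


if __name__ == "__main__":
    for username, kind in users_with_internal_password(SAMPLE_ROWS, LDAP_ONLY_USERS):
        print(f"{username}: internal password is usable ({kind})")
```

Running it against the constructed rows flags only `alice`, the user whose password was changed through authentik; `akadmin` is skipped because it is not LDAP-backed, and `bob`/`carol` have no usable internal password. Pointing the same logic at a real export is a quick way to confirm the behaviour described in steps 4 to 6 before and after a fix.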
@rissson
Member

rissson commented Jun 20, 2024

Well, that's really up to the admin to configure. If you don't want your users to be able to change their password (because they should use the LDAP one), then they should be denied from running a password change flow (by default default-password-change).

@sumpfralle
Author

Just for clarification of the use case:

  • passwords are changed in authentik
  • password changes made via authentik are synchronized by authentik to our LDAP server

This works beautifully and is in line with the intended use-case of the LDAP feature in authentik.

The only problem is that authentik is storing a password in its own internal database, even though the configuration setting "update internal password on login" is disabled. This was probably just an oversight and should (IMO) obviously be fixed.
