You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the bug
With the new option "update internal password on login" (password_login_update_internal_password) disabled, I expected, that passwords are not written to the database anymore.
But the password is still written to the internal database, if a user changes his password via authentik.
To Reproduce
Steps to reproduce the behavior:
configure an LDAP source
disable "update internal password on login" for this source (the default for new sources)
login to authentik with an LDAP account username
verify, that the content of the password field in the authentik_core_user table for this user is still empty
change the password of the user in authentik's password change dialog (new password: pw1)
the password field of the authentik_core_user table is non-empty (probably containing the hash of pw1)
change the password directly in the LDAP directory (not via authentik) to pw2
try to login into authentik with pw1: works (probably based on the password field stored in authentik's database)
try to login into authentik with pw2: works (probably based on the password stored in LDAP)
Expected behavior
I expected, that the new setting "update internal password on login" is supposed to fix issue #6122 (it was closed by #8377).
In this case, the password field should never be written.
Thus, the following details seem to be undesirable from my point of view:
The password field in the authentik_core_user table should stay empty under all circumstances.
The old password (pw1) should not be usable anymore after a password change in LDAP.
Version and Deployment (please complete the following information):
authentik version: 2024.4.0
Deployment: docker-compose
The text was updated successfully, but these errors were encountered:
Well, that's really up to the admin to configure. If you don't want your user to be able to change their password (because they should use the LDAP one), then they should be denied to run a password change flow (by default default-password-change).
password changes made via authentik are synchronized by authentik to our LDAP server
This works beautifully and is in line with the intended use-case of the LDAP feature in authentik.
The only problem is, that authentik is storing a password in its own internal database, even though the configuration setting "update internal password on login" is disabled. This was probably just an oversight and should (IMO) obviously be fixed.
Describe the bug
With the new option "update internal password on login" (
password_login_update_internal_password
) disabled, I expected, that passwords are not written to the database anymore.But the password is still written to the internal database, if a user changes his password via authentik.
To Reproduce
Steps to reproduce the behavior:
password
field in theauthentik_core_user
table for this user is still emptypw1
)password
field of theauthentik_core_user
table is non-empty (probably containing the hash ofpw1
)pw2
pw1
: works (probably based on thepassword
field stored in authentik's database)pw2
: works (probably based on the password stored in LDAP)Expected behavior
I expected, that the new setting "update internal password on login" is supposed to fix issue #6122 (it was closed by #8377).
In this case, the password field should never be written.
Thus, the following details seem to be undesirable from my point of view:
password
field in theauthentik_core_user
table should stay empty under all circumstances.pw1
) should not be usable anymore after a password change in LDAP.Version and Deployment (please complete the following information):
The text was updated successfully, but these errors were encountered: