LDAP synchronized account is accepting different password

DrSommerkoffer · July 14, 2021, 3:44pm

I have installed Zammad 4.1 and I have created 3 users manually (admin and agent role). Later I have setup LDAP synchronization for customers, admins and agents. Everything worked find. But then I mentioned that my 3 users that I have created previously are able (after LDAP-synchronsation) to use there LDAP password AND there initially password from manually creation. I would expect that the old passwords would be “overwritten” by LDAP authentication. I only want to use LDAP authentication. Is there a way to deactivate the old credentials?

Used Zammad version: 4.1
Used Zammad installation type: source
Operating system: Ubuntu 20.04
Browser + version: Firefox 89.02

MrGeneration · July 29, 2021, 1:19pm

We do not synchronize ldap passwords.
Would be a bad behavior - we’re always running a live auth request to LDAP.

Our documentation does hint to this behavior:
https://admin-docs.zammad.org/en/latest/manage/roles/user-preferences-permissions.html

You could manually set the password to empty within a Zammad rails console (rails c) - like so:
User.find_by(login: 'john.doe').update(password: nil)

DrSommerkoffer · August 2, 2021, 3:38pm

Thank you very much for your feedback! I have tried to set the password to empty via rails console as described. First I’ve got the error message “Can’t fetch image for … (maybe no avatar available), http code: 422”. After deleting my avatar I was able to execute the command without error. But Zammad still accept my old password and the current password from LDAP.

MrGeneration · August 12, 2021, 3:41pm

That’s not helping.

Please post your command and the return (completely) here.
Make sure to mask your sensitive information like login and password.

DrSommerkoffer · August 16, 2021, 11:28am

Here is the command and the return. I have blurred my user name. It was written correctly and I understand the output that it worked well. But I’m still able to use my old initial password that was setup before configuring LDAP. LDAP password is working as well.

zammad01

dvnkln · August 16, 2021, 12:01pm

Hey @DrSommerkoffer ,

you’re missing the exclamation mark there:
User.find_by(login: 'you@example.com').update**!**(password: 'your_new_password')

Without the **** of course.

cheers

DrSommerkoffer · August 16, 2021, 3:09pm

Thanks for the quick answer. The zammad password isn’t set to “not set”. This is what “update!(password: nil)” should do. Isn’t it? And this may fix my issue but the initial password is still valid and working after executing. Here is the command and the output:

zammad02

MrGeneration · August 30, 2021, 7:36am

Yep, you’re right.
Removing the password doesn’t work in my Zammad 4.1 as well any more.

Could you please create a bug report at https://github/zammad/zammad and reference this thread?
Thanks!

system · December 28, 2021, 7:37am

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.