LDAP-synchronized account is accepting a different password

I have installed Zammad 4.1 and I have created 3 users manually (admin and agent role). Later I set up LDAP synchronization for customers, admins and agents. Everything worked fine. But then I noticed that my 3 users that I had created previously are able (after LDAP synchronization) to use their LDAP password AND their initial password from the manual creation. I would expect that the old passwords would be "overwritten" by LDAP authentication. I only want to use LDAP authentication. Is there a way to deactivate the old credentials?

  • Used Zammad version: 4.1
  • Used Zammad installation type: source
  • Operating system: Ubuntu 20.04
  • Browser + version: Firefox 89.02

We do not synchronize LDAP passwords.
That would be bad behavior - we're always running a live auth request to LDAP.

Our documentation does hint at this behavior:
https://admin-docs.zammad.org/en/latest/manage/roles/user-preferences-permissions.html

You could manually set the password to empty within a Zammad rails console (rails c) - like so:
User.find_by(login: 'john.doe').update(password: nil)

Thank you very much for your feedback! I have tried to set the password to empty via the rails console as described. First I got the error message "Can't fetch image for … (maybe no avatar available), http code: 422". After deleting my avatar I was able to execute the command without error. But Zammad still accepts my old password and the current password from LDAP.

That’s not helping.

Please post your command and the return (completely) here.
Make sure to mask your sensitive information like login and password.

Here is the command and the return. I have blurred my user name. It was written correctly and I understand from the output that it worked. But I'm still able to use my old initial password that was set up before configuring LDAP. The LDAP password is working as well.

[screenshot zammad01: rails console command and output, not included]

Hey @DrSommerkoffer ,

you're missing the exclamation mark there:
User.find_by(login: 'you@example.com').update!(password: 'your_new_password')

cheers
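The two console suggestions above (clearing the password with `update`, then with `update!`) differ in how a failed save is reported, which is what the avatar error in this thread exercises. The following is an added example, not Zammad's own code: a small stand-in for an ActiveRecord user that models the `update` / `update!` contract (return `false` versus raise), a constructed fake LDAP directory in place of a live bind, and an authentication order that accepts a stored local digest as well as LDAP. The names `LocalUser`, `FakeLdap`, `authenticate`, `run_demo` and the local-before-LDAP order are assumptions for illustration; the thread only shows that both passwords are accepted.

```ruby
require 'openssl'

# Added example, not Zammad's code: a stand-in for an ActiveRecord user with
# an optional local password digest, modelling the update / update! contract
# and the avatar-fetch error (http code: 422) seen in the thread.
class LocalUser
  class RecordInvalid < StandardError; end

  SALT = 'constructed-demo-salt'.freeze # constructed; a real app stores a per-user random salt

  attr_reader :login, :password_digest, :errors
  attr_accessor :avatar_fetch_fails

  def initialize(login:, password:, avatar_fetch_fails: false)
    @login = login
    @password_digest = password.nil? ? nil : self.class.digest(password)
    @avatar_fetch_fails = avatar_fetch_fails
    @errors = []
  end

  # Like ActiveRecord#update: runs validations, returns false and leaves the
  # record unchanged when they fail. A caller that ignores the return value
  # never notices that nothing was saved.
  def update(password:)
    @errors = []
    @errors << "Can't fetch image for #{@login} (http code: 422)" if @avatar_fetch_fails
    return false unless @errors.empty?

    @password_digest = password.nil? ? nil : self.class.digest(password)
    true
  end

  # Like ActiveRecord#update!: same validations, but failure raises.
  def update!(password:)
    raise RecordInvalid, @errors.join(', ') unless update(password: password)

    true
  end

  def self.digest(password)
    OpenSSL::PKCS5.pbkdf2_hmac(password, SALT, 20_000, 32, OpenSSL::Digest.new('SHA256')).unpack1('H*')
  end

  # Constant-time comparison; a nil digest means "no local password at all".
  def local_password_valid?(password)
    return false if @password_digest.nil?

    candidate = self.class.digest(password)
    return false unless candidate.bytesize == @password_digest.bytesize

    candidate.bytes.zip(@password_digest.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

# Constructed LDAP stand-in: login => password. Real Zammad performs a live bind.
class FakeLdap
  def initialize(accounts)
    @accounts = accounts
  end

  def bind?(login, password)
    @accounts.key?(login) && @accounts[login] == password
  end
end

# Assumed order (not stated in the thread): local digest first, then LDAP.
# Either way both credentials are accepted while a local digest exists.
def authenticate(user, ldap, password)
  return :local if user.local_password_valid?(password)
  return :ldap if ldap.bind?(user.login, password)

  nil
end

# Walks through the thread: both passwords work, update silently fails while
# the avatar error is present, update! raises, and only after the error is
# gone does clearing the digest actually lock out the old password.
def run_demo
  ldap = FakeLdap.new('john.doe' => 'ldap-secret')
  user = LocalUser.new(login: 'john.doe', password: 'initial-secret', avatar_fetch_fails: true)

  before = [authenticate(user, ldap, 'initial-secret'), authenticate(user, ldap, 'ldap-secret')]
  update_returned = user.update(password: nil) # false: digest still set
  update_bang_raised = begin
    user.update!(password: nil)
    false
  rescue LocalUser::RecordInvalid
    true
  end

  user.avatar_fetch_fails = false # the poster deleted the avatar
  user.update!(password: nil)
  after = [authenticate(user, ldap, 'initial-secret'), authenticate(user, ldap, 'ldap-secret')]

  { before: before, update_returned: update_returned, update_bang_raised: update_bang_raised,
    digest_cleared: user.password_digest.nil?, after: after }
end

puts run_demo.inspect if $PROGRAM_NAME == __FILE__
```

The practical check after any such console change is the same as in this model: confirm the stored password attribute is actually empty after the call, then try the old credential against a login. If the old password still works with the digest cleared, as the later posts report, the acceptance is happening outside the local password check and is a bug to report rather than a console mistake.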

Thanks for the quick answer. The Zammad password is now set to "not set". This is what "update!(password: nil)" should do, isn't it? And this may fix my issue, but the initial password is still valid and working after executing it. Here is the command and the output:

[screenshot zammad02: rails console command and output, not included]

Yep, you're right.
Removing the password doesn't work in my Zammad 4.1 either any more.

Could you please create a bug report at https://github/zammad/zammad and reference this thread?
Thanks!