LDAP vs. local PWD confusion

tilllt · January 21, 2021, 12:58pm

I am running a zammad instance with LDAP login.
I was not aware of the possible implications of leaving “forgot password” enabled when you are using LDAP. So precisely the case that is mentioned here, happened:

https://admin-docs.zammad.org/en/latest/settings/security.html

A user used the forgot password functionality, thus created a local DB pwd and overrid her LDAP password, and then forgot the locally created one. Now that I know, I will of course disable the"forgot password" feature, but also I want to delete the users local pwd to go back to full LDAP authentication.

How do I do that?
I assume I have to purge the local password somehow from the console?

Thanks

rsysadmin · January 21, 2021, 3:42pm

Hi @tilllt

perhaps having the user changing his/her password on LDAP first and then doing an LDAP-sync with Zammad would be an easier path…

My 2 cents.

Martin

tilllt · January 21, 2021, 3:46pm

Sure. But as i understand the matter:

local pwd always overrules ldap password
once set locally, changing it in ldap will not “delete” the local password, even after sync they will co-exist

so i have to get rid of the local password somehow. thats my question, i have no idea how to purge the local password.

tilllt · January 21, 2021, 3:48pm

BTW, the user changed password on LDAP and can use any service that relies on LDAP auth fine. Only zammad insists on the local password now.

rsysadmin · January 21, 2021, 3:56pm

if that is the case, then yes… the console is your friend.
Unfortunately, I do not know the answer in that case.

If you find it, please keep us posted

Best,
Martin

MrGeneration · February 9, 2021, 9:55am

Above statements regarding the password are not entirely true, let me correct that:
Local password and LDAP password life side by side and technically work both.
Zammad does not prefer either one.

Use below command with care, it removes ALL password entries. It does not differ between agent, admin or customer. This is a technical dangerous command. That’s the part you’ll be doing a backup or snapshot before.

Dangerzone, I absolutely read and understood above and still want to remove all password entries

# within a rails console (zammad run rails c)
User.where.not(password: nil).find_in_batches do |batch|
   batch.each do |user|
      user.update_columns(password: nil)    # not official supported, no support will be provided
      user.touch
   end
end

system · June 9, 2021, 9:55am

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.