LDAP vs. local PWD confusion

I am running a zammad instance with LDAP login.
I was not aware of the possible implications of leaving “forgot password” enabled when you are using LDAP. So precisely the case that is mentioned here happened:

https://admin-docs.zammad.org/en/latest/settings/security.html

A user used the forgot password functionality, thus created a local DB pwd and overrode her LDAP password, and then forgot the locally created one. Now that I know, I will of course disable the "forgot password" feature, but I also want to delete the user's local pwd to go back to full LDAP authentication.

How do I do that?
I assume I have to purge the local password somehow from the console?

Thanks

Hi @tilllt

Perhaps having the user change his/her password on LDAP first and then doing an LDAP sync with Zammad would be an easier path…

My 2 cents.

Martin

Sure. But as I understand the matter:

  • the local pwd always overrules the LDAP password
  • once set locally, changing it in LDAP will not “delete” the local password; even after a sync they will co-exist

So I have to get rid of the local password somehow. That's my question: I have no idea how to purge the local password.

BTW, the user changed the password on LDAP and can use any service that relies on LDAP auth fine. Only Zammad insists on the local password now.

If that is the case, then yes… the console is your friend.
Unfortunately, I do not know the answer in that case.

If you find it, please keep us posted :slight_smile:

Best,
Martin

The above statements regarding the password are not entirely true, let me correct that:
Local password and LDAP password live side by side and technically both work.
Zammad does not prefer either one.

Use the command below with care: it removes ALL password entries. It does not differentiate between agent, admin or customer. This is a technically dangerous command. That’s the part where you’ll be doing a backup or snapshot beforehand. :wink:

Dangerzone, I absolutely read and understood above and still want to remove all password entries
# within a rails console (zammad run rails c)
User.where.not(password: nil).find_in_batches do |batch|
  batch.each do |user|
    user.update_columns(password: nil)    # not officially supported, no support will be provided
    user.touch
  end
end
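The command above wipes every local password. For the situation in the first post, where exactly one user has a local password that should go away, a narrower variant is useful: list which users carry a local password, then clear only the named one, with a dry run first. This is an added example, not code from the thread or from Zammad. The two methods take the scope as a parameter so they can be pasted into the Zammad rails console and called with the real `User` model (`local_password_logins(User)`, `clear_local_password!(User, 'jdoe', dry_run: false)`); the `FakeUser`/`FakeScope` classes and the sample users are constructed stand-ins that implement the same ActiveRecord calls so the script also runs stand-alone. The `login` attribute is assumed to be the user's login name as in Zammad.

```ruby
# Users that currently carry a local (DB) password, by login.
# Same query as the thread's command, but read-only.
def local_password_logins(scope)
  scope.where.not(password: nil).map(&:login)
end

# Clear the local password of exactly ONE user, identified by login.
# Returns true when a password was (or would be) removed, false when the user
# had none, and raises when the login is unknown so a typo cannot silently
# touch the wrong record. dry_run defaults to true on purpose.
def clear_local_password!(scope, login, dry_run: true)
  user = scope.find_by(login: login)
  raise ArgumentError, "no user with login #{login.inspect}" if user.nil?
  return false if user.password.nil?

  unless dry_run
    user.update_columns(password: nil) # bypasses validations, as in the thread's command
    user.touch                          # bump updated_at so caches notice the change
  end
  true
end

# ---- constructed stand-ins so the script runs outside a Zammad console ----

# Mimics the three User methods used above: [], update_columns, touch.
FakeUser = Struct.new(:login, :password, :updated_at) do
  def update_columns(attrs)
    attrs.each { |k, v| self[k] = v }
  end

  def touch
    self.updated_at = Time.now
  end
end

# Mimics the ActiveRecord relation calls used above: where.not(...) and find_by(...).
class FakeScope
  def initialize(users)
    @users = users
  end

  def where
    self
  end

  def not(cond)
    @users.reject { |u| cond.all? { |k, v| u[k] == v } }
  end

  def find_by(cond)
    @users.find { |u| cond.all? { |k, v| u[k] == v } }
  end
end

# Constructed sample data: alice is LDAP-only, bob used "forgot password" and
# therefore has a local hash (placeholder value, not a real bcrypt hash).
def sample_scope
  FakeScope.new([
    FakeUser.new('alice', nil, nil),
    FakeUser.new('bob', 'constructed-placeholder-hash', nil)
  ])
end

# Walk through the whole procedure on the sample data and return the logins
# that still have a local password afterwards (expected: none).
def demo
  scope = sample_scope
  clear_local_password!(scope, 'bob')                  # dry run: reports, changes nothing
  clear_local_password!(scope, 'bob', dry_run: false)  # real run: clears bob only
  local_password_logins(scope)
end

puts "users with a local password after cleanup: #{demo.inspect}" if $PROGRAM_NAME == __FILE__
```

In the console, run `local_password_logins(User)` first and keep the output; after the real run it should list one login fewer, and nothing else should have changed. Take the same backup or snapshot the thread recommends before the non-dry run.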