Make it possible to disable builtin authentication #19964
Comments
Yea, by default Grafana checks LDAP first, then the local DB, so you can mix. And in the case you have a user that was created before you switched to LDAP where the username is the same, you will be able to log in with both. Think we should by default disable local password logins when LDAP is enabled.
Related to #6606? Invites will create basic auth accounts which is confusing when basic auth login is completely disabled.
This is not about disabling basic.auth but about disabling Grafana's built-in login solution. It should be possible to disable that and only use OAuth, LDAP or anonymous login.
I am marking this as a Hacktoberfest issue, as it seems nice to have and beginner friendly.
Is this issue still pending? I see an open MR added a year ago. I am thinking of making some contributions and this seems like a good issue to dive into the code.
Hi! Is this issue still open? Will try to reproduce it, and if it's still happening, will try to tackle it as my first contribution.
@leandro-deveikis or others: yes, this is still open and you're very welcome to tackle it. There was a PR open targeting to close this, but I just closed it due to this comment. I think my comment explains what we would like to see to be able to accept and merge this.
Hey all, kind ping for #46978, was reopened and awaits review 😀
How? @bergquist
What happened: Our Grafana instance was using local authentication (auth.basic). I switched it over to use LDAP (and disable auth.basic). After the change I can successfully log in using the LDAP password. I also notice that in the user list, my username is now showing an ldap badge. I then tried to log in using my old password, which to my surprise was still working.
What you expected to happen: When activating LDAP (and disabling basic authentication), I would expect the old password to be no longer usable, only the LDAP password should be usable.
Keeping these 'old' passwords active is a security risk as the user is not able to update them (the password change functionality is automatically disabled when LDAP is enabled) and there are now two passwords which will both give access to the account.
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
Environment:
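The condition reported above, an externally managed account that still holds a usable local password, can be audited for. The following is an added example, not Grafana code and not code from this issue; it runs against a constructed in-memory SQLite database, and the table names, column names and `auth_module` values are assumptions made for the example rather than a verified Grafana schema.

```python
import sqlite3

# Simplified, constructed stand-in for a user database. All names below are
# assumptions for this example; compare them with your own instance's schema.
SCHEMA = """
CREATE TABLE "user" (id INTEGER PRIMARY KEY, login TEXT, password TEXT);
CREATE TABLE user_auth (user_id INTEGER, auth_module TEXT);
"""

# Constructed sample rows (the password values are placeholders, not hashes).
SAMPLE_USERS = [
    (1, "alice", "constructed-hash-1"),  # local account, later linked to LDAP
    (2, "bob", ""),                      # linked to LDAP, local hash cleared
    (3, "carol", "constructed-hash-3"),  # local-only account, no external link
    (4, "dave", None),                   # created through LDAP, never had a hash
    (5, "erin", "constructed-hash-5"),   # local account, later linked to OAuth
]
SAMPLE_AUTH = [(1, "ldap"), (2, "ldap"), (4, "ldap"), (5, "oauth_github")]


def build_sample_db():
    """Create the constructed in-memory database used by this example."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany('INSERT INTO "user" VALUES (?, ?, ?)', SAMPLE_USERS)
    db.executemany("INSERT INTO user_auth VALUES (?, ?)", SAMPLE_AUTH)
    return db


def stale_local_passwords(db, external_modules=("ldap",)):
    """Logins tied to an external auth module that still have a local hash."""
    marks = ",".join("?" for _ in external_modules)
    rows = db.execute(
        f"""SELECT DISTINCT u.login FROM "user" u
            JOIN user_auth a ON a.user_id = u.id
            WHERE a.auth_module IN ({marks})
              AND u.password IS NOT NULL AND u.password <> ''
            ORDER BY u.login""",
        tuple(external_modules),
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    for login in stale_local_passwords(build_sample_db()):
        print("local password still set for externally managed user:", login)
```

Accounts the audit reports are the ones with two working credentials; local-only accounts such as a break-glass admin are intentionally left out of the result.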