Suppress authentik password cache for LDAP sources

[septatrix]

Is your feature request related to a problem? Please describe.
Some users have strict requirements where and how password are stored.
For LDAP sources (not sure about other external sources) Authentik however writes the passwords in its own (hashed) format back to internal tables. This potentially reduced password security and in the case that always binding to LDAP is enabled also does not offer any performance benefits regardless.

Describe the solution you'd like
An option to suppress writing the password to authentik tables for external sources (LDAP).

Describe alternatives you've considered
Because we liked authentik so far during an internal testing phase I currently consider adding a Postgres trigger to prevent any writebacks to the password column of the user table (except for the akadmin user). This is obviously fragile, hacky, and is not possible for setups with both local and external users.

Additional context
Discord discussion

[sumpfralle]

This is also an issue at our setup.

We work around this with a cron job, which discards LDAP-based passwords periodically:

#!/bin/sh
#
# Remove the internally stored LDAP passwords from the authentik database.
# This forces authentik to execute an LDAP bind for the next login of these users.
#
# Execute this script periodically in order to work around synchronisation issues
# (e.g. password changes in the LDAP directory).
#
# Maybe you need to set the environment variable "AUTHENTIK_SOURCE_NAME"
# according to your authentik setup.
#
# See https://github.com/goauthentik/authentik/issues/6122
#

set -eu


DOCKER_POSTGRESQL_CONTAINER_NAME="${DOCKER_POSTGRESQL_CONTAINER_NAME:-authentik_postgresql_1}"
AUTHENTIK_SOURCE_NAME="${AUTHENTIK_SOURCE_NAME:-goauthentik.io/sources/ldap}"


# Variables are resolved in the context of the container's shell (the docker compose environment
# variables are available there).
# The `--quiet` parameter is intentionally not used for `psql` in order to get feedback. You should
# use `chronic` or similar tools to suppress this output in a cron job.
docker exec -i "$DOCKER_POSTGRESQL_CONTAINER_NAME" /bin/sh <<EOF
  psql --dbname "\$POSTGRES_DB" --username "\$POSTGRES_USER" <<EOFPSQL
    update authentik_core_user set password = '' where password != '' and path = '$AUTHENTIK_SOURCE_NAME' and type = 'internal';
EOFPSQL
EOF

Running this script periodically (e.g. every few minutes via cron) forces Authentik to use a fresh LDAP bind for (almost) every login of LDAP users.

Of course, this is fragile and hacky.
Thus, it would be great, if Authentik could be configured to stop caching LDAP passwords.

[septatrix]

My ideal of using a trigger does not seem to work sadly

CREATE OR REPLACE FUNCTION discard_ldap_password() RETURNS TRIGGER AS $$
BEGIN
    IF NEW.path == 'goauthentik.io/sources/cdedb-ldap' THEN
        NEW.password = ''
    END IF;
    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER prevent_password_caching
    BEFORE UPDATE OR INSERT
    ON authentik_core_user
    FOR EACH ROW
    EXECUTE PROCEDURE discard_ldap_password();

Maybe someone sees an issue with this but I do not expect this to a something wrong with the trigger. It works as expected and the password from users under the goauthentik.io/sources/cdedb-ldap path are never saved to the DB. For some reason however this breaks login which I do not understand as that would mean that authentik reads the password twice or something equally weird and unintuitive...?!

[sumpfralle]

It works as expected and the password from users under the goauthentik.io/sources/cdedb-ldap path are never saved to the DB. For some reason however this breaks login which I do not understand as that would mean that authentik reads the password twice or something equally weird and unintuitive...?!

I could imagine, that authentik uses some kind of database caching, which would be unaware of your trigger post-processing. Thus, logins would be rejected based on the cached value.
(assuming the cached value differs from the password stored in the LDAP directory)

Maybe restart authentik (and redis - just for ensuring a reset of the cache storage) in order to sync the possible cache with your LDAP-based reality?

[septatrix]

This effectively reverts 50172e5 which does not contain any reasoning for the change (nor is part of a PR).
What was your motivation for this change back then @BeryJu?

[BeryJu]

This effectively reverts 50172e5 which does not contain any reasoning for the change (nor is part of a PR). What was your motivation for this change back then @BeryJu?

If I remember correctly the reason for that change back then is to reduce the coupling (and basically allow authentik (or as it was called back then, passbook) logins when LDAP was unavailable