Prevent Username/Email Change by users

nj

Is there a way to prevent normal Cloudron users from changing their username and email? That's because Gitlab, for instance, recommends against using LDAP authentication if the LDAP server supports changing username/email because that can lead to account takeover.

Is there any way to achieve this, or is there a possibility to add this feature in the admin panel?

murgero

@nj If gitlab is the issue here as seen in your example, just use gitlab without ldap by enabling app-authentication in the settings.

nebulon

The username cannot be changed on Cloudron. The user's profile email however can be, but the apps which integrated with LDAP are using the username as the identifier to bind profiles.

girish

All apps (except wikijs iirc) use username as LDAP identifier and the username in Cloudron cannot be changed for the same security reasons that GitLab mentions.

That said, I think it is a good idea to not allow changing email as well (optionally). I have opened https://git.cloudron.io/cloudron/box/-/issues/704

nj

@murgero thanks for the hint, but I'm afraid, I need to authenticate through LDAP only.

girish

We have scheduled this for next release 6.0

girish

This is implemented in 5.4