Add grafana.ini parameter to disable "Forgot your password?" link
#113075 opened on Oct 28, 2025
Description
Bug Report / Feature Request: "Forgot your password?" link visible with mixed authentication (Basic Auth + LDAP)
What happened?
I have Grafana configured with both Basic Authentication and LDAP:
- Admin account: Uses basic authentication (local Grafana account)
- Regular users: Use LDAP authentication
The "Forgot your password?" link is visible on the login page for all users, including LDAP users who should not be able to reset their passwords through Grafana (since their passwords are managed by LDAP).
What did you expect to happen?
The "Forgot your password?" link should either:
- Be hidden entirely when LDAP is enabled (even if basic auth is also enabled for some accounts), OR
- Be configurable via a parameter in grafana.ini to allow administrators to disable it
Proposed configuration (if option 2):
[auth]
disable_forgot_password = false # default - show the link
disable_forgot_password = true # hide the link
Why is this a problem?
When using mixed authentication (Basic Auth + LDAP), the "Forgot your password?" link creates serious issues:
- User Confusion: LDAP users see the "Forgot your password?" link and attempt to use it, not realizing their authentication is managed externally
- Account Conflicts: When LDAP users try to reset their password, it interferes with their LDAP-managed accounts, potentially causing:
- Authentication failures
- Account lockouts
- Confusion about which password to use (LDAP vs Grafana)
- Failed Password Resets: LDAP users cannot actually reset their passwords through Grafana since they're managed by LDAP, leading to failed password reset attempts
- Support Overhead: IT staff must repeatedly explain to LDAP users why the password reset feature doesn't work for them
My Configuration
grafana.ini:
[auth.ldap]
enabled = true
allow_sign_up = true
config_file = /etc/grafana/ldap.toml
[auth.basic]
enabled = true # Required for admin account to work
Use case:
- I have ONE admin account using basic/local authentication
- ALL other users authenticate via LDAP
- The "Forgot password" link is visible to everyone, even though it only works for the admin account
Current Behavior
With the current setup:
- ✅ Admin can log in with local credentials
- ✅ LDAP users can log in with LDAP credentials
- ❌ "Forgot your password?" link is visible to ALL users
- ❌ LDAP users click the link and get confused/errors
- ❌ No way to hide the link while keeping both auth methods active
How to reproduce
- Enable both basic auth and LDAP in grafana.ini:
[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
[auth.basic]
enabled = true
- Configure LDAP with a working LDAP server (ldap.toml)
- Keep the admin account as a local/basic auth user
- Navigate to the Grafana login page
- Observe: "Forgot your password?" link is visible
- Try to use "Forgot password" as an LDAP user → fails or creates problems
Expected Behavior
Option 1 (Automatic): When LDAP is enabled, the "Forgot your password?" link should be hidden, regardless of whether basic auth is also enabled.
Option 2 (Configurable - PREFERRED): Add a configuration option to manually control the visibility of the "Forgot your password?" link:
[auth]
disable_forgot_password = true
This would allow administrators to:
- Hide the link when using LDAP (even with mixed auth)
- Hide the link when using other external auth (OAuth, SAML, etc.)
- Keep it visible if desired (for backwards compatibility)
Who is this feature for?
This feature is primarily for:
- System administrators managing Grafana instances with external authentication (LDAP, AD, OAuth, SAML)
- Organizations that want to eliminate confusion around password management
- Security teams that need to enforce centralized authentication without user-facing password reset options
Additional context
Related Issues:
- Issue #76046 - "Login form: forgot password link not hidden when using LDAP" (Closed - Fixed by PR #79895)
- Note: This fix only hides the link when LDAP is the ONLY authentication method
- My issue: The link still appears when using BOTH basic auth AND LDAP
- Issue #3670 - "Ability to disable forgot your password" (Closed in 2016)
- Issue #17443 - "Clean way to remove 'Forgot your password?' link on start page"
Why the existing fix (PR #79895) doesn't solve my problem:
PR #79895 fixed the issue for setups using ONLY LDAP authentication. However, it doesn't work for mixed authentication scenarios where:
- Basic auth is enabled (for admin account)
- LDAP is enabled (for regular users)
- Both need to coexist
In this case, Grafana detects that basic auth is enabled and shows the "Forgot password" link, even though 99% of users are LDAP users who shouldn't see it.
Current Workaround:
The only current workaround is to manually edit the HTML template files, which:
- Is not a clean solution
- Gets overwritten on every Grafana upgrade
- Requires file system access
- Is not officially supported
Similar existing functionality:
Grafana already has similar patterns:
- disable_login_form - hides the entire login form when using OAuth/SSO
- Password change UI is already disabled when LDAP/auth proxy is active
This feature would follow the same pattern by giving administrators control over whether the password reset link appears.
Expected behavior
When disable_forgot_password = true in grafana.ini:
- The "Forgot your password?" link should not be visible on the login page
- The password reset endpoint should still be accessible (for backward compatibility) but not advertised
- No other login functionality should be affected
Environment
- Authentication setup: Mixed (Basic Auth + LDAP)
- Basic auth: Enabled (for admin account)
- LDAP: Enabled (for all regular users)
- Problem: "Forgot password" link visible to all users, including LDAP users
- Grafana version: All versions (this is a feature gap)
Is this a bug or feature request?
This could be treated as either:
- Bug: The "Forgot password" link should be hidden when LDAP is enabled, even if basic auth is also enabled (since PR #79895 was supposed to fix this, but doesn't work for mixed auth scenarios)
- Feature Request: Add a configuration option disable_forgot_password to give administrators manual control over the link visibility
I believe option 2 (feature request) is the better approach, as it:
- Gives administrators full control
- Works for any authentication scenario (LDAP, OAuth, SAML, etc.)
- Provides backward compatibility
- Follows the same pattern as disable_login_form
Note: This is a quality-of-life improvement for administrators managing Grafana with external authentication systems. It would reduce user confusion and support ticket volume related to password management.
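The visibility decision this issue describes, as an added example (not part of the original report and not Grafana's code): it parses a grafana.ini and reports whether the link would be shown, following the reporter's account of PR #79895 and the proposed key. The helper names, the constructed sample file, and the defaults used for absent keys are assumptions; disable_forgot_password is the key proposed here, not an existing setting.

```python
import configparser

# Constructed sample mirroring the mixed-auth grafana.ini quoted in the issue.
MIXED_INI = """
[auth.ldap]
enabled = true
allow_sign_up = true
config_file = /etc/grafana/ldap.toml

[auth.basic]
enabled = true  # Required for admin account to work
"""

def load(text):
    # Inline "#"/";" comments are stripped, as in the issue's snippets.
    cp = configparser.ConfigParser(interpolation=None,
                                   inline_comment_prefixes=("#", ";"))
    cp.read_string(text)
    return cp

def forgot_link_state(cp):
    """Return (visible, reason) following the issue's description."""
    def flag(section, key, default):
        return cp.getboolean(section, key, fallback=default)

    # Defaults here are assumptions for keys absent from the file.
    basic = flag("auth.basic", "enabled", True)
    ldap = flag("auth.ldap", "enabled", False)
    no_form = flag("auth", "disable_login_form", False)
    # Proposed in this issue; not an existing Grafana setting.
    proposed = flag("auth", "disable_forgot_password", False)

    if no_form:
        return (False, "login form disabled")
    if proposed:
        return (False, "proposed disable_forgot_password = true")
    if ldap and not basic:
        return (False, "LDAP is the only method (PR #79895)")
    if ldap and basic:
        return (True, "mixed basic auth + LDAP: the reported gap")
    return (True, "local accounts only")

if __name__ == "__main__":
    for name, text in [
        ("mixed (as reported)", MIXED_INI),
        ("mixed + proposed key", "[auth]\ndisable_forgot_password = true\n" + MIXED_INI),
    ]:
        print(name, "->", forgot_link_state(load(text)))
```

This models link visibility only. The issue asks that the reset endpoint stay reachable, so the proposed key changes what the login page advertises rather than acting as an access control.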