Ability to disable the fallback of authentication to local passwords when LDAP (and likely all external auth) is unavailable #16291
Labels: status: duplicate (This issue has already been raised); type: feature (Introduction of new functionality to the application)
NetBox version
4.0.2
Feature type
Change to existing functionality
Proposed functionality
Currently our netbox install is set up as follows:
LDAP authentication backend to a proxy server that injects 2FA for additional security.
I performed the following test:
1. Logged into netbox as a user with permissions to modify accounts.
2. Used the built-in password change function to set a given user's password to "test".
3. Logged into the account with the "test" password (was not prompted for 2FA as I was not using external auth).
4. The user then logged in with their AD password and was prompted for 2FA.
5. Attempted to log in again with the "test" password and it was still viable.
This tells me that even when LDAP auth is available, the local password on the account is a valid login option, so in the event that a bad actor ever gets access to a logged-in session of a user with permissions to edit accounts, they could create a back door with no traceability.
I would therefore like to propose one of the following:
- Logging into a netbox account via external auth automatically regenerates the built-in account password on successful login.
- Capability to disable this fallback behaviour so that if LDAP/external auth is unavailable (or even if it is available) auth does not try to use local credentials at all (fail closed - requires additional consideration / a local service account for disaster recovery).
- Logging into a netbox account via external auth caches a hash of the password used to log in as the local password, to allow users to log in with the "last good password" in the event auth servers are down, but again I would want this configurable as it still bypasses 2FA in our use case.
Extra request:
Improve reporting functionality on password changes: an email is automatically sent to the user if their password is ever changed.
Use case
Having this be a configurable feature would be ideal to allow additional control over security while still leaving the default behaviour the same, in case certain netbox implementations rely on this for backup purposes (personally, I would like to leverage a specific built-in service account with appropriate login reporting for this purpose, but having options seems preferable for different use cases).
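The fail-closed variant of the second proposal, combined with the designated local service account from the use case, modelled as an added example: this is hypothetical Python simulating a Django-style backend chain and is not NetBox's own code; the backend classes, the account names and the passwords are constructed for illustration.

```python
import hashlib
import hmac

SALT = b"constructed-static-salt"  # constructed; a real store uses a per-user random salt
BREAK_GLASS_ACCOUNTS = {"breakglass"}  # the only accounts allowed to use a local password
AUDIT_LOG = []  # every local-password attempt and every external outage is recorded here


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed local account table mirroring the issue: an admin has set alice's
# local password to "test"; breakglass is the designated recovery account.
LOCAL_USERS = {"alice": hash_password("test"), "breakglass": hash_password("recovery-only")}
# Constructed stand-in for the directory behind the LDAP/2FA proxy.
EXTERNAL_DIRECTORY = {"alice": "ad-secret"}


class ExternalBackend:
    """Stand-in for the LDAP/2FA proxy backend; raises when the server is unreachable."""
    def __init__(self, available: bool = True):
        self.available = available

    def authenticate(self, username: str, password: str) -> bool:
        if not self.available:
            raise ConnectionError("external auth unavailable")
        return EXTERNAL_DIRECTORY.get(username) == password


class LocalBackend:
    """Local-password backend that only honours designated break-glass accounts."""
    def authenticate(self, username: str, password: str) -> bool:
        if username not in BREAK_GLASS_ACCOUNTS:
            return False  # fail closed: ordinary users never fall back to a local password
        stored = LOCAL_USERS.get(username)
        ok = stored is not None and hmac.compare_digest(stored, hash_password(password))
        AUDIT_LOG.append(("break-glass login", username, ok))
        return ok


def build_chain(external_available: bool = True) -> list:
    return [ExternalBackend(external_available), LocalBackend()]


def authenticate(backends: list, username: str, password: str) -> bool:
    """Try backends in order (like AUTHENTICATION_BACKENDS); an outage is logged and skipped."""
    for backend in backends:
        try:
            if backend.authenticate(username, password):
                return True
        except ConnectionError:
            AUDIT_LOG.append(("external auth unreachable", username, False))
    return False
```

With this chain the "test" password set by the admin never works for alice, whether or not the external server is reachable, while the break-glass account still works during an outage and every use of it lands in the audit log.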
Database changes
No response
External dependencies
No response