From 5fe65a7d5983b55e15eed0f1cf8d0f7d7a413ee2 Mon Sep 17 00:00:00 2001
From: Christoph Wurst <christoph@winzerhof-wurst.at>
Date: Tue, 11 Apr 2023 18:11:00 +0200
Subject: [PATCH] doc(auth): Warn about disabled token passwords and LDAP
 logout

Auth tokens store the user's login password by default. If the password
changes externally (on LDAP), all connected clients stop syncing after 5
minutes max when the password is verified the next time. A web login
revivess those app passwords.

If storing the password is disabled, the tokens continue to work after
password change. But that also means the clients are not logged out the
same way. This can be fine for some setups and problematic for others.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
---
 config/config.sample.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/config/config.sample.php b/config/config.sample.php
index 57faf8fc832a7..e254b89622d38 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -346,6 +346,10 @@
  * characters).
  *
  * By default, the passwords are stored encrypted in the database.
+ *
+ * WARNING: If disabled, password changes on the user back-end (e.g. on LDAP) no
+ * longer log connected clients out automatically. Users can still disconnect
+ * the clients by deleting the app token from the security settings.
  */
 'auth.storeCryptedPassword' => true,