diff --git a/website/docs/customize/blueprints/v1/models.mdx b/website/docs/customize/blueprints/v1/models.mdx index f6aa69e179..0ef46b5f2c 100644 --- a/website/docs/customize/blueprints/v1/models.mdx +++ b/website/docs/customize/blueprints/v1/models.mdx @@ -70,7 +70,7 @@ For example: `password` and `password_hash` are mutually exclusive; setting both on the same user causes blueprint validation to fail. -Because no raw password is available when `password_hash` is used, authentik only updates the local password verifier. This does not propagate the password to LDAP or Kerberos integrations, even when password writeback is enabled. +`password_hash` follows the [hashed-password import behavior](../../../install-config/automated-install.mdx#authentik_bootstrap_password_hash): it updates only authentik's local password verifier and does not propagate to LDAP or Kerberos integrations. ### `permissions` diff --git a/website/docs/install-config/automated-install.mdx b/website/docs/install-config/automated-install.mdx index a2dbb3a787..e31396a091 100644 --- a/website/docs/install-config/automated-install.mdx +++ b/website/docs/install-config/automated-install.mdx @@ -12,7 +12,7 @@ These can't be defined using the file-based syntax (`file://`), so you can't pas Configure the default password for the `akadmin` user using a pre-hashed Django password value. Only read on the first startup. -This stores the hash directly as authentik's local password verifier. Because authentik never sees the raw password, this does not propagate the password to LDAP or Kerberos integrations, even when password writeback is enabled. +This stores the hash directly as authentik's local password verifier. Because authentik never sees the raw password, hashed-password imports do not propagate the password to LDAP or Kerberos integrations, even when password writeback is enabled. To generate a hash, run this command before your initial deployment: 
@@ -57,7 +57,7 @@ Setting both `AUTHENTIK_BOOTSTRAP_PASSWORD` and `AUTHENTIK_BOOTSTRAP_PASSWORD_HA For post-install automation, hashed passwords can also be set via blueprints with the `password_hash` user attribute, or via the `/api/v3/core/users//set_password_hash/` API endpoint with the hash provided in the `password` field. The API endpoint requires the `authentik_core.set_user_password_hash` permission and can target regular users or service accounts. -These paths also only update authentik's local password verifier and do not propagate to LDAP or Kerberos integrations. +These paths share the same local-verifier-only behavior as `AUTHENTIK_BOOTSTRAP_PASSWORD_HASH`. ### `AUTHENTIK_BOOTSTRAP_TOKEN`
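Review bot: In the `models.mdx` hunk (`@@ -70,7 +70,7 @@`), the new `password_hash` sentence drops "even when password writeback is enabled", which is the case an operator is most likely to get wrong. The linked section still carries that caveat, but a reader who stays on the blueprints page now sees only "does not propagate to LDAP or Kerberos integrations" and may assume writeback is handled separately. Suggest keeping the writeback clause in this sentence and using the link only for the explanation of why. Please also confirm that `#authentik_bootstrap_password_hash` matches the heading id the site generates. Note too that the target section says the setting is "Only read on the first startup", which does not apply to blueprints and could mislead someone arriving from this link.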
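Review bot: In the first `automated-install.mdx` hunk (`@@ -12,7 +12,7 @@`), the added wording "hashed-password imports" is never defined, and the other paths it is meant to cover (the blueprint `password_hash` attribute and the `set_password_hash` endpoint) are not introduced until the paragraph in the `@@ -57,7 +57,7 @@` hunk. Since `models.mdx` now links to this section under the text "hashed-password import behavior", suggest adding one clause here that says what counts as a hashed-password import, so the term means the same thing on both pages.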
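Review bot: In the second `automated-install.mdx` hunk (`@@ -57,7 +57,7 @@`), the replacement sentence no longer names LDAP or Kerberos, so the paragraph documenting the `set_password_hash` endpoint and the blueprint attribute states its limitation only by reference to a section further up the page. "local-verifier-only behavior" is also a coined phrase that appears nowhere else in the visible text. Suggest keeping the explicit statement and adding the cross-reference to it, for example "These paths also update only authentik's local password verifier and do not propagate to LDAP or Kerberos integrations, as with `AUTHENTIK_BOOTSTRAP_PASSWORD_HASH`." Separately, the context line shows the endpoint as `/api/v3/core/users//set_password_hash/` with an empty path segment. Please check that the user id placeholder is present in the source and renders.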