Until now, the LDAP service has ignored any two-factor authentication activated for individual users, meaning that users could simply log in to the external system with their password (without an OTP token).
Since ChurchTools version 3.58.0, LDAP authentication takes into account an activated two-factor authentication by default.
To enable a user with activated two-factor authentication to log in to an external system with their ChurchTools access data, the user must append the generated OTP token to their password when entering it. For example:
Username: myusername
Password: mySecurePassword689305 <= the last 6 digits are the generated OTP token
If this new behavior of the LDAP service causes problems for your use case, for example because the user's password is stored on a device and cannot be re-entered at each login, there are two options:
1. You switch off two-factor authentication for the affected users. However, this reduces login security in ChurchTools: the ChurchTools logins of these users are then no longer secured by an additional second factor.
2. You switch off two-factor authentication for the LDAP service as a whole. The login to external systems then works as before with the password only (without OTP token), but the ChurchTools login itself is still secured by two-factor authentication. You can edit the two-factor authentication for the LDAP service in the system settings under Data security / Data privacy.
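
The following sketch is an added example, not ChurchTools code: it shows how a server can split a combined bind password into password and 6-digit OTP token and check both, and how the check changes when two-factor authentication is switched off for the LDAP service. It assumes the OTP is an RFC 6238 TOTP (HMAC-SHA1, 30-second step) and a PBKDF2 password hash; all function names, the salt and the secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

OTP_DIGITS = 6  # per the page: the last 6 digits of the password field are the OTP

def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (assumed algorithm, not confirmed by the page)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def split_bind_password(combined: str):
    """Return (password, otp), or None when no 6-digit suffix is present."""
    otp = combined[-OTP_DIGITS:]
    if len(combined) <= OTP_DIGITS or not (otp.isascii() and otp.isdigit()):
        return None
    return combined[:-OTP_DIGITS], otp

def check_bind(combined, pw_hash, salt, secret, now, ldap_2fa=True, window=1):
    """Verify an LDAP simple-bind password for a user who has 2FA activated."""
    if not ldap_2fa:  # 2FA switched off for the LDAP service: password only
        return hmac.compare_digest(hash_password(combined, salt), pw_hash)
    parts = split_bind_password(combined)
    if parts is None:  # a password without an OTP suffix is rejected
        return False
    password, otp = parts
    pw_ok = hmac.compare_digest(hash_password(password, salt), pw_hash)
    # Accept the current time step and `window` steps either side (clock drift).
    otp_ok = any(hmac.compare_digest(otp, totp(secret, now + i * 30))
                 for i in range(-window, window + 1))
    return pw_ok and otp_ok  # both factors are evaluated before deciding

# Constructed sample data (RFC 6238 test secret, not real credentials).
SALT = b"constructed-salt"
SECRET = b"12345678901234567890"
PW_HASH = hash_password("mySecurePassword", SALT)

if __name__ == "__main__":
    print(check_bind("mySecurePassword287082", PW_HASH, SALT, SECRET, now=59))
    print(check_bind("mySecurePassword", PW_HASH, SALT, SECRET, now=59))
```

A device that stores only the static password fails this check once the stored OTP digits expire, which is the situation the two options above address.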