Password change disabled if LDAP enabled, even if user is not LDAP user

We have a setup where LDAP is enabled and LDAP users are mapped to one org. We have other organizations, where users are manually created. However, when any user - including non-LDAP users - try to change their password from their user preferences page, they are shown a message

You cannot change password when ldap or auth proxy authentication is enabled.

Is this by design, or am I missing something? Should Grafana not keep track of which users are managed via LDAP and which are “internal” users managed by Grafana, and allow the latter to change their passwords? By the way, it does seem possible to change all user passwords from the Server Admin page (even for LDAP users…)

LDAP is ment to replace the local db passwords , not designed to be mixed

Thanks for the clarification, I suppose that makes sense for the majority of use cases.

Quick follow-up question: if we turn off LDAP authentication, would all users that were enrolled through LDAP be “lost”? Or would they remain in the local database (perhaps with passwords needing to be reset)? We’re looking to transition away from LDAP, and would like for it to be relatively painless

yes, they would remain but with no passwords

Great, thanks for the explanation! Should make transitioning relatively straightforward.