Enforce ldap login for a specific domain

hi there,

is it possible to allow both, mail login and ldap login but enforce ldap login for a specific main domain?

some of our internal users got invited and somehow created an email enabled account, but we’d like those users to use their ldap account.

is this somehow possible?


obviously those already created accounts can be migrated with mmctl - but i’d like to skip this manual process

So you want to have multiple supported authentication backends in parallel and LDAP should be enforced only for a list of specific email domains, all others should still use email/password authentication? I don’t think that this is possible, but as you already found out, you can migrate authentication for specific accounts using the mmctl user migrate_auth command afterwards and you could also script that so it runs permanently in the background and automatically migrates new user accounts to avoid the manual work per account.

Just as a sidenote:
LDAP accounts do not need to be precreated or invited, you can configure it so a specific ldap group is allowed to log in to Mattermost only and upon the first successful login of a user in the group, the account will be created and configured correctly.
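
The selection step of the background script suggested in the reply above, as an added example that is not part of the original posts: it picks out active accounts in an LDAP-enforced mail domain that still use email/password login, so that only those are handed to the migration command. It assumes the user list is available as a JSON array of user objects with the fields `username`, `email`, `auth_service` (empty for email/password accounts) and `delete_at`; the domain and the sample accounts are constructed.

```python
import json
import sys

# Constructed placeholder: mail domains whose users must authenticate via LDAP.
ENFORCED_DOMAINS = {"corp.example.com"}


def email_domain(address):
    """Return the lower-cased domain part of an address, or '' if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    return domain.lower() if sep and local and domain else ""


def needs_ldap_migration(users, domains=ENFORCED_DOMAINS):
    """List active accounts in an enforced domain still on email/password."""
    pending = []
    for user in users:
        if user.get("delete_at", 0):       # deactivated account: nothing to do
            continue
        if user.get("auth_service", ""):   # already on ldap/saml/...: skip
            continue
        # Exact domain match only, so a look-alike suffix is not selected.
        if email_domain(user.get("email", "")) in domains:
            pending.append(user.get("username", ""))
    return sorted(pending)


# Constructed sample records (assumed field names), not real accounts.
SAMPLE_USERS = [
    {"username": "alice", "email": "alice@corp.example.com", "auth_service": ""},
    {"username": "bob", "email": "Bob@CORP.EXAMPLE.COM", "auth_service": ""},
    {"username": "carol", "email": "carol@corp.example.com", "auth_service": "ldap"},
    {"username": "dave", "email": "dave@partner.example.org", "auth_service": ""},
    {"username": "erin", "email": "erin@corp.example.com", "auth_service": "",
     "delete_at": 1700000000000},
    {"username": "frank", "email": "frank@corp.example.com.partner.example.org",
     "auth_service": ""},
]

if __name__ == "__main__":
    # Read a JSON user list from stdin when piped, else use the sample above.
    users = SAMPLE_USERS if sys.stdin.isatty() else json.load(sys.stdin)
    for name in needs_ldap_migration(users):
        print(name)
```

An empty result means there is nothing to migrate on this run, which also makes the script usable as a periodic check that no new email/password accounts have appeared in the enforced domain.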