However, what we are seeing is that users who were users before the switch to LDAP authentication can log in with EITHER their old password (as it is stored in the LabKey database) OR their LDAP credentials.

This seems like a bug, because your docs state the following (from https://www.labkey.org/wiki/home/Documentation/page.view?name=configLdap ):

"LDAP Domain: Specifies the email domain that will be authenticated using LDAP. All users signing in with an email addresses from this domain will be authenticated against the LDAP server; all other email addresses will be authenticated against the logins table in the database. Leave blank to not use LDAP authentication (always use the database)."

Would you please let us know if this is a bug or not, and also suggest a way that we can force authentication to use LDAP for these users.

Thanks

Andy Straw University of Rochester