Most of our users use LDAP authentication which fills in the name and email. However, **users can later change it on their Profile but we want to prevent that** because the changed name causes chaos and confusion to other users.

**Acceptance criteria**

* Users authenticated by LDAP cannot change their name and email. Begin of the insertionTheir attributes are synced daily anyway, it doesn't make sense to allow such a change.End of the insertion
* Begin of the insertion~~ThisEnd of the insertion Begin of the deletion ThisEnd of the deletion requirement likely needs to be optional, either globally for all LDAP sources or per LDAP source (a bit more complicated but more flexible). This can be achieved even without Admin UI changes if the environment variable flag is Begin of the insertionused.~~End of the insertion Begin of the deletion used.End of the deletion

We (Evolveum) would gladly contribute this feature, I just need some feedback on what is acceptable for you. The profile page for an LDAP user could look like this (normally admin is not an LDAP user, of course, this is just a demo):
<img class="op-uc-image op-uc-image_inline" src="/api/v3/attachments/93568/content">

Begin of the insertion~~AsEnd of the insertion Begin of the deletion AsEnd of the deletion for Admin UI, there could be an option such as &quot;Read-only name and email for LDAP users&quot; either on /admin/settings/users or /admin/settings/authentication or per LDAP, e.g. Begin of the insertion/admin/ldap\_auth\_sources/1/edit~~End of the insertion Begin of the deletion /admin/ldap\_auth\_sources/1/editEnd of the deletion

Begin of the insertion~~IfEnd of the insertion Begin of the deletion IfEnd of the deletion acceptable, I&#39;d prefer that environment variable flag, but I&#39;ll let you Begin of the insertiondecide.~~End of the insertion Begin of the deletion decide.End of the deletion