From 12532ee32d5324afb6d104f48f1c60cfca80fd3f Mon Sep 17 00:00:00 2001 From: CEbbinghaus Date: Tue, 21 Jan 2025 20:45:06 +1100 Subject: [PATCH] Book: Added small section on primary cred fallback (#3365) --- book/src/accounts/account_policy.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/book/src/accounts/account_policy.md b/book/src/accounts/account_policy.md index 024006cf9..c6c5674bf 100644 --- a/book/src/accounts/account_policy.md +++ b/book/src/accounts/account_policy.md @@ -188,6 +188,23 @@ account policy for a group. For example, to set the allowlist for all persons, r kanidm group account-policy webauthn-attestation-ca-list idm_all_persons trusted-authenticators ``` +### Setting Primary Credential Fallback + +The primary credential fallback enables behavior which allows authenticating +using the primary account password when logging in via LDAP. + +If both an LDAP and primary password are specified, Kanidm will only accept the LDAP password. + +```bash +kanidm group account-policy allow-primary-cred-fallback +``` + +to disable it for a group you would run: + +```bash +kanidm group account-policy allow-primary-cred-fallback false +``` + ## Global Settings There are a small number of account policy settings that are set globally rather than on a per group
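Review bot: Both added command examples under "Setting Primary Credential Fallback" omit the group they apply to, and the enable form carries no value while the disable form passes `false`. The unchanged example just above the new section puts the group name straight after the subcommand (`kanidm group account-policy webauthn-attestation-ca-list idm_all_persons trusted-authenticators`), and the text says "to disable it for a group", so a reader copying either new line has no indication of where the group goes. Suggest writing both with a group placeholder, and an explicit enable value if the subcommand takes one, so the two examples are symmetric. Since this setting lets the primary account password be accepted on LDAP logins, the section should also state the default and say which accounts are affected when it is set on a group; the sentence "If both an LDAP and primary password are specified, Kanidm will only accept the LDAP password" covers precedence but not the default. Minor: "to disable it for a group you would run:" should start with a capital letter.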