Details

    • Steps to Reproduce:
      1. Create a new Keycloak instance
      2. Connect user federation for any MSAD LDAP directory
      3. Choose any user and disable them in LDAP, and also set a required password change for them
      4. Look in the Keycloak admin UI and notice that they are enabled, where they should in fact be disabled
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      The logic that Keycloak uses to determine whether an LDAP user is disabled seems to be incorrect. Note the method linked below. When a user is marked disabled in LDAP, and they have a pending password reset, Keycloak will incorrectly determine that they are enabled. This doesn't make sense, as they are most definitely disabled per userAccountControl.

      https://github.com/keycloak/keycloak/blob/ac71ee963357396814d3b5bf9f950758a19987a4/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/msad/MSADUserAccountControlStorageMapper.java#L222
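      As an added illustration of the state the reporter expects (this is not Keycloak's code and does not reproduce the linked MSADUserAccountControlStorageMapper; the flag values are the documented Active Directory userAccountControl bits, and the LDAP entries are constructed), the following evaluates an account's enabled and password-change state so that the ACCOUNTDISABLE bit is authoritative regardless of a pending password change:

```python
from dataclasses import dataclass

# Documented Active Directory userAccountControl flag bits.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
PASSWORD_EXPIRED = 0x800000  # reported by AD via msDS-User-Account-Control-Computed


@dataclass(frozen=True)
class AccountState:
    enabled: bool
    must_change_password: bool


def parse_uac(attrs: dict) -> int:
    """userAccountControl arrives from LDAP as a decimal string; a missing
    value is treated as a plain NORMAL_ACCOUNT (the AD default)."""
    raw = attrs.get("userAccountControl")
    return int(raw) if raw is not None else NORMAL_ACCOUNT


def account_state(attrs: dict) -> AccountState:
    """Derive enabled / must-change-password from an LDAP entry.

    "User must change password at next logon" is stored in AD as
    pwdLastSet = 0; the PASSWORD_EXPIRED bit is the computed equivalent.
    Neither condition may override the disable bit: a disabled user with a
    pending password change stays disabled (the case in this report).
    """
    uac = parse_uac(attrs)
    pwd_last_set = int(attrs.get("pwdLastSet", "1"))
    must_change = bool(uac & PASSWORD_EXPIRED) or pwd_last_set == 0
    enabled = not (uac & ACCOUNTDISABLE)
    return AccountState(enabled=enabled, must_change_password=must_change)


# Constructed sample entries (values as an LDAP client would receive them).
SAMPLE_ENTRIES = {
    "alice": {"userAccountControl": "512", "pwdLastSet": "133500000000000000"},
    "bob": {"userAccountControl": "514", "pwdLastSet": "133500000000000000"},
    "carol": {"userAccountControl": "512", "pwdLastSet": "0"},
    # Disabled AND required to change password: must still be disabled.
    "dave": {"userAccountControl": "514", "pwdLastSet": "0"},
    "erin": {"userAccountControl": str(NORMAL_ACCOUNT | PASSWORD_EXPIRED)},
}


def evaluate_all(entries: dict) -> dict:
    """Map each sample user to its derived AccountState."""
    return {name: account_state(attrs) for name, attrs in entries.items()}


if __name__ == "__main__":
    for name, state in evaluate_all(SAMPLE_ENTRIES).items():
        print(f"{name:6} enabled={state.enabled!s:5} must_change_password={state.must_change_password}")
```

The point of the check is ordering: the disable bit is read first and the password-change condition only adds a flag on top of it, so an administrator disabling an account cannot be undone by the account also being in a "must change password" state.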

                People

                • Assignee:
                  Unassigned
                  Reporter:
                  lounsbrough David Lounsbrough
                • Votes:
                  0
                  Watchers:
                  2
