
Enabling/Disabling user does not work with Microsoft AD LDAP via Admin API/UI [GHI#31456]


      Before reporting an issue

      [X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      ldap

      Describe the bug

      When using the Microsoft Active Directory LDAP backend (vendor "ad"), a default LDAP mapper named "MSAD Account Controls" (providerId `msad-user-account-control-mapper`) is pre-configured. This mapper is what translates the Keycloak "enabled" flag to and from the AD `userAccountControl` attribute, so it is the component involved in this bug.

      !image

      Now, if the user is disabled in LDAP (ACCOUNTDISABLE bit set in `userAccountControl`), enabling the user through the Admin Console or the Admin REST API simply does not work: `userAccountControl` is never modified in LDAP, yet the UI reports "The user has been saved". The save is a silent no-op — the administrator receives a success response while the account state in AD is unchanged, so there is no indication that the requested state change did not take effect.

      !image

      Additionally, if creation of users in LDAP is enabled (WRITABLE edit mode with `syncRegistrations` on), the user is created by default with `userAccountControl` = 546 (0x222), which, according to the online decoder at https://www.techjutsu.ca/uac-decoder, decodes to NORMAL_ACCOUNT (0x0200) | PASSWD_NOTREQD (0x0020) | ACCOUNTDISABLE (0x0002). In other words the new account is disabled and, unless PASSWD_NOTREQD is cleared when a password is set, AD will not require a password for it — which is worth keeping in mind if the enable step is attempted by other means.

      !image

      Version

      25.0.2

      Regression

      [ ] The issue is a regression

      Expected behavior

      I am able to enable a user that is already disabled in LDAP, enable a newly created user, or create a user that is enabled from the start — and in each case the change is actually written to `userAccountControl` in AD before the Admin UI/API reports success.

      Actual behavior

      I cannot enable newly created users or users that were disabled in LDAP; the Admin UI/API reports success but `userAccountControl` in AD is left unchanged.

      How to Reproduce?

      I am providing a partial export of the LDAP user-federation component (bind credential, hostnames and DNs redacted):

      ```
      {
      "realm": "primary",
      "components":

      {

      "org.keycloak.storage.UserStorageProvider": [
      {
      "id": "3d9e47d1-5cd5-4df4-a4ea-3cdab797fb4f",
      "name": "AD LDAP",
      "providerId": "ldap",
      "subComponents": {
      "org.keycloak.storage.ldap.mappers.LDAPStorageMapper": [
      {
      "id": "2957f424-b4a1-4ff9-a070-55b64f91e963",
      "name": "MSAD account controls",
      "providerId": "msad-user-account-control-mapper",
      "subComponents": {},
      "config":

      { "always.read.enabled.value.from.ldap": [ "true" ] }

      },
      {
      "id": "0e0a7c5f-de2f-4aa3-96b3-41905862d4f1",
      "name": "sAMAccountName",
      "providerId": "user-attribute-ldap-mapper",
      "subComponents": {},
      "config":

      { "ldap.attribute": [ "sAMAccountName" ], "attribute.force.default": [ "false" ], "is.mandatory.in.ldap": [ "true" ], "is.binary.attribute": [ "false" ], "read.only": [ "true" ], "always.read.value.from.ldap": [ "true" ], "user.model.attribute": [ "username" ] }

      },
      {
      "id": "30bac14e-cfe7-44c7-8ceb-f183be54a9ae",
      "name": "first name",
      "providerId": "user-attribute-ldap-mapper",
      "subComponents": {},
      "config":

      { "ldap.attribute": [ "givenName" ], "attribute.force.default": [ "false" ], "is.mandatory.in.ldap": [ "false" ], "is.binary.attribute": [ "false" ], "read.only": [ "false" ], "always.read.value.from.ldap": [ "true" ], "user.model.attribute": [ "firstName" ] }

      },
      {
      "id": "b9840a5e-5283-46b9-ad62-0c75f5fa1a21",
      "name": "accountExpires",
      "providerId": "hardcoded-ldap-attribute-mapper",
      "subComponents": {},
      "config":

      { "ldap.attribute.value": [ "0" ], "ldap.attribute.name": [ "accountExpires" ] }

      },
      {
      "id": "447be09e-1790-4120-bd06-86721374e78d",
      "name": "modify date",
      "providerId": "user-attribute-ldap-mapper",
      "subComponents": {},
      "config":

      { "ldap.attribute": [ "whenChanged" ], "is.mandatory.in.ldap": [ "false" ], "read.only": [ "true" ], "always.read.value.from.ldap": [ "true" ], "user.model.attribute": [ "modifyTimestamp" ] }

      },
      {
      "id": "952d61c4-46d1-48ae-bdd0-bdef55c6a0fb",
      "name": "username",
      "providerId": "user-attribute-ldap-mapper",
      "subComponents": {},
      "config":

      { "ldap.attribute": [ "cn" ], "attribute.force.default": [ "false" ], "is.mandatory.in.ldap": [ "true" ], "is.binary.attribute": [ "false" ], "always.read.value.from.ldap": [ "true" ], "read.only": [ "true" ], "user.model.attribute": [ "username" ] }

      },
      {
      "id": "e6fe0978-0846-4784-b975-26f2dcb88dde",
      "name": "last name",
      "providerId": "user-attribute-ldap-mapper",
      "subComponents": {},
      "config":

      { "ldap.attribute": [ "sn" ], "attribute.force.default": [ "false" ], "is.mandatory.in.ldap": [ "false" ], "is.binary.attribute": [ "false" ], "always.read.value.from.ldap": [ "true" ], "read.only": [ "false" ], "user.model.attribute": [ "lastName" ] }

      },
      {
      "id": "fdf58f39-125e-4675-a206-abe7d940711a",
      "name": "email",
      "providerId": "user-attribute-ldap-mapper",
      "subComponents": {},
      "config":

      { "ldap.attribute": [ "mail" ], "is.mandatory.in.ldap": [ "false" ], "attribute.force.default": [ "false" ], "is.binary.attribute": [ "false" ], "read.only": [ "false" ], "always.read.value.from.ldap": [ "false" ], "user.model.attribute": [ "email" ] }

      },
      {
      "id": "a1583f8e-0cfc-4202-a691-c382d15c7227",
      "name": "creation date",
      "providerId": "user-attribute-ldap-mapper",
      "subComponents": {},
      "config":

      { "ldap.attribute": [ "whenCreated" ], "attribute.force.default": [ "false" ], "is.mandatory.in.ldap": [ "false" ], "is.binary.attribute": [ "false" ], "read.only": [ "true" ], "always.read.value.from.ldap": [ "true" ], "user.model.attribute": [ "createTimestamp" ] }

      }
      ]
      },
      "config":

      { "serverPrincipal": [ "HTTP/redacted@REDACTED" ], "pagination": [ "false" ], "fullSyncPeriod": [ "604800" ], "startTls": [ "false" ], "connectionPooling": [ "true" ], "usersDn": [ "CN=Users,DC=REDACTED" ], "cachePolicy": [ "DEFAULT" ], "useKerberosForPasswordAuthentication": [ "false" ], "importEnabled": [ "true" ], "enabled": [ "true" ], "bindCredential": [ "REDACTED" ], "bindDn": [ "CN=keycloak,CN=Users,DC=REDACTED" ], "changedSyncPeriod": [ "86400" ], "usernameLDAPAttribute": [ "cn" ], "vendor": [ "ad" ], "uuidLDAPAttribute": [ "objectGUID" ], "allowKerberosAuthentication": [ "true" ], "connectionUrl": [ "ldaps://REDACTED" ], "syncRegistrations": [ "true" ], "authType": [ "simple" ], "krbPrincipalAttribute": [ "userPrincipalName" ], "debug": [ "true" ], "searchScope": [ "2" ], "keyTab": [ "/etc/keycloak.keytab" ], "useTruststoreSpi": [ "always" ], "usePasswordModifyExtendedOp": [ "false" ], "kerberosRealm": [ "REDACTED" ], "trustEmail": [ "true" ], "userObjectClasses": [ "top, person, organizationalPerson, user" ], "rdnLDAPAttribute": [ "cn" ], "readTimeout": [ "0" ], "editMode": [ "WRITABLE" ], "validatePasswordPolicy": [ "true" ], "batchSizeForSync": [ "1000" ] }

      }
      ]

      
      

      }
      ```

      For my testing I use Samba AD as the Active Directory server. If necessary, I can provide instructions on how to set up such a server on a virtual machine.

      Anything else?

      No response
