From 4ad462fbd3db723096de862593c6fede2f775ef9 Mon Sep 17 00:00:00 2001
From: Pedro Igor
Date: Tue, 29 Oct 2024 21:05:50 -0300
Subject: [PATCH] Do not rely on the pwdLastSet attribute when updating AD entries

Closes #34467
Signed-off-by: Pedro Igor
---
 docs/documentation/release_notes/topics/26_1_0.adoc | 8 ++++++++
 .../main/java/org/keycloak/storage/ldap/LDAPUtils.java | 3 +--
 .../mappers/msad/MSADUserAccountControlStorageMapper.java | 2 +-
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/docs/documentation/release_notes/topics/26_1_0.adoc b/docs/documentation/release_notes/topics/26_1_0.adoc
index 53961ad8b1..1cb30d5645 100644
--- a/docs/documentation/release_notes/topics/26_1_0.adoc
+++ b/docs/documentation/release_notes/topics/26_1_0.adoc
@@ -8,3 +8,11 @@ If you are using a custom theme that extends any of the `keycloak` themes and ar
 ----
 darkMode=false
 ----
+
+= LDAP users are created as enabled by default when using Microsoft Active Directory
+
+If you are using Microsoft AD and creating users through the administrative interfaces, the user will created as enabled by default.
+
+In previous versions, it was only possible to update the user status after setting a (non-temporary) password to the user.
+This behavior was not consistent with other built-in user storages as well as not consistent with others LDAP vendors supported
+by the LDAP provider.
diff --git a/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPUtils.java b/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPUtils.java
index def88e599b..5f51340dfe 100755
--- a/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPUtils.java
+++ b/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPUtils.java
@@ -42,7 +42,6 @@ import org.keycloak.models.UserModel;
 import org.keycloak.models.utils.reflection.Property;
 import org.keycloak.models.utils.reflection.PropertyCriteria;
 import org.keycloak.models.utils.reflection.PropertyQueries;
-import org.keycloak.storage.ldap.LDAPConfig;
 import org.keycloak.storage.ldap.idm.model.LDAPDn;
 import org.keycloak.storage.ldap.idm.model.LDAPObject;
 import org.keycloak.storage.ldap.idm.query.Condition;
@@ -373,7 +372,7 @@ public class LDAPUtils {
 * Map key are the attributes names in lower case
 */
 public static Map> getUserModelProperties(){
-
+
 Map> userModelProps = PropertyQueries.createQuery(UserModel.class)
 .addCriteria(new PropertyCriteria() {
diff --git a/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/msad/MSADUserAccountControlStorageMapper.java b/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/msad/MSADUserAccountControlStorageMapper.java
index 2e01c3b177..592e732527 100644
--- a/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/msad/MSADUserAccountControlStorageMapper.java
+++ b/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/msad/MSADUserAccountControlStorageMapper.java
@@ -248,7 +248,7 @@ public class MSADUserAccountControlStorageMapper extends AbstractLDAPStorageMapp
 @Override
 public void setEnabled(boolean enabled) {
-if (ldapProvider.getEditMode() == UserStorageProvider.EditMode.WRITABLE && getPwdLastSet() > 0) {
+if (UserStorageProvider.EditMode.WRITABLE.equals(ldapProvider.getEditMode())) {
 MSADUserAccountControlStorageMapper.logger.debugf("Going to propagate enabled=%s for ldapUser '%s' to MSAD", enabled, ldapUser.getDn().toString());
 UserAccountControl control = getUserAccountControl(ldapUser);
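Review bot: Dropping `getPwdLastSet() > 0` from the `setEnabled` guard in the MSADUserAccountControlStorageMapper hunk means the ACCOUNTDISABLE bit is now written for an AD entry even when no password has ever been set on it, which is exactly the state the old check excluded, and nothing in the hunk replaces that with any handling for the directory refusing the write; the rest of `setEnabled`, including the `userAccountControl` update itself, is outside the hunk. If AD rejects clearing ACCOUNTDISABLE on a password-less account under its password policy (my recollection, not shown here), that failure should surface to the administrator rather than leave Keycloak's `enabled` flag out of sync with the directory, so please confirm the error path in the remainder of the method. The intent deserves a comment at the `if`, e.g. `// Propagate enabled/disabled regardless of pwdLastSet: AD users no longer need a password before their status can be changed (#34467)`. Minor: `UserStorageProvider.EditMode.WRITABLE.equals(...)` is an enum comparison; `==` is the idiomatic form and equally null-safe, so `if (ldapProvider.getEditMode() == UserStorageProvider.EditMode.WRITABLE) {` reads better.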