Do not rely on the pwdLastSet attribute when updating AD entries
Closes #34467 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
parent
ac25844731
commit
4ad462fbd3
3 changed files with 10 additions and 3 deletions
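--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -8,3 +8,11 @@ If you are using a custom theme that extends any of the `keycloak` themes and ar
 ----
 darkMode=false
 ----
+
+= LDAP users are created as enabled by default when using Microsoft Active Directory
+
+If you are using Microsoft AD and creating users through the administrative interfaces, the user will created as enabled by default.
+
+In previous versions, it was only possible to update the user status after setting a (non-temporary) password to the user.
+This behavior was not consistent with other built-in user storages as well as not consistent with others LDAP vendors supported
+by the LDAP provider.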
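--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -42,7 +42,6 @@ import org.keycloak.models.UserModel;
 import org.keycloak.models.utils.reflection.Property;
 import org.keycloak.models.utils.reflection.PropertyCriteria;
 import org.keycloak.models.utils.reflection.PropertyQueries;
-import org.keycloak.storage.ldap.LDAPConfig;
 import org.keycloak.storage.ldap.idm.model.LDAPDn;
 import org.keycloak.storage.ldap.idm.model.LDAPObject;
 import org.keycloak.storage.ldap.idm.query.Condition;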
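--- a/<path not shown on page>/MSADUserAccountControlStorageMapper.java
+++ b/<path not shown on page>/MSADUserAccountControlStorageMapper.java
@@ -248,7 +248,7 @@ public class MSADUserAccountControlStorageMapper extends AbstractLDAPStorageMapp
 
 @Override
 public void setEnabled(boolean enabled) {
-if (ldapProvider.getEditMode() == UserStorageProvider.EditMode.WRITABLE && getPwdLastSet() > 0) {
+if (UserStorageProvider.EditMode.WRITABLE.equals(ldapProvider.getEditMode())) {
 MSADUserAccountControlStorageMapper.logger.debugf("Going to propagate enabled=%s for ldapUser '%s' to MSAD", enabled, ldapUser.getDn().toString());
 
 UserAccountControl control = getUserAccountControl(ldapUser);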
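Review bot: With the `getPwdLastSet() > 0` condition gone, the userAccountControl update now runs for AD accounts that have never had a password set, and a domain whose password policy forbids a blank password can refuse to clear ACCOUNTDISABLE on such an account; the modify that follows is outside this hunk, so make sure that LDAP failure is surfaced (or at least logged at warn level with the DN) rather than leaving Keycloak's `enabled` flag out of sync with what AD actually stored. The body of setEnabled continues past the end of the hunk, so I cannot confirm how a rejected write is currently handled. Since the pwdLastSet gate was the only thing documenting the old precondition, a Javadoc line on the method such as `Propagates the enabled flag to the MSAD userAccountControl attribute whenever the provider is WRITABLE; no longer gated on pwdLastSet.` would stop the next reader from re-adding it. The switch from `==` to `UserStorageProvider.EditMode.WRITABLE.equals(...)` is equivalent for an enum and null-safe either way, so that part is purely stylistic.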