Do not rely on the pwdLastSet attribute when updating AD entries

Closes #34467

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
This commit is contained in:
Pedro Igor 2024-10-29 21:05:50 -03:00 committed by Alexander Schwartz
parent ac25844731
commit 4ad462fbd3
3 changed files with 10 additions and 3 deletions

View file

@ -8,3 +8,11 @@ If you are using a custom theme that extends any of the `keycloak` themes and ar
---- ----
darkMode=false darkMode=false
---- ----
= LDAP users are created as enabled by default when using Microsoft Active Directory
If you are using Microsoft AD and creating users through the administrative interfaces, the user will created as enabled by default.
In previous versions, it was only possible to update the user status after setting a (non-temporary) password to the user.
This behavior was not consistent with other built-in user storages as well as not consistent with others LDAP vendors supported
by the LDAP provider.

View file

@ -42,7 +42,6 @@ import org.keycloak.models.UserModel;
import org.keycloak.models.utils.reflection.Property; import org.keycloak.models.utils.reflection.Property;
import org.keycloak.models.utils.reflection.PropertyCriteria; import org.keycloak.models.utils.reflection.PropertyCriteria;
import org.keycloak.models.utils.reflection.PropertyQueries; import org.keycloak.models.utils.reflection.PropertyQueries;
import org.keycloak.storage.ldap.LDAPConfig;
import org.keycloak.storage.ldap.idm.model.LDAPDn; import org.keycloak.storage.ldap.idm.model.LDAPDn;
import org.keycloak.storage.ldap.idm.model.LDAPObject; import org.keycloak.storage.ldap.idm.model.LDAPObject;
import org.keycloak.storage.ldap.idm.query.Condition; import org.keycloak.storage.ldap.idm.query.Condition;
@ -373,7 +372,7 @@ public class LDAPUtils {
* Map key are the attributes names in lower case * Map key are the attributes names in lower case
*/ */
public static Map<String, Property<Object>> getUserModelProperties(){ public static Map<String, Property<Object>> getUserModelProperties(){
Map<String, Property<Object>> userModelProps = PropertyQueries.createQuery(UserModel.class) Map<String, Property<Object>> userModelProps = PropertyQueries.createQuery(UserModel.class)
.addCriteria(new PropertyCriteria() { .addCriteria(new PropertyCriteria() {

View file

@ -248,7 +248,7 @@ public class MSADUserAccountControlStorageMapper extends AbstractLDAPStorageMapp
@Override @Override
public void setEnabled(boolean enabled) { public void setEnabled(boolean enabled) {
if (ldapProvider.getEditMode() == UserStorageProvider.EditMode.WRITABLE && getPwdLastSet() > 0) { if (UserStorageProvider.EditMode.WRITABLE.equals(ldapProvider.getEditMode())) {
MSADUserAccountControlStorageMapper.logger.debugf("Going to propagate enabled=%s for ldapUser '%s' to MSAD", enabled, ldapUser.getDn().toString()); MSADUserAccountControlStorageMapper.logger.debugf("Going to propagate enabled=%s for ldapUser '%s' to MSAD", enabled, ldapUser.getDn().toString());
UserAccountControl control = getUserAccountControl(ldapUser); UserAccountControl control = getUserAccountControl(ldapUser);