Do not rely on the pwdLastSet attribute when updating AD entries

Closes #34467 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-10-29 21:05:50 -03:00 · 2024-10-29 21:05:50 -03:00 · 4ad462fbd3
commit 4ad462fbd3
parent ac25844731
3 changed files with 10 additions and 3 deletions
--- a/docs/documentation/release_notes/topics/26_1_0.adoc
+++ b/docs/documentation/release_notes/topics/26_1_0.adoc
@ -8,3 +8,11 @@ If you are using a custom theme that extends any of the `keycloak` themes and ar
 ----
 darkMode=false
 ----
+
+= LDAP users are created as enabled by default when using Microsoft Active Directory
+
+If you are using Microsoft AD and creating users through the administrative interfaces, the user will created as enabled by default.
+
+In previous versions, it was only possible to update the user status after setting a (non-temporary) password to the user.
+This behavior was not consistent with other built-in user storages as well as not consistent with others LDAP vendors supported
+by the LDAP provider.
--- a/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPUtils.java
+++ b/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPUtils.java
@ -42,7 +42,6 @@ import org.keycloak.models.UserModel;
 import org.keycloak.models.utils.reflection.Property;
 import org.keycloak.models.utils.reflection.PropertyCriteria;
 import org.keycloak.models.utils.reflection.PropertyQueries;
-import org.keycloak.storage.ldap.LDAPConfig;
 import org.keycloak.storage.ldap.idm.model.LDAPDn;
 import org.keycloak.storage.ldap.idm.model.LDAPObject;
 import org.keycloak.storage.ldap.idm.query.Condition;
@ -373,7 +372,7 @@ public class LDAPUtils {
     * Map key are the attributes names in lower case
     */
    public static Map<String, Property<Object>> getUserModelProperties(){
-        
+
        Map<String, Property<Object>> userModelProps = PropertyQueries.createQuery(UserModel.class)
                .addCriteria(new PropertyCriteria() {

--- a/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/msad/MSADUserAccountControlStorageMapper.java
+++ b/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/msad/MSADUserAccountControlStorageMapper.java
@ -248,7 +248,7 @@ public class MSADUserAccountControlStorageMapper extends AbstractLDAPStorageMapp

        @Override
        public void setEnabled(boolean enabled) {
-            if (ldapProvider.getEditMode() == UserStorageProvider.EditMode.WRITABLE && getPwdLastSet() > 0) {
+            if (UserStorageProvider.EditMode.WRITABLE.equals(ldapProvider.getEditMode())) {
                MSADUserAccountControlStorageMapper.logger.debugf("Going to propagate enabled=%s for ldapUser '%s' to MSAD", enabled, ldapUser.getDn().toString());

                UserAccountControl control = getUserAccountControl(ldapUser);