KEYCLOAK-12437 Revert KEYCLOAK-11802 (#6700)

This reverts commit e018ca3e29 from: Simplifying logic for determining disabled status (#6416) Co-authored-by: brunomedeiros-visagio <55057005+brunomedeiros-visagio@users.noreply.github.com>
2020-01-28 21:59:03 +08:00 · 2020-01-28 21:59:03 +08:00 · 5c910d6f13
commit 5c910d6f13
parent 993ba3179c
1 changed files with 8 additions and 1 deletions
--- a/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/msad/MSADUserAccountControlStorageMapper.java
+++ b/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/msad/MSADUserAccountControlStorageMapper.java
@ -216,7 +216,14 @@ public class MSADUserAccountControlStorageMapper extends AbstractLDAPStorageMapp
        @Override
        public boolean isEnabled() {
            boolean kcEnabled = super.isEnabled();
-            return kcEnabled && !getUserAccountControl(ldapUser).has(UserAccountControl.ACCOUNTDISABLE);
+
+            if (getPwdLastSet() > 0) {
+                // Merge KC and MSAD
+                return kcEnabled && !getUserAccountControl(ldapUser).has(UserAccountControl.ACCOUNTDISABLE);
+            } else {
+                // If new MSAD user is created and pwdLastSet is still 0, MSAD account is in disabled state. So read just from Keycloak DB. User is not able to login via MSAD anyway
+                return kcEnabled;
+            }
        }

        @Override