
Enabling/Disabling user does not work with Microsoft AD LDAP via Admin API/UI #31456

@krezovic

Description


Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

ldap

Describe the bug

When using Microsoft Active Directory LDAP backend, a default LDAP mapper is pre-configured, namely "MSAD Account Controls"

(screenshot: the pre-configured "MSAD Account Controls" mapper)

Now, if the user is disabled in LDAP, the enable operation simply does not work. The userAccountControl is never modified in LDAP - but the UI does say that "the user has been saved".

(screenshot: the "user has been saved" message)

Additionally, if creation of users in LDAP is enabled (WRITABLE edit mode), then the user is by default created with a userAccountControl value of "546", which, according to the online decoder located at https://www.techjutsu.ca/uac-decoder, decodes to

(screenshot: decoder output for userAccountControl 546)

Version

25.0.2

Regression

  • The issue is a regression

Expected behavior

I am able to enable an already disabled user in LDAP and enable a newly created one - or create a user that's enabled.

Actual behavior

I cannot enable a newly created user or users disabled in LDAP.

How to Reproduce?

I am providing a partial export of the LDAP component:

{
  "realm": "primary",
  "components": {
    "org.keycloak.storage.UserStorageProvider": [
      {
        "id": "3d9e47d1-5cd5-4df4-a4ea-3cdab797fb4f",
        "name": "AD LDAP",
        "providerId": "ldap",
        "subComponents": {
          "org.keycloak.storage.ldap.mappers.LDAPStorageMapper": [
            {
              "id": "2957f424-b4a1-4ff9-a070-55b64f91e963",
              "name": "MSAD account controls",
              "providerId": "msad-user-account-control-mapper",
              "subComponents": {},
              "config": {
                "always.read.enabled.value.from.ldap": [
                  "true"
                ]
              }
            },
            {
              "id": "0e0a7c5f-de2f-4aa3-96b3-41905862d4f1",
              "name": "sAMAccountName",
              "providerId": "user-attribute-ldap-mapper",
              "subComponents": {},
              "config": {
                "ldap.attribute": [
                  "sAMAccountName"
                ],
                "attribute.force.default": [
                  "false"
                ],
                "is.mandatory.in.ldap": [
                  "true"
                ],
                "is.binary.attribute": [
                  "false"
                ],
                "read.only": [
                  "true"
                ],
                "always.read.value.from.ldap": [
                  "true"
                ],
                "user.model.attribute": [
                  "username"
                ]
              }
            },
            {
              "id": "30bac14e-cfe7-44c7-8ceb-f183be54a9ae",
              "name": "first name",
              "providerId": "user-attribute-ldap-mapper",
              "subComponents": {},
              "config": {
                "ldap.attribute": [
                  "givenName"
                ],
                "attribute.force.default": [
                  "false"
                ],
                "is.mandatory.in.ldap": [
                  "false"
                ],
                "is.binary.attribute": [
                  "false"
                ],
                "read.only": [
                  "false"
                ],
                "always.read.value.from.ldap": [
                  "true"
                ],
                "user.model.attribute": [
                  "firstName"
                ]
              }
            },
            {
              "id": "b9840a5e-5283-46b9-ad62-0c75f5fa1a21",
              "name": "accountExpires",
              "providerId": "hardcoded-ldap-attribute-mapper",
              "subComponents": {},
              "config": {
                "ldap.attribute.value": [
                  "0"
                ],
                "ldap.attribute.name": [
                  "accountExpires"
                ]
              }
            },
            {
              "id": "447be09e-1790-4120-bd06-86721374e78d",
              "name": "modify date",
              "providerId": "user-attribute-ldap-mapper",
              "subComponents": {},
              "config": {
                "ldap.attribute": [
                  "whenChanged"
                ],
                "is.mandatory.in.ldap": [
                  "false"
                ],
                "read.only": [
                  "true"
                ],
                "always.read.value.from.ldap": [
                  "true"
                ],
                "user.model.attribute": [
                  "modifyTimestamp"
                ]
              }
            },
            {
              "id": "952d61c4-46d1-48ae-bdd0-bdef55c6a0fb",
              "name": "username",
              "providerId": "user-attribute-ldap-mapper",
              "subComponents": {},
              "config": {
                "ldap.attribute": [
                  "cn"
                ],
                "attribute.force.default": [
                  "false"
                ],
                "is.mandatory.in.ldap": [
                  "true"
                ],
                "is.binary.attribute": [
                  "false"
                ],
                "always.read.value.from.ldap": [
                  "true"
                ],
                "read.only": [
                  "true"
                ],
                "user.model.attribute": [
                  "username"
                ]
              }
            },
            {
              "id": "e6fe0978-0846-4784-b975-26f2dcb88dde",
              "name": "last name",
              "providerId": "user-attribute-ldap-mapper",
              "subComponents": {},
              "config": {
                "ldap.attribute": [
                  "sn"
                ],
                "attribute.force.default": [
                  "false"
                ],
                "is.mandatory.in.ldap": [
                  "false"
                ],
                "is.binary.attribute": [
                  "false"
                ],
                "always.read.value.from.ldap": [
                  "true"
                ],
                "read.only": [
                  "false"
                ],
                "user.model.attribute": [
                  "lastName"
                ]
              }
            },
            {
              "id": "fdf58f39-125e-4675-a206-abe7d940711a",
              "name": "email",
              "providerId": "user-attribute-ldap-mapper",
              "subComponents": {},
              "config": {
                "ldap.attribute": [
                  "mail"
                ],
                "is.mandatory.in.ldap": [
                  "false"
                ],
                "attribute.force.default": [
                  "false"
                ],
                "is.binary.attribute": [
                  "false"
                ],
                "read.only": [
                  "false"
                ],
                "always.read.value.from.ldap": [
                  "false"
                ],
                "user.model.attribute": [
                  "email"
                ]
              }
            },
            {
              "id": "a1583f8e-0cfc-4202-a691-c382d15c7227",
              "name": "creation date",
              "providerId": "user-attribute-ldap-mapper",
              "subComponents": {},
              "config": {
                "ldap.attribute": [
                  "whenCreated"
                ],
                "attribute.force.default": [
                  "false"
                ],
                "is.mandatory.in.ldap": [
                  "false"
                ],
                "is.binary.attribute": [
                  "false"
                ],
                "read.only": [
                  "true"
                ],
                "always.read.value.from.ldap": [
                  "true"
                ],
                "user.model.attribute": [
                  "createTimestamp"
                ]
              }
            }
          ]
        },
        "config": {
          "serverPrincipal": [
            "HTTP/redacted@REDACTED"
          ],
          "pagination": [
            "false"
          ],
          "fullSyncPeriod": [
            "604800"
          ],
          "startTls": [
            "false"
          ],
          "connectionPooling": [
            "true"
          ],
          "usersDn": [
            "CN=Users,DC=REDACTED"
          ],
          "cachePolicy": [
            "DEFAULT"
          ],
          "useKerberosForPasswordAuthentication": [
            "false"
          ],
          "importEnabled": [
            "true"
          ],
          "enabled": [
            "true"
          ],
          "bindCredential": [
            "REDACTED"
          ],
          "bindDn": [
            "CN=keycloak,CN=Users,DC=REDACTED"
          ],
          "changedSyncPeriod": [
            "86400"
          ],
          "usernameLDAPAttribute": [
            "cn"
          ],
          "vendor": [
            "ad"
          ],
          "uuidLDAPAttribute": [
            "objectGUID"
          ],
          "allowKerberosAuthentication": [
            "true"
          ],
          "connectionUrl": [
            "ldaps://REDACTED"
          ],
          "syncRegistrations": [
            "true"
          ],
          "authType": [
            "simple"
          ],
          "krbPrincipalAttribute": [
            "userPrincipalName"
          ],
          "debug": [
            "true"
          ],
          "searchScope": [
            "2"
          ],
          "keyTab": [
            "/etc/keycloak.keytab"
          ],
          "useTruststoreSpi": [
            "always"
          ],
          "usePasswordModifyExtendedOp": [
            "false"
          ],
          "kerberosRealm": [
            "REDACTED"
          ],
          "trustEmail": [
            "true"
          ],
          "userObjectClasses": [
            "top, person, organizationalPerson, user"
          ],
          "rdnLDAPAttribute": [
            "cn"
          ],
          "readTimeout": [
            "0"
          ],
          "editMode": [
            "WRITABLE"
          ],
          "validatePasswordPolicy": [
            "true"
          ],
          "batchSizeForSync": [
            "1000"
          ]
        }
      }
    ]
  }
}

For my testing, I use Samba AD. If necessary, I can provide instructions on how to set up a server on a virtual machine.

Anything else?

No response
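As an added worked example (not code from this issue, from Keycloak, or from the MSAD mapper), the Python below decodes a userAccountControl value into its documented AD flag names, computes the value an enable or disable write has to store, and audits an LDIF dump for accounts that are disabled or that carry PASSWD_NOTREQD. The value 546 reported above is 0x222, i.e. NORMAL_ACCOUNT (0x200) | PASSWD_NOTREQD (0x20) | ACCOUNTDISABLE (0x2). The LDIF entries, DNs and account names in the block are constructed for illustration; the flag values themselves are the documented userAccountControl bits.

```python
"""Decode and audit Active Directory userAccountControl values.

Added example; not part of the Keycloak issue or code base. Flag bits are the
documented AD userAccountControl definitions. The LDIF sample is constructed.
"""
from __future__ import annotations

# Documented userAccountControl bits relevant to user accounts.
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020


def decode_uac(value: int) -> list[str]:
    """Names of all flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_enabled(value: int) -> bool:
    """An AD account is enabled exactly when ACCOUNTDISABLE is clear."""
    return not value & ACCOUNTDISABLE


def set_enabled(value: int, enabled: bool) -> int:
    """The userAccountControl an enable/disable write must store in LDAP.

    Only the ACCOUNTDISABLE bit changes; every other flag is preserved.
    """
    return value & ~ACCOUNTDISABLE if enabled else value | ACCOUNTDISABLE


def parse_ldif_uac(ldif: str) -> dict[str, int]:
    """Map dn -> userAccountControl from a minimal LDIF text (comments ignored)."""
    result: dict[str, int] = {}
    dn = None
    for raw in ldif.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition(":")
        if key.lower() == "dn":
            dn = val.strip()
        elif key.lower() == "useraccountcontrol" and dn is not None:
            result[dn] = int(val.strip())
    return result


def audit(ldif: str) -> list[tuple[str, str]]:
    """Flag accounts that are disabled or that do not require a password."""
    findings = []
    for dn, uac in parse_ldif_uac(ldif).items():
        if uac & ACCOUNTDISABLE:
            findings.append((dn, "disabled"))
        if uac & PASSWD_NOTREQD:
            findings.append((dn, "password not required"))
    return findings


# Constructed sample dump; not output from a real directory.
SAMPLE_LDIF = """
# constructed sample
dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 512

dn: CN=bob,CN=Users,DC=example,DC=test
sAMAccountName: bob
userAccountControl: 546

dn: CN=svc-backup,CN=Users,DC=example,DC=test
sAMAccountName: svc-backup
userAccountControl: 66048
"""

if __name__ == "__main__":
    print("546 ->", decode_uac(546))
    print("enable 546 ->", set_enabled(546, True))
    for dn, finding in audit(SAMPLE_LDIF):
        print(f"{finding:22} {dn}")
```

Two things the block makes visible that the screenshot does not: enabling a 546 account by clearing ACCOUNTDISABLE yields 544, which still carries PASSWD_NOTREQD, so an enable that succeeds is not by itself a complete account setup; and the symptom in this report can be confirmed independently of the UI by reading userAccountControl from the directory before and after the enable action and checking whether bit 0x2 actually cleared.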
