
Add "Enable new user after creation" option for Active Directory #16849

Closed
oculos opened this issue Feb 5, 2023 · 1 comment

oculos commented Feb 5, 2023

Description

By default, creating users in Active Directory via LDAP results in locked/disabled accounts. Normally, a second query is needed to set the userAccountControl attribute (to, for example, 512) in order to enable the account. That attribute can't be set while the user is being created, but only after the user has been created.

That's why enabling new users from Keycloak works if one, for example, creates hardcoded LDAP attributes for userPassword and pwdLastSet in Keycloak. If these aren't set, the user needs to be enabled on Active Directory.

It would be nice to have some options specific to Active Directory, even if as simple as "enable user after importing/creating", or "default user access controls" for a finer definition of the attributes.

Discussion

#16842

Motivation

This would be very important when using Active Directory for new users who do not need to choose to set a password right away. If they are already logged in via SAML, for example, they just need to have access to a service, which will be blocked if the service reads user accounts from Active Directory.

Details

I think a good place for such options would be the LDAP provider configuration for user federation. If one chooses "Active Directory" as a vendor, options for post-creation attribute-setting could show up.

Or, even better, an option that could work on every LDAP provider that might have a similar issue: add an option on mappers so that they can be applied right after user creation, instead of concomitantly with the user creation.

oculos added the kind/enhancement and status/triage labels Feb 5, 2023
oculos added a commit to oculos/keycloak that referenced this issue Feb 9, 2023
This adds an option to enable newly imported users in Active Directory
right after registration.
The purpose of this is to have user accounts enabled on Active Directory
before the user has created a password.
This is accomplished by:
- creating a random `unicodePwd` attribute
- applying 512 to the `userAccountControl` attribute

The accompanying change to the UI is committed to its repo.

Closes keycloak#16849
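The create-then-enable sequence described in the issue body and in the commit message above (random unicodePwd first, then userAccountControl=512), as an added example. It is not Keycloak's code and not the patch from the linked commit. FakeActiveDirectory is a constructed in-memory stand-in that imitates only the behaviours the issue relies on: a newly added user starts disabled, unicodePwd is accepted only over a TLS-protected connection, and the account cannot be enabled while it has no password. The DN and attribute values are made up; swap the stand-in for a real LDAP client to run it against a domain.

```python
"""Create an Active Directory user over LDAP, then enable it in a second step.

Added example; not Keycloak's code and not the commit's patch. FakeActiveDirectory
is a constructed stand-in for a domain controller, not a real LDAP client.
"""
import secrets
import string

# userAccountControl bits (documented AD flag values)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200  # 512, the value the issue sets to enable the account

# LDAP result codes
LDAP_SUCCESS = 0
LDAP_UNWILLING_TO_PERFORM = 53  # the code AD uses for a refused password write or enable


def encode_unicode_pwd(password: str) -> bytes:
    """AD wants unicodePwd as the UTF-16LE bytes of the password wrapped in double quotes."""
    return f'"{password}"'.encode("utf-16-le")


def random_initial_password(length: int = 24) -> str:
    """CSPRNG-generated placeholder password meeting the default complexity rule
    (at least three of four character classes). Nobody, including the user, learns it."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!#$%&*+-=?@")
    pool = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if sum(any(ch in cls for ch in candidate) for cls in classes) >= 3:
            return candidate


class FakeActiveDirectory:
    """Constructed in-memory stand-in imitating the AD behaviours the issue describes."""

    def __init__(self, tls: bool):
        self.tls = tls
        self.entries = {}

    def add(self, dn: str, attrs: dict) -> int:
        # The object is created disabled and without a password, whatever the add carried.
        entry = dict(attrs)
        entry["userAccountControl"] = UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE  # 514
        entry["unicodePwd"] = None
        self.entries[dn] = entry
        return LDAP_SUCCESS

    def modify(self, dn: str, attr: str, value) -> int:
        entry = self.entries[dn]
        if attr == "unicodePwd":
            if not self.tls:
                return LDAP_UNWILLING_TO_PERFORM  # AD refuses password writes over plaintext
            entry[attr] = value
            return LDAP_SUCCESS
        if attr == "userAccountControl":
            enabling = not (value & UF_ACCOUNTDISABLE)
            if enabling and entry["unicodePwd"] is None:
                return LDAP_UNWILLING_TO_PERFORM  # policy: no password, no enable
        entry[attr] = value
        return LDAP_SUCCESS

    def is_enabled(self, dn: str) -> bool:
        return not (self.entries[dn]["userAccountControl"] & UF_ACCOUNTDISABLE)


def create_and_enable_user(directory, dn: str, attrs: dict, force_change_at_logon: bool = True) -> int:
    """The post-creation sequence from the issue: add, set a random unicodePwd,
    optionally force a password change at first logon, then set userAccountControl=512.
    Returns the final userAccountControl value."""
    if directory.add(dn, attrs) != LDAP_SUCCESS:
        raise RuntimeError("add failed")
    password = random_initial_password()
    if directory.modify(dn, "unicodePwd", encode_unicode_pwd(password)) != LDAP_SUCCESS:
        raise RuntimeError("unicodePwd rejected; AD requires LDAPS or StartTLS for password writes")
    if force_change_at_logon:
        directory.modify(dn, "pwdLastSet", 0)  # "user must change password at next logon"
    if directory.modify(dn, "userAccountControl", UF_NORMAL_ACCOUNT) != LDAP_SUCCESS:
        raise RuntimeError("enable rejected")
    return directory.entries[dn]["userAccountControl"]


def enable_without_password(directory, dn: str, attrs: dict) -> int:
    """The naive attempt: create, then enable with no password set.
    Returns the result code of the enable, which the stand-in (like AD) refuses."""
    directory.add(dn, attrs)
    return directory.modify(dn, "userAccountControl", UF_NORMAL_ACCOUNT)


if __name__ == "__main__":
    ad = FakeActiveDirectory(tls=True)
    alice = "CN=alice,CN=Users,DC=example,DC=test"  # made-up DN
    print("naive enable ->", enable_without_password(ad, alice, {"sAMAccountName": "alice"}))
    bob = "CN=bob,CN=Users,DC=example,DC=test"
    print("two-step enable ->", create_and_enable_user(ad, bob, {"sAMAccountName": "bob"}))
```

With a real client the unicodePwd write is a replace operation over LDAPS or StartTLS; a plaintext bind gets the same refusal the stand-in simulates. The random password must come from a CSPRNG and satisfy the domain's complexity policy, otherwise the write, and therefore the enable, fails. Setting pwdLastSet to 0 is what makes the placeholder password unusable for interactive logon beyond the first password change, which is the state the issue is after for users who authenticate elsewhere (for example via SAML).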

ssilvert commented Jul 3, 2023

Closing this for now. We can open it back up again with its associated PR if there is future interest by @oculos or someone else.

ssilvert closed this as completed Jul 3, 2023
ghost removed the status/triage label Jul 3, 2023
stianst added this to the 22.0.0 milestone Jul 11, 2023