By default, creating users in Active Directory via LDAP results in locked/disabled accounts. Normally, a second query is needed to set the userAccountControl attribute (to for example 512) in order to enable the account. That attribute can't be set when the user is being created, but rather after the user creation.
That's why it works to enable new users from Keycloak if one, for example, creates hardcoded LDAP attributes for userPassword and pwdLastSet on Keycloak. If these aren't set, a user needs to be enabled on Active Directory.
It would be nice to have some options specific for Active Directory, even if as simple as "enable user after importing/creating", or "default user access controls" for finer definition of the attributes.
This would be very important when using Active Directory for new users who do not need to choose to set a password right away. If they are already logged in via SAML, for example, they just need to have access to a service, which will be blocked if the service reads user accounts from Active Directory.
Details
I think a good place for such options would be on the LDAP provider configuration for user federation. If one chooses "Active Directory" as a vendor, options for post-creation attribute-setting could show up.
Or, even better, an option that could work on every ldap provider who might have a similar issue: add an option on mappers so that they can be applied right after user creation, instead of concomitantly with the user creation.
This adds an option to enable new imported users to Active Directory
right after registration.
The purpose of this is to have user accounts enabled on Active Directory
before the user has created a password.
This is accomplished by:
- creating a random `unicodePwd` attribute
- applying 512 to the `userAccountControl` attribute
The accompanying change to the UI is committed to its repo.
Closes keycloak#16849
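As an added illustration of the two-step sequence the PR describes (not Keycloak's own code), the helpers below build the second LDAP operation that follows a successful add: a throw-away `unicodePwd` plus `userAccountControl` = 512. The constant and function names are my own, and the change dict is shaped like the one ldap3's `Connection.modify()` accepts, without importing ldap3 so it runs offline.

```python
import secrets
import string

# userAccountControl bit flags from the AD schema (names chosen for this example).
ACCOUNTDISABLE = 0x0002   # AD sets this on every account created through LDAP
NORMAL_ACCOUNT = 0x0200   # 512 decimal, the value the PR writes after creation
MODIFY_REPLACE = "MODIFY_REPLACE"  # same string constant ldap3 uses


def encode_unicode_pwd(password: str) -> bytes:
    """AD only accepts unicodePwd as the password wrapped in double quotes
    and encoded as UTF-16-LE with no BOM; any other encoding is rejected."""
    return f'"{password}"'.encode("utf-16-le")


def random_password(length: int = 32) -> str:
    """Throw-away initial password drawn from a CSPRNG. Nobody needs to know
    it, so never log it; the user sets a real password later via Keycloak."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_enabled(user_account_control: int) -> bool:
    """True when the ACCOUNTDISABLE bit is clear: 512 is enabled,
    514 or 546 (typical defaults of a freshly added account) are disabled."""
    return not user_account_control & ACCOUNTDISABLE


def post_create_modifications(password: str) -> dict:
    """Second LDAP operation, issued only after the add has succeeded.
    Order matters: the password goes in before the disable bit is cleared,
    because AD refuses to enable an account whose password violates policy."""
    return {
        "unicodePwd": [(MODIFY_REPLACE, [encode_unicode_pwd(password)])],
        "userAccountControl": [(MODIFY_REPLACE, [str(NORMAL_ACCOUNT)])],
    }


if __name__ == "__main__":
    # Example (constructed) flow: after conn.add(dn, ...) succeeds, call
    # conn.modify(dn, post_create_modifications(random_password())).
    changes = post_create_modifications(random_password())
    print(list(changes), is_enabled(NORMAL_ACCOUNT), is_enabled(546))
```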
Discussion
#16842