[keycloak-user] Handling disabled users from LDAP

Dockendorf, Trey tdockendorf at osc.edu
Tue Apr 10 12:06:19 EDT 2018


With either approach it sounds like what you're describing is getting the loginDisabled attribute into Keycloak.  Once that attribute is stored, how would I go about telling Keycloak to disallow access based on the attribute's value?

Below is an example of LDAP record where login should be disabled.

Thanks,
- Trey

dn: cn=<username>,ou=People,<base DN>
displayName: first last
employeeType: REGULAR
gecos: first last
ou: OSC Operations
cn: <username>
employeeStatus: ACTIVE
gidNumber: 103
company: Ohio Supercomputer Center
uid: <username>
mail: <email>
homeDirectory: /users/<username>
title: Employee
uidNumber: 20821
sn: lastname
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: posixAccount
objectClass: oscUser
objectClass: shadowAccount
givenName: firstname
jobCode: FALSE
loginDisabled: TRUE
loginShell: /bin/bash

-- 
Trey Dockendorf

HPC Systems Engineer
Ohio Supercomputer Center
On 4/10/18, 10:42 AM, "Marek Posolda" <mposolda at redhat.com> wrote:

    I think you would either need to use User Attribute LDAP Mapper, but not 
    sure if it's possible. I am not 100% sure about your LDAP structure. Or 
    you need to implement custom LDAP Storage mapper then.
    
    Marek
    
    On 10.4.2018 at 15:30 Dockendorf, Trey wrote:
    > We are on Keycloak 3.4.2 using OpenLDAP 2.4.40.  We have implemented ppolicy overlay on the server side to deny authenticated binds when someone's password has expired but we have custom attributes like loginDisabled that also dictates if someone should be granted access.
    >
    > Thanks,
    > - Trey
    >
    
    
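The custom LDAP storage mapper that Marek mentions, written here as an added illustration of one way to answer Trey's question (it is not code from this thread or from the Keycloak project). It assumes the Keycloak 3.4 LDAP mapper SPI (`AbstractLDAPStorageMapper`, `AbstractLDAPStorageMapperFactory`, `LDAPObject.getAttributeAsString`, `LDAPQuery.addReturningLdapAttribute`, `UserModelDelegate`); the package, class names and provider id are hypothetical. The idea is not to write a new authenticator but to make the LDAP attribute drive the user's enabled state, so Keycloak's existing "Account is disabled" check rejects the login and records a USER_DISABLED event.

```java
package com.example.keycloak.ldap; // hypothetical package, not part of Keycloak

import java.util.Collections;
import java.util.List;

import org.keycloak.component.ComponentModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.UserModelDelegate;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.storage.ldap.LDAPStorageProvider;
import org.keycloak.storage.ldap.idm.model.LDAPObject;
import org.keycloak.storage.ldap.idm.query.internal.LDAPQuery;
import org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper;
import org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapperFactory;

/**
 * Reads the LDAP attribute "loginDisabled" (from the record posted in the mail)
 * and makes Keycloak treat the user as disabled when its value is TRUE.
 */
public class LoginDisabledLDAPStorageMapper extends AbstractLDAPStorageMapper {

    // Attribute name taken from the LDAP record in the thread; value assumed to be "TRUE"/"FALSE".
    public static final String LDAP_ATTR = "loginDisabled";

    public LoginDisabledLDAPStorageMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider) {
        super(mapperModel, ldapProvider);
    }

    /** Ask the LDAP query to return loginDisabled; attributes not requested are not fetched. */
    @Override
    public void beforeLDAPQuery(LDAPQuery query) {
        query.addReturningLdapAttribute(LDAP_ATTR);
    }

    /** A missing attribute is treated as "not disabled"; only an explicit TRUE blocks the user. */
    static boolean isLoginDisabled(LDAPObject ldapUser) {
        String value = ldapUser.getAttributeAsString(LDAP_ATTR);
        return value != null && value.trim().equalsIgnoreCase("TRUE");
    }

    /** Runs on first import and on periodic sync: persist the flag into the local Keycloak user. */
    @Override
    public void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, RealmModel realm, boolean isCreate) {
        if (isLoginDisabled(ldapUser)) {
            user.setEnabled(false);
        }
    }

    /** Nothing is written back: loginDisabled is owned by the directory, not by Keycloak. */
    @Override
    public void onRegisterUserToLDAP(LDAPObject ldapUser, UserModel localUser, RealmModel realm) {
    }

    /**
     * Runs each time the user is loaded from LDAP, so an account that was just
     * disabled in the directory is rejected at its next login, before the next full sync.
     */
    @Override
    public UserModel proxy(LDAPObject ldapUser, UserModel delegate, RealmModel realm) {
        final boolean disabledInLdap = isLoginDisabled(ldapUser);
        return new UserModelDelegate(delegate) {
            @Override
            public boolean isEnabled() {
                // "disabled in LDAP" always wins; otherwise fall back to Keycloak's own flag.
                return !disabledInLdap && super.isEnabled();
            }
        };
    }
}

// --- Second file: LoginDisabledLDAPStorageMapperFactory.java (same hypothetical package) ---
// Registered by listing this class name in
// META-INF/services/org.keycloak.storage.ldap.mappers.LDAPStorageMapperFactory
class LoginDisabledLDAPStorageMapperFactory extends AbstractLDAPStorageMapperFactory {

    public static final String PROVIDER_ID = "login-disabled-ldap-mapper"; // hypothetical id

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    @Override
    public String getHelpText() {
        return "Disables users whose LDAP loginDisabled attribute is TRUE";
    }

    @Override
    public List<ProviderConfigProperty> getConfigProperties() {
        return Collections.emptyList(); // no admin-console options needed for this mapper
    }

    @Override
    protected AbstractLDAPStorageMapper createMapper(ComponentModel mapperModel, LDAPStorageProvider federationProvider) {
        return new LoginDisabledLDAPStorageMapper(mapperModel, federationProvider);
    }
}
```

Once the jar is deployed, the mapper is added to the LDAP user federation provider under its Mappers tab like any built-in mapper. Two points worth checking after installing it: run a full sync and confirm that users with `loginDisabled: TRUE` show as disabled in the admin console, and confirm that re-enabling a user in Keycloak alone does not let them in while the directory still says TRUE (the `proxy` override is what enforces that). The ppolicy overlay mentioned earlier still handles expired passwords at bind time; this mapper only covers the attribute-based decision.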