[keycloak-user] Handling disabled users from LDAP

Marek Posolda mposolda at redhat.com
Wed Apr 11 05:14:09 EDT 2018


I think you will need to implement your own LDAP mapper for this. You can take a look at some existing mappers for inspiration (for example MSADUserAccountControlStorageMapper).

Marek

On 10.4.2018 at 18:06, Dockendorf, Trey wrote:
> With either approach it sounds like what you're describing is getting the loginDisabled attribute into Keycloak. Once that attribute is stored, how would I go about telling Keycloak to disallow access based on the attribute's value?
>
> Below is an example of LDAP record where login should be disabled.
>
> Thanks,
> - Trey
>
> dn: cn=<username>,ou=People,<base DN>
> displayName: first last
> employeeType: REGULAR
> gecos: first last
> ou: OSC Operations
> cn: <username>
> employeeStatus: ACTIVE
> gidNumber: 103
> company: Ohio Supercomputer Center
> uid: <username>
> mail: <email>
> homeDirectory: /users/<username>
> title: Employee
> uidNumber: 20821
> sn: lastname
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: top
> objectClass: posixAccount
> objectClass: oscUser
> objectClass: shadowAccount
> givenName: firstname
> jobCode: FALSE
> loginDisabled: TRUE
> loginShell: /bin/bash
>
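
The mapper Marek points to would read the loginDisabled attribute from the quoted record and clear the Keycloak user's enabled flag when it is TRUE. The following is an added illustration, not code from Keycloak or from either poster; it assumes Keycloak's AbstractLDAPStorageMapper SPI as it existed around 2018 (onImportUserFromLDAP, beforeLDAPQuery, LDAPObject.getAttributeAsString, LDAPQuery.addReturningLdapAttribute), and the class name LoginDisabledStorageMapper is invented.

```java
// Added example (not Keycloak's own code): an LDAP storage mapper that disables
// the Keycloak user when the LDAP entry has loginDisabled: TRUE. Assumes the
// 2018-era Keycloak LDAP mapper SPI; verify method names against your version.
import org.keycloak.component.ComponentModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.ldap.LDAPStorageProvider;
import org.keycloak.storage.ldap.idm.model.LDAPObject;
import org.keycloak.storage.ldap.idm.query.internal.LDAPQuery;
import org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper;

public class LoginDisabledStorageMapper extends AbstractLDAPStorageMapper {
    // LDAP attribute name taken from the record quoted above.
    static final String LOGIN_DISABLED_ATTR = "loginDisabled";

    public LoginDisabledStorageMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider) {
        super(mapperModel, ldapProvider);
    }

    // Runs whenever Keycloak imports or re-syncs the user from LDAP:
    // this is where the LDAP flag becomes the Keycloak "enabled" state.
    @Override
    public void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, RealmModel realm, boolean isCreate) {
        user.setEnabled(!isLoginDisabled(ldapUser));
    }

    // Nothing is written back: the attribute is owned by the directory.
    @Override
    public void onRegisterUserToLDAP(LDAPObject ldapUser, UserModel localUser, RealmModel realm) {
    }

    // No per-call interception needed; the imported enabled flag is enough.
    @Override
    public UserModel proxy(LDAPObject ldapUser, UserModel delegate, RealmModel realm) {
        return delegate;
    }

    // Ask the LDAP search to return the attribute, otherwise
    // getAttributeAsString() below always sees null.
    @Override
    public void beforeLDAPQuery(LDAPQuery query) {
        query.addReturningLdapAttribute(LOGIN_DISABLED_ATTR);
    }

    // Only an explicit TRUE disables the account; a missing attribute leaves it
    // enabled. Tighten this if your directory always sets the attribute.
    static boolean isLoginDisabled(LDAPObject ldapUser) {
        String value = ldapUser.getAttributeAsString(LOGIN_DISABLED_ATTR);
        return value != null && value.trim().equalsIgnoreCase("TRUE");
    }
}
```

For Keycloak to load it, the class still needs a matching mapper factory registered as a Keycloak provider (via META-INF/services), after which the mapper is attached to the LDAP federation provider in the admin console. Until the next sync runs, a user already imported with enabled=true keeps that state, so trigger a full sync after adding the mapper.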
