[keycloak-user] Handling disabled users from LDAP
Dockendorf, Trey
tdockendorf at osc.edu
Mon Apr 16 09:04:40 EDT 2018
We've taken the approach of using OpenLDAP ACLs. If anyone comes across this thread and wonders how we did this:
ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
  by * break
olcAccess: {1}to attrs=userPassword filter="(!(loginDisabled=TRUE))"
  by self read
  by anonymous auth
  by * break
olcAccess: {2}to attrs=userPassword
  by dn="cn=ldap-admin,<BASE>" write
  by dn="cn=idm-admin,ou=Admin,<BASE>" write
  by dn="cn=syncuser,ou=Admin,<BASE>" read
  by * none
olcAccess: {3}to *
  by dn="cn=ldap-admin,<BASE>" write
  by dn="cn=idm-admin,ou=Admin,<BASE>" write
  by dn="cn=syncuser,ou=Admin,<BASE>" read
  by * read
EOF
--
Trey Dockendorf
HPC Systems Engineer
Ohio Supercomputer Center
On 4/11/18, 3:47 AM, "Michael Ströder" <michael at stroeder.com> wrote:
Dockendorf, Trey wrote:
> With either approach it sounds like what you're describing is getting
> the loginDisabled attribute into Keycloak. Once that attribute is
> stored, how would I go about telling Keycloak to disallow access
> based on the attribute's value?
With OpenLDAP's ACLs you should grant auth access to 'userPassword' for
anonymous based on the value of your custom loginDisabled attribute. With
such an ACL Keycloak does not have to know about that attribute at all.
And all LDAP-enabled applications will behave the same without
reconfiguration.
OpenLDAP details are off-topic here.
You could ask for ACL details on the openldap-technical mailing list.
Ciao, Michael.
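As an added illustration (not code from this thread, from OSC or from the OpenLDAP project): a small Python model of how slapd walks the olcAccess clauses posted above when a client performs a simple bind. A simple bind is granted only if the not-yet-authenticated (anonymous) requester has at least "auth" access to userPassword, so the model evaluates the clauses in order, honours "break" (fall through to the next "to" clause) and the implicit "by * none" when no "by" line matches. The subject labels (ldap-admin, idm-admin, syncuser, rootdn-ldapi), the sample entries and the filter subset are assumptions made for the example; only the (!(attr=value)) filter form used in the posted ACL is modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Access levels in increasing order. In OpenLDAP a granted level implies all
# lower ones, so "read" on userPassword also satisfies an "auth" request.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def level_covers(granted: str, needed: str) -> bool:
    return LEVELS.index(granted) >= LEVELS.index(needed)


@dataclass
class Clause:
    attrs: Optional[Set[str]]            # None models "to *"
    flt: Optional[Tuple[str, str, str]]  # ("not_equals", attr, value) or None
    by: List[Tuple[str, str]]            # (subject, access) with access possibly "break"


def filter_matches(flt, entry: Dict[str, List[str]]) -> bool:
    """Evaluate the (!(attr=value)) filter subset used by the posted ACL.
    An entry WITHOUT the attribute also matches, i.e. a user that simply lacks
    loginDisabled is treated as enabled (worth knowing when provisioning)."""
    if flt is None:
        return True
    op, attr, value = flt
    assert op == "not_equals", "only (!(attr=value)) is modelled here"
    vals = {v.lower() for v in entry.get(attr, [])}
    return value.lower() not in vals


def access_for(acl: List[Clause], entry, attr: str, who: str) -> str:
    """Walk the clauses in order. The first clause whose target (attrs + filter)
    matches is consulted; inside it the first matching 'by' decides. 'break'
    continues with the next clause; a matching clause with no matching 'by'
    denies (OpenLDAP's implicit 'by * none')."""
    for clause in acl:
        if clause.attrs is not None and attr not in clause.attrs:
            continue
        if not filter_matches(clause.flt, entry):
            continue
        for subject, access in clause.by:
            if subject == "*" or subject == who:
                if access == "break":
                    break          # fall through to the next "to" clause
                return access
        else:
            return "none"          # clause matched, nobody granted anything
    return "none"


# The four olcAccess values from the thread, with DNs replaced by short labels
# (assumed shorthand: rootdn-ldapi = the peercred identity on ldapi:///).
POSTED_ACL = [
    Clause(None, None, [("rootdn-ldapi", "manage"), ("*", "break")]),
    Clause({"userPassword"}, ("not_equals", "loginDisabled", "TRUE"),
           [("self", "read"), ("anonymous", "auth"), ("*", "break")]),
    Clause({"userPassword"}, None,
           [("ldap-admin", "write"), ("idm-admin", "write"),
            ("syncuser", "read"), ("*", "none")]),
    Clause(None, None,
           [("ldap-admin", "write"), ("idm-admin", "write"),
            ("syncuser", "read"), ("*", "read")]),
]


def simple_bind_allowed(entry, acl=POSTED_ACL) -> bool:
    """During a simple bind the requester is still anonymous, so the bind
    succeeds only if anonymous reaches 'auth' on the entry's userPassword."""
    return level_covers(access_for(acl, entry, "userPassword", "anonymous"), "auth")


# Constructed sample entries (placeholder hashes, not real credentials).
ENABLED_USER = {"uid": ["alice"], "userPassword": ["{SSHA}placeholder"]}
EXPLICITLY_ENABLED_USER = {"uid": ["carol"], "userPassword": ["{SSHA}placeholder"],
                           "loginDisabled": ["FALSE"]}
DISABLED_USER = {"uid": ["bob"], "userPassword": ["{SSHA}placeholder"],
                 "loginDisabled": ["TRUE"]}

if __name__ == "__main__":
    for name, entry in [("alice", ENABLED_USER), ("carol", EXPLICITLY_ENABLED_USER),
                        ("bob", DISABLED_USER)]:
        print(f"{name}: simple bind {'allowed' if simple_bind_allowed(entry) else 'denied'}")
```

Running it shows why Keycloak needs no knowledge of loginDisabled: for bob the filtered clause {1} does not apply, evaluation falls into clause {2}, and "by * none" denies the anonymous auth request, so the bind itself fails. The model also makes two properties of the posted ACL visible: syncuser keeps read access to userPassword for disabled accounts (clause {2}), and "by self read" in clause {1} lets an enabled, already-bound user read their own password hash.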