[keycloak-user] LDAP Authentication - Extended Errors
Marek Posolda
mposolda at redhat.com
Thu Aug 9 03:57:33 EDT 2018
On 07/08/18 22:47, Mark Hunt wrote:
> Hi,
>
> I have been doing some development with Keycloak and specifically OpenID Connect, Password Grant and an LDAP user federation with Active Directory. Overall everything is working great but I am a little surprised that on a token refresh I get told that the user account is disabled but on a login I do not. The exception to this would be if I try to login with a disabled account after a user federation sync has occurred.
>
> Is this a configuration issue or do you need to implement LDAP diagnostic messages for login?
Not sure I understand. If you go to the admin console, are you seeing
the user is enabled or disabled here? Is user enabled or disabled in MSAD?
One thing to note is, that if you disabled the user directly in MSAD
after it was already synced to Keycloak, the user may be cached in the
Keycloak. So there may be some time needed until the latest information
about enabled/disabled state is propagated from MSAD to the Keycloak
side. You can try to clear the cache to check if it's the case. For long
term, you can tweak caching policy configuration of LDAP provider.
Marek
>
> Thanks for developing a fantastic product!!
>
> Regards
>
> Mark
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list