[keycloak-user] LDAP Authentication - Extended Errors

Hi, I have been doing some development with Keycloak and specifically OpenID Connect, Password Grant and an LDAP user federation with Active Directory. Overall everything is working great but I am a little surprised that on a token refresh I get told that the user account is disabled but on a login I do not. The exception to this would be if I try to login with a disabled account after a user federation sync has occurred. Is this a configuration issue or do you need to implement LDAP diagnostic messages for login? Thanks for developing a fantastic product!! Regards Mark