We are on Keycloak 3.4.2 using OpenLDAP 2.4.40. We have implemented the ppolicy overlay on
the server side to deny authenticated binds when someone's password has expired, but we
have custom attributes like loginDisabled that also dictate whether someone should be granted
access.
Thanks,
- Trey
--
Trey Dockendorf
HPC Systems Engineer
Ohio Supercomputer Center
On 4/9/18, 3:17 PM, "Marek Posolda" <mposolda(a)redhat.com> wrote:
What is your Keycloak version? And what is your LDAP vendor? Is it MSAD?
For MSAD, we have builtin support with the MSAD mapper as long as you
use "userAccountControl" attribute to track if user is enabled/disabled
(which is standard for MSAD environments AFAIK).
Marek
On 6.4.2018 at 14:38, Dockendorf, Trey wrote:
Currently we use Keycloak as an IdP tied to our LDAP environment. We
are curious how we would go about having Keycloak reject logins from accounts we deem
disabled in LDAP. Disabled could be for many reasons, one of which is password
expiration. I see I could add a filter to our User Federation for LDAP, but the user
would likely just show up as not found and get no kind of “Your account is disabled”
message I presume.
Thanks,
- Trey
--
Trey Dockendorf
HPC Systems Engineer
Ohio Supercomputer Center
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
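As an added illustration (not code from the thread or from the Keycloak project) of the approach Marek describes for MSAD, the following is a minimal Keycloak LDAP mapper that maps a custom OpenLDAP attribute, assumed here to be "loginDisabled" with TRUE/FALSE values, onto the Keycloak user's enabled flag, so a disabled account gets Keycloak's standard "Account is disabled" login error rather than "user not found". It assumes the LDAP mapper SPI shape of Keycloak 3.x (AbstractLDAPStorageMapper and UserModelDelegate); the accompanying mapper factory and META-INF/services registration are not shown, and password expiry enforced by ppolicy still surfaces as a failed bind.

```java
import org.keycloak.component.ComponentModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.UserModelDelegate;
import org.keycloak.storage.ldap.LDAPStorageProvider;
import org.keycloak.storage.ldap.idm.model.LDAPObject;
import org.keycloak.storage.ldap.idm.query.internal.LDAPQuery;
import org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper;

// Maps a custom boolean LDAP attribute (assumed here: "loginDisabled" = TRUE/FALSE)
// onto Keycloak's user "enabled" flag, like the built-in MSAD userAccountControl mapper.
// A disabled user then gets the standard "Account is disabled" login error, not "not found".
public class LoginDisabledLDAPMapper extends AbstractLDAPStorageMapper {
    static final String LOGIN_DISABLED_ATTR = "loginDisabled"; // hypothetical attribute name

    public LoginDisabledLDAPMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider) {
        super(mapperModel, ldapProvider);
    }
    // Decision logic kept separate from the SPI plumbing so it can be unit tested.
    static boolean isDisabled(String rawValue) {
        return rawValue != null && rawValue.trim().equalsIgnoreCase("TRUE");
    }
    @Override
    public void beforeLDAPQuery(LDAPQuery query) {
        query.addReturningLdapAttribute(LOGIN_DISABLED_ATTR); // ensure the attribute is fetched
    }
    @Override
    public void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, RealmModel realm, boolean isCreate) {
        String v = ldapUser.getAttributeAsString(LOGIN_DISABLED_ATTR);
        if (v != null) user.setEnabled(!isDisabled(v)); // absent attribute: leave the flag alone
    }
    @Override
    public void onRegisterUserToLDAP(LDAPObject ldapUser, UserModel localUser, RealmModel realm) {
        // Nothing is written back: the directory stays authoritative for this flag.
    }
    @Override
    public UserModel proxy(final LDAPObject ldapUser, UserModel delegate, RealmModel realm) {
        // Re-evaluate on every read so a change in LDAP takes effect without a re-import.
        return new UserModelDelegate(delegate) {
            @Override
            public boolean isEnabled() {
                String v = ldapUser.getAttributeAsString(LOGIN_DISABLED_ATTR);
                return v == null ? super.isEnabled() : !isDisabled(v);
            }
        };
    }
}
```

Because the proxy re-reads the attribute, flipping loginDisabled in OpenLDAP takes effect at the next login without a full user re-sync.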