On 09/08/18 13:53, Mark Hunt wrote:
> Hi,
> So the situation is when the user is Enabled in the cache but disabled
> in MSAD. When you attempt a login with a password grant it returns
> Invalid Credentials. I would expect this to return Account Disabled.
> Extended LDAP diagnostic messages should provide this information,
> certainly against MSAD anyway.
> This is also different behaviour to when you use the refresh token
> grant. If the user is Enabled in the cache but disabled in AD the
> token request returns Account Disabled. This is the expected behaviour.
> The cache would naturally update and you get the right message at
> login (password grant), but only once the sync has occurred. We want
> to try and avoid resyncing too often, but still get the correct error
> messages.
I see. However, if you update LDAP directly, there is currently no way to
tell Keycloak to update the cache and invalidate records. So it's always
some compromise between performance (caching enabled with longer
eviction intervals) and more accurate state in Keycloak (caching disabled
or set with shorter intervals).
You can try to tweak the Cache policy setting of the LDAP provider and
temporarily set it to "NEVER" to see if disabling caching results in the
expected behaviour.
Long term, you may need to make some compromise in the cache settings.
Maybe the possibility is that whenever you do a bulk update of LDAP
users in your LDAP, you manually trigger SYNC in Keycloak to update
the state, or manually clear the user cache in the Keycloak admin console.
This requires that you do all the LDAP changes "at once" instead of
doing the changes continuously during the whole day.
Marek
> Regards
> Mark
------------------------------------------------------------------------
*From:* Marek Posolda <mposolda(a)redhat.com>
*Sent:* Thursday, August 9, 2018 8:57:33 AM
*To:* Mark Hunt; keycloak-user(a)lists.jboss.org
*Subject:* Re: [keycloak-user] LDAP Authentication - Extended Errors
On 07/08/18 22:47, Mark Hunt wrote:
> Hi,
>
> I have been doing some development with Keycloak and specifically
> OpenID Connect, Password Grant and an LDAP user federation with Active
> Directory. Overall everything is working great but I am a little
> surprised that on a token refresh I get told that the user account is
> disabled but on a login I do not. The exception to this would be if I
> try to log in with a disabled account after a user federation sync has
> occurred.
>
> Is this a configuration issue or do you need to implement LDAP
> diagnostic messages for login?
Not sure I understand. If you go to the admin console, are you seeing
the user as enabled or disabled there? Is the user enabled or disabled in MSAD?
One thing to note is that if you disabled the user directly in MSAD
after it was already synced to Keycloak, the user may be cached in
Keycloak. So there may be some time needed until the latest information
about the enabled/disabled state is propagated from MSAD to the Keycloak
side. You can try to clear the cache to check if that's the case. For the long
term, you can tweak the caching policy configuration of the LDAP provider.
Marek
>
> Thanks for developing a fantastic product!!
>
> Regards
>
> Mark
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
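Marek's suggestion above (trigger a SYNC or clear the user cache right after a bulk LDAP change, rather than shortening the eviction interval) can be scripted against the Keycloak admin REST API. The following is an added example, not code from the thread or from the Keycloak project; the base URL, realm name, admin credentials and the use of the built-in admin-cli client are assumptions:

```python
"""Refresh Keycloak's cached view of LDAP/MSAD users after a bulk change:
run a federation sync for every LDAP provider in the realm, then evict the
realm's user cache so stale enabled/disabled flags disappear immediately."""
import json
import urllib.parse
import urllib.request

BASE = "http://localhost:8080/auth"  # assumed base URL (2018-era /auth prefix)
REALM = "demo"                        # assumed realm that holds the LDAP provider


def sync_url(base, realm, component_id, changed_only=False):
    """Admin endpoint that triggers a sync for one user-storage provider."""
    action = "triggerChangedUsersSync" if changed_only else "triggerFullSync"
    return f"{base}/admin/realms/{realm}/user-storage/{component_id}/sync?action={action}"


def clear_cache_url(base, realm):
    """Admin endpoint that evicts every cached user of the realm."""
    return f"{base}/admin/realms/{realm}/clear-user-cache"


def ldap_component_ids(components):
    """Keep only LDAP providers from a /components listing (providerId 'ldap')."""
    return [c["id"] for c in components if c.get("providerId") == "ldap"]


def admin_token(base, username, password):
    """Password grant against the master realm using the admin-cli client."""
    form = {"grant_type": "password", "client_id": "admin-cli",
            "username": username, "password": password}
    url = f"{base}/realms/master/protocol/openid-connect/token"
    with urllib.request.urlopen(url, urllib.parse.urlencode(form).encode()) as resp:
        return json.load(resp)["access_token"]


def call(url, token, method="POST"):
    """Authenticated admin API call; returns parsed JSON or None for an empty body."""
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
        return json.loads(body) if body else None


def resync_after_bulk_ldap_change(base, realm, username, password, changed_only=False):
    """Sync all LDAP providers of the realm, then clear the user cache."""
    token = admin_token(base, username, password)
    comps = call(f"{base}/admin/realms/{realm}/components"
                 "?type=org.keycloak.storage.UserStorageProvider", token, method="GET")
    results = [call(sync_url(base, realm, cid, changed_only), token)
               for cid in ldap_component_ids(comps)]
    call(clear_cache_url(base, realm), token)  # evict stale enabled/disabled state now
    return results  # one SynchronizationResult (added/updated/removed/failed) per provider


if __name__ == "__main__":
    print(resync_after_bulk_ldap_change(BASE, REALM, "admin", "admin-password"))
```

Run it once at the end of the "all at once" LDAP change window; the ordinary eviction-based cache policy can then stay as it is.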