With either approach it sounds like what you're describing is getting the loginDisabled
attribute into Keycloak. Once that attribute is stored, how would I go about telling
Keycloak to disallow access based on the attribute's value?
Below is an example of LDAP record where login should be disabled.
Thanks,
- Trey
dn: cn=<username>,ou=People,<base DN>
displayName: first last
employeeType: REGULAR
gecos: first last
ou: OSC Operations
cn: <username>
employeeStatus: ACTIVE
gidNumber: 103
company: Ohio Supercomputer Center
uid: <username>
mail: <email>
homeDirectory: /users/<username>
title: Employee
uidNumber: 20821
sn: lastname
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: posixAccount
objectClass: oscUser
objectClass: shadowAccount
givenName: firstname
jobCode: FALSE
loginDisabled: TRUE
loginShell: /bin/bash
--
Trey Dockendorf
HPC Systems Engineer
Ohio Supercomputer Center
On 4/10/18, 10:42 AM, "Marek Posolda" <mposolda(a)redhat.com> wrote:
I think you would either need to use User Attribute LDAP Mapper, but not
sure if it's possible. I am not 100% sure about your LDAP structure. Or
you need to implement custom LDAP Storage mapper then.
Marek
On 10.4.2018 at 15:30, Dockendorf, Trey wrote:
We are on Keycloak 3.4.2 using OpenLDAP 2.4.40. We have implemented the
ppolicy overlay on the server side to deny authenticated binds when someone's password
has expired, but we have custom attributes like loginDisabled that also dictate whether someone
should be granted access.
Thanks,
- Trey
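The following is an added example, not code from this thread or from the Keycloak project, of the "custom LDAP Storage mapper" route Marek mentions, answering Trey's question of how to make Keycloak deny access once the attribute is visible. It mirrors the way Keycloak's own MSAD mapper derives the enabled flag from userAccountControl: the mapper asks for loginDisabled in the LDAP query and wraps the user so that isEnabled() returns false when the entry carries loginDisabled: TRUE, which makes the standard username/password flow fail with USER_DISABLED instead of issuing a session. The package name, the provider id "login-disabled-ldap-mapper", and the exact Keycloak 3.4.x SPI signatures used here (AbstractLDAPStorageMapper, AbstractLDAPStorageMapperFactory, UserModelDelegate, LDAPQuery.addReturningLdapAttribute, LDAPObject.getAttributeAsString) are assumptions; check them against the 3.4.2 sources before building.

```java
// Added example (not from the thread or the Keycloak project): a custom LDAP storage
// mapper for Keycloak 3.4.x that makes a user look disabled to Keycloak whenever the
// LDAP entry carries loginDisabled: TRUE. Same pattern Keycloak uses for AD's
// userAccountControl, applied to the custom attribute from the LDIF above.
// Assumed: the 3.4.x SPI signatures below, the package name and the provider id.
package org.example.keycloak.ldap;   // hypothetical package

import java.util.Collections;
import java.util.List;

import org.keycloak.component.ComponentModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.UserModelDelegate;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.storage.ldap.LDAPStorageProvider;
import org.keycloak.storage.ldap.idm.model.LDAPObject;
import org.keycloak.storage.ldap.idm.query.internal.LDAPQuery;
import org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper;
import org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapperFactory;

public class LoginDisabledMapper extends AbstractLDAPStorageMapper {

    static final String LDAP_ATTR = "loginDisabled";

    public LoginDisabledMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider) {
        super(mapperModel, ldapProvider);
    }

    // Kept as a pure function so the decision can be unit-tested. Fail closed only on an
    // explicit TRUE; a missing attribute means "not disabled", matching the LDIF semantics.
    static boolean isLoginDisabled(String value) {
        return value != null && value.trim().equalsIgnoreCase("TRUE");
    }

    // Ask the LDAP query to return the attribute, otherwise it is not on the LDAPObject.
    @Override
    public void beforeLDAPQuery(LDAPQuery query) {
        query.addReturningLdapAttribute(LDAP_ATTR);
    }

    // Wrap the user model so every consumer (including the username/password authenticator,
    // which rejects a user with isEnabled()==false as USER_DISABLED) sees the LDAP flag.
    @Override
    public UserModel proxy(LDAPObject ldapUser, UserModel delegate, RealmModel realm) {
        final boolean disabled = isLoginDisabled(ldapUser.getAttributeAsString(LDAP_ATTR));
        return new UserModelDelegate(delegate) {
            @Override
            public boolean isEnabled() {
                // Never re-enable a user Keycloak has disabled locally; only add a veto.
                return !disabled && super.isEnabled();
            }
        };
    }

    @Override
    public void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, RealmModel realm, boolean isCreate) {
        // Nothing to copy into the local user; the proxy reads the attribute on every load.
    }

    @Override
    public void onRegisterUserToLDAP(LDAPObject ldapUser, UserModel localUser, RealmModel realm) {
        // Users created through Keycloak are left without the attribute (i.e. not disabled).
    }

    // Factory registered via META-INF/services so the mapper appears in the admin console.
    public static class Factory extends AbstractLDAPStorageMapperFactory {
        public static final String PROVIDER_ID = "login-disabled-ldap-mapper";  // hypothetical id

        @Override public String getId() { return PROVIDER_ID; }

        @Override public String getHelpText() {
            return "Treats users whose LDAP entry has loginDisabled=TRUE as disabled in Keycloak";
        }

        @Override public List<ProviderConfigProperty> getConfigProperties() {
            return Collections.emptyList();
        }

        @Override
        protected AbstractLDAPStorageMapper createMapper(ComponentModel mapperModel, LDAPStorageProvider federationProvider) {
            return new LoginDisabledMapper(mapperModel, federationProvider);
        }
    }
}
```

To deploy it, package the class in a jar with a file META-INF/services/org.keycloak.storage.ldap.mappers.LDAPStorageMapperFactory containing the fully qualified name of the Factory class, drop the jar into the server's providers directory (or deploy it as a module), then add the new mapper to the LDAP user federation provider in the admin console. Two caveats a practitioner will want: Keycloak caches users, so a change to loginDisabled in OpenLDAP is visible only after the cached user expires or is evicted; and this check lives entirely in Keycloak's flow, so the server-side ppolicy overlay remains the backstop that also covers bind-based clients that do not go through Keycloak.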