Hi Stian,
thanks for the reply. I created a JIRA issue:
https://issues.jboss.org/browse/KEYCLOAK-4046
cheers
Edgar
On 14 Dec 2016, at 06:38, Stian Thorgersen <sthorger@redhat.com> wrote:
Seems like a bug to me - can you create a JIRA please?
On 2 December 2016 at 09:04, Edgar Vonk - Info.nl <Edgar@info.nl> wrote:
hi,
Since we migrated from Keycloak 2.0.0.Final to 2.3.0.Final we noticed the following
behaviour:
1/ create a new user in Keycloak from the Keycloak admin UI
2/ set a password in the Credentials tab and leave the ‘Temporary’ flag set to on
3/ if you look in Active Directory (we use an LDAP provider with MSAD account controls)
the user’s userAccountControl attribute is now set to 546. This means: ‘Disabled,
Password Not Required’
4/ when the user attempts to log in she gets an error message saying that the account is
inactive; also the ‘User Enabled’ flag in Keycloak now suddenly changes from enabled to
disabled
This is the process we used to follow in Keycloak 2.0.0.Final to create users but it
stopped working in 2.3.0.Final.
After having spent quite some time tracking the issue down we found out that it was the
‘Temporary’ flag in the Credentials tab that causes this issue. When we set this flag to
false (i.e. not a temporary password) we see that in AD the userAccountControl attribute
is set to its normal value 512 as we would expect. Now the user can log in normally.
Is this a bug introduced after 2.0.0.Final or a desired change in behaviour? I could not
find a JIRA issue regarding this change.
PS: we are confused about the ‘Temporary’ flag in any case. Exactly what is it meant for?
The fact that a user needs to change her password on first login does not seem to be
controlled by this flag in any case but rather by the Required User Action with value
‘Change password’?
cheers,
Edgar
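
The two userAccountControl values reported in this thread (546 and 512) can be decoded and checked across a directory export with a short script. This is an added example, not part of the original messages or of Keycloak; the flag values are a subset of Microsoft's documented userAccountControl bits, and the LDIF sample and its DNs are constructed placeholders.

```python
from enum import IntFlag
from functools import reduce

class UAC(IntFlag):
    """Subset of the documented userAccountControl bits (not exhaustive)."""
    ACCOUNTDISABLE = 0x0002
    LOCKOUT = 0x0010
    PASSWD_NOTREQD = 0x0020
    NORMAL_ACCOUNT = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
    PASSWORD_EXPIRED = 0x800000

KNOWN = reduce(lambda a, b: a | int(b), UAC, 0)
# Bits an enabled, password-protected user account should not carry.
UNWANTED = (UAC.ACCOUNTDISABLE, UAC.PASSWD_NOTREQD)

def decode(value):
    """Return names of the flags set in value; unmodelled bits are reported as hex."""
    names = [f.name for f in UAC if value & f]
    rest = value & ~KNOWN
    return names + ([hex(rest)] if rest else [])

def parse_ldif(text):
    """Map dn -> userAccountControl for each blank-line-separated entry."""
    result = {}
    for block in text.strip().split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if "dn" in attrs and "userAccountControl" in attrs:
            result[attrs["dn"]] = int(attrs["userAccountControl"])
    return result

def audit(text):
    """List (dn, unwanted flag names) for normal user accounts."""
    findings = []
    for dn, uac in parse_ldif(text).items():
        bad = [f.name for f in UNWANTED if uac & f]
        if uac & UAC.NORMAL_ACCOUNT and bad:
            findings.append((dn, bad))
    return findings

# Constructed sample export: DNs are placeholders, values are those from the thread.
SAMPLE = """\
dn: CN=temp-pw-user,OU=People,DC=example,DC=test
userAccountControl: 546

dn: CN=normal-user,OU=People,DC=example,DC=test
userAccountControl: 512
"""

if __name__ == "__main__":
    for dn, uac in parse_ldif(SAMPLE).items():
        print(dn, uac, decode(uac))
    print(audit(SAMPLE))
```

Run against an export of the LDAP-federated users after creating accounts with a temporary password, any entry it lists has been left disabled or without a password requirement in AD.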