[keycloak-user] Setting the 'Credentials - Temporary' flag on when creating a new user causes the user to be disabled in MSAD/LDAP(?)
Edgar Vonk - Info.nl
Edgar at info.nl
Fri Dec 2 03:04:36 EST 2016
Hi,
Since we migrated from Keycloak 2.0.0.Final to 2.3.0.Final we noticed the following behaviour:
1/ create a new user in Keycloak from the Keycloak admin UI
2/ set a password in the Credentials tab and leave the ‘Temporary’ flag set to on
3/ if you look in Active Directory (we use an LDAP provider with MSAD account controls) the user’s userAccountControl attribute is now set to 546. This means: 'Disabled, Password Not Required’
4/ when the user attempts to log in she gets an error message saying that the account is inactive; also the ‘User Enabled’ flag in Keycloak now suddenly changes from enabled to disabled
This is the process we used to follow in Keycloak 2.0.0.Final to create users but it stopped working in 2.3.0.Final.
After having spent quite some time tracking the issue down we found out that it was the ‘Temporary’ flag in the Credentials tab that causes this issue. When we set this flag to false (i.e. not a temporary password) we see that in AD the userAccountControl attribute is set to its normal value 512 as we would expect. Now the user can log in normally.
Is this a bug introduced after 2.0.0.Final or a desired change in behaviour? I could not find a JIRA issue regarding this change.
PS: we are confused about the ‘Temporary’ flag in any case. Exactly what is it meant for? The fact that a user needs to change her password on first login does not seem to be controlled by this flag in any case but rather by the Required User Action with value ‘Change password’?
cheers,
Edgar
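The post hinges on reading two raw userAccountControl values (546 vs. 512). The following is an added example, not code from the post or from the Keycloak project, that decodes a userAccountControl integer into its documented AD bit flags, shows which flags differ between the two values seen above, and runs a small audit over constructed sample LDAP entries to surface accounts that are disabled or marked "password not required". The entry list and account names are constructed for the example; the flag constants are the standard AD userAccountControl bits.

```python
# Decode Active Directory userAccountControl bit flags (added example).
# Flag values are the documented AD userAccountControl bits.
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}

ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020


def decode_uac(value):
    """Return the names of all flags set in a userAccountControl value,
    ordered by bit position. Unknown bits are reported as hex."""
    names = []
    for bit in range(32):
        mask = 1 << bit
        if value & mask:
            names.append(UAC_FLAGS.get(mask, f"UNKNOWN_{mask:#x}"))
    return names


def diff_uac(before, after):
    """Flags present in `after` but not in `before`, and vice versa."""
    added = decode_uac(after & ~before)
    removed = decode_uac(before & ~after)
    return {"added": added, "removed": removed}


def is_disabled(value):
    return bool(value & ACCOUNTDISABLE)


def password_not_required(value):
    return bool(value & PASSWD_NOTREQD)


def audit_entries(entries):
    """Given (sAMAccountName, userAccountControl) pairs, return the names of
    accounts that are disabled or have PASSWD_NOTREQD set, with the reason."""
    findings = []
    for name, uac in entries:
        reasons = []
        if is_disabled(uac):
            reasons.append("disabled")
        if password_not_required(uac):
            reasons.append("password-not-required")
        if reasons:
            findings.append((name, reasons))
    return findings


# Constructed sample entries, as an LDAP search might return them.
SAMPLE_ENTRIES = [
    ("alice", 512),    # normal, enabled account
    ("bob", 546),      # value the post observed after a 'Temporary' password
    ("carol", 514),    # explicitly disabled account
    ("dave", 66048),   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
]

if __name__ == "__main__":
    print("546 ->", decode_uac(546))
    print("512 ->", decode_uac(512))
    print("512 -> 546 changes:", diff_uac(512, 546))
    for name, reasons in audit_entries(SAMPLE_ENTRIES):
        print(f"{name}: {', '.join(reasons)}")
```

Running it shows that 546 is exactly NORMAL_ACCOUNT with ACCOUNTDISABLE and PASSWD_NOTREQD added on top of 512, which matches the "Disabled, Password Not Required" reading in the post; the audit function is the kind of check worth running after an identity-provider upgrade to catch accounts that silently picked up those bits.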