[keycloak-user] Setting the 'Credentials - Temporary' flag on when creating a new user causes the user to be disabled in MSAD/LDAP(?)

[Stian Thorgersen]

Seems like a bug to me - can you create a JIRA please?

On 2 December 2016 at 09:04, Edgar Vonk - Info.nl <Edgar at info.nl> wrote:

> hi,
>
> Since we migrated from Keycloak 2.0.0.Final to 2.3.0.Final we noticed the
> following behaviour:
>
> 1/ create a new user in Keycloak from the Keycloak admin UI
> 2/ set a password in the Credentials tab and leave the ‘Temporary’ flag
> set to on
> 3/ if you look in Active Directory (we use an LDAP provider with MSAD
> account controls) the users’s userAccountControl attribute is now set to
> 546. This means: 'Disabled, Password Not Required’
> 4/ when the user attempts to log in she gets an error message saying that
> the account is inactive; also the ‘User Enabled’ flag in Keycloak now
> suddenly changes from enabled to disabled
>
> This is the process we used to follow in Keycloak 2.0.0.Final to create
> users but it stopped working in 2.3.0.Final.
>
> After having spent quite some time tracking the issue down we found out
> that it was the ‘Temporary’ flag in de Credentials tab that causes this
> issue. When we set this flag to false (i.e. not a temporary password) we
> see that in AD the userAccountControl attribute is set to its normal value
> 512 as we would expect. Now the user can log in normally.
>
> Is this a bug introduced after 2.0.0.Final or a desired change in
> behaviour? I could not find a JIRA issue regarding this change.
>
> PS: we are confused about the ‘Temporary’ flag in any case. Exactly what
> is it meant for? The fact that a user needs to change her password on first
> login does not seem to be controlled by this flag in any case but rather by
> the  Required User Action with value ‘Change password’?
>
> cheers,
>
> Edgar
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user