[keycloak-user] Setting the 'Credentials - Temporary' flag on when creating a new user causes the user to be disabled in MSAD/LDAP(?)

Edgar Vonk - Info.nl Edgar at info.nl
Wed Dec 14 09:37:52 EST 2016


Hi Stian,

thanks for the reply. I created a JIRA issue: https://issues.jboss.org/browse/KEYCLOAK-4046

cheers

Edgar

On 14 Dec 2016, at 06:38, Stian Thorgersen <sthorger at redhat.com> wrote:

Seems like a bug to me - can you create a JIRA please?

On 2 December 2016 at 09:04, Edgar Vonk - Info.nl <Edgar at info.nl> wrote:
hi,

Since we migrated from Keycloak 2.0.0.Final to 2.3.0.Final we noticed the following behaviour:

1/ create a new user in Keycloak from the Keycloak admin UI
2/ set a password in the Credentials tab and leave the ‘Temporary’ flag set to on
3/ if you look in Active Directory (we use an LDAP provider with MSAD account controls) the user’s userAccountControl attribute is now set to 546. This means: 'Disabled, Password Not Required’
4/ when the user attempts to log in she gets an error message saying that the account is inactive; also the ‘User Enabled’ flag in Keycloak now suddenly changes from enabled to disabled

This is the process we used to follow in Keycloak 2.0.0.Final to create users but it stopped working in 2.3.0.Final.

After having spent quite some time tracking the issue down we found out that it was the ‘Temporary’ flag in the Credentials tab that causes this issue. When we set this flag to false (i.e. not a temporary password) we see that in AD the userAccountControl attribute is set to its normal value 512 as we would expect. Now the user can log in normally.

Is this a bug introduced after 2.0.0.Final or a desired change in behaviour? I could not find a JIRA issue regarding this change.

PS: we are confused about the ‘Temporary’ flag in any case. Exactly what is it meant for? The fact that a user needs to change her password on first login does not seem to be controlled by this flag in any case but rather by the Required User Action with value ‘Change password’?

cheers,

Edgar

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
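The values 546 and 512 in the thread above are bit masks in the AD userAccountControl attribute: 512 is NORMAL_ACCOUNT, and 546 is NORMAL_ACCOUNT plus ACCOUNTDISABLE (2) plus PASSWD_NOTREQD (32), which is exactly the 'Disabled, Password Not Required' state Edgar saw. The script below is an added example, not code from the thread or from Keycloak; it decodes userAccountControl values with the bit names Microsoft documents for the attribute, audits a set of directory entries for the flags an operator would want to catch after a Keycloak-driven user creation, and computes the value that clears the problem bits. The entries are constructed for the example (in practice they would come from an LDAP search against the Keycloak user base DN); the pwdLastSet=0 check reflects AD's own "must change password at next logon" marker and is included because the thread asks how first-login password changes are actually enforced, not because the thread says Keycloak sets it.

```python
"""Decode and audit Active Directory userAccountControl values.

Added example: the flag bits are Microsoft's documented values for the
userAccountControl attribute; the sample entries are constructed and stand in
for what an LDAP search of the Keycloak user base DN would return.
"""
from __future__ import annotations

# Bit values of the userAccountControl attribute (Microsoft documentation).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}

ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200


def decode_uac(value: int) -> list[str]:
    """Names of all flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def clear_flags(value: int, mask: int) -> int:
    """Return the userAccountControl value with the bits in `mask` cleared.

    clear_flags(546, ACCOUNTDISABLE | PASSWD_NOTREQD) gives 512, the normal,
    enabled user account the thread expected to see.
    """
    return value & ~mask


def audit_entry(entry: dict) -> list[str]:
    """Findings for one directory entry (empty list means nothing to report).

    `entry` mimics an LDAP search result: attribute name -> string value.
    """
    uac = int(entry.get("userAccountControl", "0"))
    findings = []
    if uac & ACCOUNTDISABLE:
        findings.append("account disabled (ACCOUNTDISABLE set)")
    if uac & PASSWD_NOTREQD:
        # With this bit set AD accepts an empty password for the account.
        findings.append("empty password permitted (PASSWD_NOTREQD set)")
    if not uac & NORMAL_ACCOUNT:
        findings.append("not a normal user account (NORMAL_ACCOUNT clear)")
    if str(entry.get("pwdLastSet", "")) == "0":
        # AD's own marker for "user must change password at next logon".
        findings.append("must change password at next logon (pwdLastSet=0)")
    return findings


def audit(entries: list[dict]) -> dict[str, list[str]]:
    """Map sAMAccountName -> findings for every entry that has any."""
    report = {}
    for entry in entries:
        findings = audit_entry(entry)
        if findings:
            report[entry["sAMAccountName"]] = findings
    return report


# Constructed sample entries: alice is a normal enabled user, bob looks like
# the account the thread describes (546 after a temporary-password creation),
# carol is enabled with a non-expiring password (512 + 65536).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": "512", "pwdLastSet": "131262930000000000"},
    {"sAMAccountName": "bob", "userAccountControl": "546", "pwdLastSet": "0"},
    {"sAMAccountName": "carol", "userAccountControl": "66048", "pwdLastSet": "131262930000000000"},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ENTRIES).items():
        print(name, "->", "; ".join(findings))
    print("546 decodes to", decode_uac(546))
    print("repaired value:", clear_flags(546, ACCOUNTDISABLE | PASSWD_NOTREQD))
```

Run against real entries, the audit separates the two distinct problems hidden inside 546: ACCOUNTDISABLE explains the "account is inactive" login error and the User Enabled flag flipping off in Keycloak, while PASSWD_NOTREQD is a weakening of the account on its own and worth alerting on even for accounts that are later re-enabled.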