[keycloak-user] Handling disabled users from LDAP

Dockendorf, Trey tdockendorf at osc.edu
Tue Apr 10 09:30:46 EDT 2018


We are on Keycloak 3.4.2 using OpenLDAP 2.4.40.  We have implemented the ppolicy overlay on the server side to deny authenticated binds when someone's password has expired, but we have custom attributes like loginDisabled that also dictate whether someone should be granted access.

Thanks,
- Trey

-- 
Trey Dockendorf

HPC Systems Engineer
Ohio Supercomputer Center
On 4/9/18, 3:17 PM, "Marek Posolda" <mposolda at redhat.com> wrote:

    What is your Keycloak version? And what is your LDAP vendor? Is it MSAD? 
    For MSAD, we have builtin support with the MSAD mapper as long as you 
    use "userAccountControl" attribute to track if user is enabled/disabled 
    (which is standard for MSAD environments AFAIK).
    
    Marek
    
    On 6 Apr 2018 at 14:38, Dockendorf, Trey wrote:
    > Currently we use Keycloak as an IdP tied to our LDAP environment.  We are curious how we would go about having Keycloak reject logins from accounts we deem disabled in LDAP.  Disabled could be for many reasons, one of which is password expiration.  I see I could add a filter to our User Federation for LDAP, but the user would likely just show up as not found and get no kind of “Your account is disabled” message I presume.
    >
    > Thanks,
    > - Trey
    >
    > --
    > Trey Dockendorf
    > HPC Systems Engineer
    > Ohio Supercomputer Center
    > _______________________________________________
    > keycloak-user mailing list
    > keycloak-user at lists.jboss.org
    > https://lists.jboss.org/mailman/listinfo/keycloak-user
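An added example, not code from this thread or from Keycloak, showing the two account-status conventions the thread discusses: the MSAD userAccountControl bit field Marek mentions, and the OpenLDAP case Trey describes (a site-specific boolean attribute, assumed here to be named loginDisabled as in his post, plus the ppolicy operational attributes pwdAccountLockedTime and pwdChangedTime). The entries, the 90-day pwdMaxAge, and the clock are constructed inputs. The bit value ADS_UF_ACCOUNTDISABLE = 0x2 is Microsoft's documented flag; the thread does not state which flags a given Keycloak version honours, so the MSAD branch is my own reading, not a description of the mapper. Values are plain strings here; python-ldap returns bytes, and ppolicy attributes are operational, so a real search must request them explicitly.

```python
"""Decide whether an LDAP user may log in, and with which message.

Constructed example (not Keycloak code).  Handles:
  * MSAD: userAccountControl with ADS_UF_ACCOUNTDISABLE (0x2) set.
  * OpenLDAP: an assumed site-specific attribute `loginDisabled`, the
    ppolicy lockout marker pwdAccountLockedTime, and password age computed
    from pwdChangedTime against an assumed pwdMaxAge (seconds).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ADS_UF_ACCOUNTDISABLE = 0x0002  # Microsoft-documented userAccountControl flag


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # message to show the user; empty when allowed


def _first(entry, attr):
    """First value of a multi-valued LDAP attribute, or None if absent."""
    vals = entry.get(attr)
    return vals[0] if vals else None


def _parse_generalized_time(value):
    """LDAP GeneralizedTime as OpenLDAP writes it: YYYYmmddHHMMSSZ (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def check_msad(entry):
    """Enabled/disabled from the userAccountControl bit field."""
    raw = _first(entry, "userAccountControl")
    if raw is None:
        # Fail closed: an MSAD entry without the attribute is not trusted.
        return Decision(False, "Account status unavailable")
    if int(raw) & ADS_UF_ACCOUNTDISABLE:
        return Decision(False, "Your account is disabled")
    return Decision(True, "")


def check_openldap(entry, now, pwd_max_age, disabled_attr="loginDisabled"):
    """Custom disable flag, ppolicy lockout, then password age."""
    if (_first(entry, disabled_attr) or "FALSE").upper() == "TRUE":
        return Decision(False, "Your account is disabled")
    if _first(entry, "pwdAccountLockedTime") is not None:
        # ppolicy sets this on lockout (or an admin sets 000001010000Z).
        return Decision(False, "Your account is locked")
    changed = _first(entry, "pwdChangedTime")
    if changed is not None and pwd_max_age > 0:
        if _parse_generalized_time(changed) + timedelta(seconds=pwd_max_age) <= now:
            return Decision(False, "Your password has expired")
    return Decision(True, "")


def evaluate(entry, now, pwd_max_age=0):
    """Pick the convention from the attributes present on the entry."""
    if "userAccountControl" in entry:
        return check_msad(entry)
    return check_openldap(entry, now, pwd_max_age)


# Constructed sample data: attribute -> list of string values, as in LDAP.
NOW = datetime(2018, 4, 10, 13, 30, tzinfo=timezone.utc)
NINETY_DAYS = 90 * 24 * 3600  # assumed pwdMaxAge for the site policy
SAMPLE_ENTRIES = {
    "uid=alice": {"userAccountControl": ["512"]},            # NORMAL_ACCOUNT
    "uid=bob": {"userAccountControl": ["514"]},              # 512 | 0x2
    "uid=carol": {"loginDisabled": ["TRUE"]},
    "uid=dave": {"loginDisabled": ["FALSE"],
                 "pwdChangedTime": ["20170101000000Z"]},     # > 90 days old
    "uid=erin": {"loginDisabled": ["FALSE"],
                 "pwdChangedTime": ["20180301000000Z"]},     # 40 days old
    "uid=frank": {"pwdAccountLockedTime": ["000001010000Z"]},
}


def evaluate_all(entries=SAMPLE_ENTRIES, now=NOW, pwd_max_age=NINETY_DAYS):
    """Evaluate every sample entry; returns {dn: Decision}."""
    return {dn: evaluate(e, now, pwd_max_age) for dn, e in entries.items()}


if __name__ == "__main__":
    for dn, d in evaluate_all().items():
        print(f"{dn}: {'allow' if d.allowed else 'deny'} {d.reason}")
```

The point of evaluating these attributes before (or instead of) relying on a rejected bind is that the caller can return a specific message such as "Your account is disabled" rather than the generic not-found or invalid-credentials result a search filter or a ppolicy bind failure produces.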
    
    
    



