[keycloak-user] LDAP Authentication - Extended Errors

Marek Posolda mposolda at redhat.com
Fri Aug 10 02:51:59 EDT 2018


On 09/08/18 13:53, Mark Hunt wrote:
>
> Hi,
>
> So the situation is when the user is Enabled in the cache but disabled 
> in MSAD. When you attempt a login with a password Grant it returns 
> Invalid Credentials. I would expect this to return Account Disabled. 
> Extended LDAP diagnostic messages should provide this information, 
> certainly against MSAD anyway.
>
> This is also different behaviour to when you use the refresh token 
> grant. If the user is Enabled in the cache but disabled in AD the 
> token request returns Account Disabled. This is the expected behaviour.
>
> The cache would naturally update and you get the right message at 
> login (password grant), but only once the sync has occurred. We want 
> to try and avoid resyncing too often, but still get the correct error 
> messages.
>
I see. However, if you update LDAP directly, there is currently no way to 
tell Keycloak to update the cache and invalidate records. So it's always 
some compromise between performance (caching enabled with longer 
eviction intervals) and more accurate state in Keycloak (caching disabled 
or set with shorter intervals).

You can try to tweak the Cache policy setting of the LDAP provider and 
temporarily set it to "NEVER" to see if disabling caching leads to the 
expected behaviour.

Long term, you may need to make some compromise in the cache settings. 
One possibility is that whenever you do a bulk update of LDAP 
users in your LDAP, you manually trigger a SYNC in Keycloak to update 
the state, or manually clear the user cache in the Keycloak admin console. 
This requires that you do all the LDAP changes "at once" instead of 
making the changes continuously during the whole day.

Marek
>
> Regards
>
> Mark
>
>
> ------------------------------------------------------------------------
> *From:* Marek Posolda <mposolda at redhat.com>
> *Sent:* Thursday, August 9, 2018 8:57:33 AM
> *To:* Mark Hunt; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] LDAP Authentication - Extended Errors
> On 07/08/18 22:47, Mark Hunt wrote:
> > Hi,
> >
> > I have been doing some development with Keycloak and specifically 
> > OpenID Connect, Password Grant and an LDAP user federation with Active 
> > Directory. Overall everything is working great but I am a little 
> > surprised that on a token refresh I get told that the user account is 
> > disabled but on a login I do not. The exception to this would be if I 
> > try to login with a disabled account after a user federation sync has 
> > occurred.
> >
> > Is this a configuration issue or do you need to implement LDAP 
> > diagnostic messages for login?
> Not sure I understand. If you go to the admin console, are you seeing
> the user as enabled or disabled there? Is the user enabled or disabled in MSAD?
>
> One thing to note is that if you disabled the user directly in MSAD
> after it was already synced to Keycloak, the user may be cached in
> Keycloak. So some time may be needed until the latest information
> about the enabled/disabled state is propagated from MSAD to the Keycloak
> side. You can try to clear the cache to check if that's the case. For the long
> term, you can tweak the caching policy configuration of the LDAP provider.
>
> Marek
> >
> > Thanks for developing a fantastic product!!
> >
> > Regards
> >
> > Mark
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
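An added example, not code from this thread or from the Keycloak project, of the workaround Marek describes: after a bulk LDAP change, push the new state into Keycloak from a script instead of waiting for the LDAP provider's cache to evict stale entries. It uses two documented admin REST endpoints, `POST /admin/realms/{realm}/user-storage/{id}/sync?action=triggerFullSync` (or `triggerChangedUsersSync`) and `POST /admin/realms/{realm}/clear-user-cache`, after fetching an admin token with the `admin-cli` password grant on the master realm. The host, the `/auth` context path (used by Keycloak builds of that era; newer Quarkus builds serve the API at `/` by default), realm name, provider component id and credentials are placeholders, and running both the sync and the cache clear is this example's choice, not something the thread prescribes.

```python
"""Added example (not code from this thread or from the Keycloak project).

After a bulk change in LDAP/MSAD, push the new state into Keycloak instead
of waiting for the LDAP provider's cache eviction: trigger a sync of the
user-storage provider and then clear the realm's user cache through the
admin REST API. Host, realm, provider id and credentials are assumptions.
"""
import json
import urllib.parse
import urllib.request

# Assumed deployment values. The "/auth" context path is what Keycloak of the
# 2018 era used; newer (Quarkus) builds serve the API at "/" by default.
BASE_URL = "https://keycloak.example/auth"
REALM = "demo"
# Component id of the LDAP provider as shown in the admin console URL (assumed).
LDAP_PROVIDER_ID = "c0ffee00-0000-4000-8000-000000000000"


def admin_token_request(base_url, username, password):
    """Password grant against the master realm's admin-cli client.

    Same grant type the original poster uses for end users; here it only
    obtains a short-lived admin token for the two calls below.
    """
    form = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": "admin-cli",
        "username": username,
        "password": password,
    }).encode()
    return urllib.request.Request(
        f"{base_url}/realms/master/protocol/openid-connect/token",
        data=form,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def refresh_requests(base_url, realm, provider_id, token, changed_only=False):
    """Build the two admin calls, in the order they should run.

    1. sync the LDAP provider (triggerFullSync, or triggerChangedUsersSync to
       import only entries whose LDAP modification timestamp changed);
    2. clear the user cache so already-cached copies of the enabled/disabled
       flag are dropped and re-read from the local store on the next login.
    """
    action = "triggerChangedUsersSync" if changed_only else "triggerFullSync"
    headers = {"Authorization": f"Bearer {token}"}
    sync_url = (f"{base_url}/admin/realms/{realm}/user-storage/"
                f"{urllib.parse.quote(provider_id, safe='')}/sync?action={action}")
    clear_url = f"{base_url}/admin/realms/{realm}/clear-user-cache"
    return [
        urllib.request.Request(sync_url, data=b"", method="POST", headers=headers),
        urllib.request.Request(clear_url, data=b"", method="POST", headers=headers),
    ]


def refresh_keycloak_ldap_state(base_url, realm, provider_id, admin_user,
                                admin_password, changed_only=False,
                                opener=urllib.request.urlopen):
    """Run the calls; returns [(url, http_status), ...] for auditing.

    `opener` is injectable so the procedure can be exercised without a live
    server; by default it is urllib's urlopen.
    """
    with opener(admin_token_request(base_url, admin_user, admin_password)) as resp:
        token = json.load(resp)["access_token"]
    outcome = []
    for req in refresh_requests(base_url, realm, provider_id, token, changed_only):
        with opener(req) as resp:
            # sync answers 200 with a SynchronizationResult body, clear-user-cache 204
            outcome.append((req.full_url, resp.status))
    return outcome


if __name__ == "__main__":
    # Live run against the assumed server. Credentials would normally come from
    # the environment or a secret store; placeholders are kept inline here.
    for url, status in refresh_keycloak_ldap_state(
            BASE_URL, REALM, LDAP_PROVIDER_ID, "admin", "admin-password"):
        print(status, url)
```

Run it from the same job that applies the bulk LDAP change, so the window in which a user disabled in AD still gets "Invalid credentials" rather than "Account disabled" from the password grant is only as long as the sync itself, while the provider's cache policy can stay at a long eviction interval for normal operation.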
