Keycloak user federation mapper - MSAD user account control

Hi!
I use Keycloak with a user federation linked to an Active Directory. The UF is in ‘WRITABLE’ mode and has a periodic full sync. We use the MSAD user account control mapper and also a user attribute LDAP mapper to manually set the userAccountControl value.

With Keycloak 23.0.6, we were able to disable an account on the AD by setting the attribute userAccountControl on the Keycloak user (e.g. 514) and keep the user enabled on the Keycloak server (as long as the user wasn’t able to log into Keycloak after the userAccountControl attribute update).

With Keycloak 24.0.4, when the account is disabled on the AD, it’s also disabled on Keycloak. I tried to uncheck the Always Read Enabled Value From LDAP or re-enable the Keycloak user after disabling it on the AD, but it always gets disabled on Keycloak if it’s disabled on the AD.

Maybe I was taking advantage of an issue in v23.0.6 which was fixed in 24.0.4.

Is it possible in v24.x to have a user who is disabled on the AD and enabled on Keycloak? I thought about using a custom mapper, but I don’t know if it’s the best solution.

Thanks in advance for your help!