Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
ldap
Describe the bug
We only update the status of the user (enabled or disabled) if the pwdLastSet attribute is set on its corresponding LDAP entry in AD.
As a consequence, we do not show a proper error message when trying to update the user to indicate that the account cannot be updated because the password is not yet set.
I'm not sure why we have this constraint, so the proposal is to ignore the pwdLastSet attribute when updating the user and create the user as enabled, just like when using vendors other than AD.
From a security perspective, the account is effectively not able to authenticate because no credential is set, and AD user controls like password_expired will still work to force a password reset.
See #31456 (comment).
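To make the two states in this report concrete, the following added example (not Keycloak code) decodes the AD attributes involved: userAccountControl for enabled/disabled and pwdLastSet for whether a password exists. The attribute names and bit values are AD's own; the sample entries are constructed.

```python
"""Decode the AD attributes that decide whether an LDAP-federated user
can log in after creation. Added illustration, not Keycloak code."""
from datetime import datetime, timedelta, timezone

# Well-known userAccountControl bits (Microsoft documentation).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
PASSWORD_EXPIRED = 0x800000

# pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def account_state(entry):
    """Summarise an AD entry (dict attribute -> str, as an LDAP search
    returns it) into the fields an admin cares about."""
    uac = int(entry.get("userAccountControl", "0"))
    pwd_last_set = int(entry.get("pwdLastSet", "0"))
    return {
        "enabled": not (uac & ACCOUNTDISABLE),
        "password_set": pwd_last_set != 0,  # 0 = must change at next logon
        "password_expired": bool(uac & PASSWORD_EXPIRED),
        "password_never_expires": bool(uac & DONT_EXPIRE_PASSWORD),
        "password_last_set": (filetime_to_datetime(pwd_last_set)
                              if pwd_last_set > 0 else None),
    }


def can_authenticate_with_password(entry):
    """Password logon needs an enabled account *and* a password that has
    actually been set; 'enabled' alone is not enough."""
    state = account_state(entry)
    return state["enabled"] and state["password_set"]


# Constructed sample entries mirroring the situations in the report.
JUST_CREATED = {"userAccountControl": str(NORMAL_ACCOUNT | ACCOUNTDISABLE),
                "pwdLastSet": "0"}          # current behaviour: disabled
PROPOSED = {"userAccountControl": str(NORMAL_ACCOUNT), "pwdLastSet": "0"}
READY = {"userAccountControl": str(NORMAL_ACCOUNT),
         "pwdLastSet": "133650000000000000"}  # constructed 2024 FILETIME

if __name__ == "__main__":
    for name, e in [("created", JUST_CREATED), ("proposed", PROPOSED),
                    ("ready", READY)]:
        print(name, account_state(e), can_authenticate_with_password(e))
```

The PROPOSED entry shows the point made above: an account that is enabled but has pwdLastSet=0 still cannot authenticate with a password.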
Version
26.0.0
Regression
- The issue is a regression
Expected behavior
When creating the user in AD, the user should be created just like any other user, where the account is enabled by default.
Actual behavior
When creating the user in AD, the user is disabled and you are forced to first set a password and then enable the user.
How to Reproduce?
- Create a user in AD. The user is created as disabled.
- Try to enable the user
Anything else?
No response