[New auth] - User status (blocked/deleted/live) #1371

Open
opened 2026-04-05 06:49:45 +02:00 by muppeth · 1 comment
Owner

We need to be able to switch between username statuses as we have currently on LDAP. Since we don't recycle usernames we need to be able to keep used-up usernames but with purged data and information about the user (just a ghosted username). When blocking a user account we should be able to disable access for the user to log in but have the possibility to regain access.
Currently we implement this by creating multiple ou's and assigning users to them. This works a bit differently in Keycloak and so we should find a better way to handle this.

muppeth self-assigned this 2026-04-05 06:49:45 +02:00
muppeth (Author, Owner) commented:

One of the ideas I have is to rather change the LDAP setup to reflect Keycloak. Since all live users are in one realm (moving to other realms does not prevent the usernames from being re-used), we should just use attributes instead. Just like we handle legacy auth attributes, we could have both Keycloak and LDAP check against an attribute like `userstatus`. Depending on the value the user account could be `live`, `blocked` or `deleted`.
This means we would need to change the following on the current setup prior to the switch:

  • Modify LDAP attributes for all usernames (in all ou's)
  • Modify all auth config files for all services to check against this attribute upon login
  • Adjust scripts used for user deletion and blocking to switch the value of the attribute rather than moving to an ou
  • Adjust documentation.
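The following is an added example, not code from the Disroot project or from this thread, sketching how the `userstatus` attribute proposed in the comment above could be checked and changed consistently by LDAP-bound services and by the blocking/deletion scripts. The attribute name and the values `live`, `blocked` and `deleted` come from the comment; the entry layout, the transition table, the helper names and the sample entries are assumptions.

```python
"""Added example (not Disroot's code): modelling the proposed `userstatus`
attribute so that services binding against LDAP refuse blocked and deleted
accounts at login, blocked accounts can be restored, and deleted accounts
become ghosted usernames that are never recycled."""

STATUS_ATTR = "userstatus"
LIVE, BLOCKED, DELETED = "live", "blocked", "deleted"

# Allowed transitions (assumption): a blocked account can regain access;
# a deleted account is terminal because usernames are not recycled.
TRANSITIONS = {
    LIVE: {BLOCKED, DELETED},
    BLOCKED: {LIVE, DELETED},
    DELETED: set(),
}

# Attributes kept on a ghosted entry: just enough to reserve the name.
GHOST_KEEP = {"dn", "uid", "objectClass", STATUS_ATTR}


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for values interpolated into a search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append(f"\\{ord(ch):02x}")
        else:
            out.append(ch)
    return "".join(out)


def login_filter(uid: str) -> str:
    """Search filter a service would use at login: the entry is only found
    when it exists *and* is live, so blocked/deleted users are refused
    without a second round trip and without a per-service ou list."""
    return f"(&(uid={ldap_filter_escape(uid)})({STATUS_ATTR}={LIVE}))"


def login_allowed(entry: dict) -> bool:
    """Fail closed: a missing or unknown status is treated as not live, so an
    entry that was never migrated cannot log in by accident."""
    return entry.get(STATUS_ATTR) == LIVE


def set_status(entry: dict, new_status: str) -> dict:
    """Return a copy of the entry with the status replaced.  On deletion all
    attributes except the ones in GHOST_KEEP are purged, leaving a ghosted
    username.  Illegal transitions raise instead of silently succeeding."""
    if STATUS_ATTR not in entry:
        raise ValueError(f"{entry.get('uid')} has no {STATUS_ATTR}; migrate first")
    current = entry[STATUS_ATTR]
    if new_status not in TRANSITIONS.get(current, set()):
        raise ValueError(f"cannot move {entry['uid']} from {current} to {new_status}")
    if new_status == DELETED:
        updated = {k: v for k, v in entry.items() if k in GHOST_KEEP}
    else:
        updated = dict(entry)
    updated[STATUS_ATTR] = new_status
    return updated


def status_ldif(dn: str, new_status: str) -> str:
    """LDIF a blocking/deletion script could feed to ldapmodify instead of
    moving the entry between ou's."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        f"replace: {STATUS_ATTR}\n"
        f"{STATUS_ATTR}: {new_status}\n"
        "-\n"
    )


# Constructed sample entries standing in for the single-ou layout.
SAMPLE = {
    "alice": {
        "dn": "uid=alice,ou=users,dc=example,dc=org", "uid": "alice",
        "objectClass": ["inetOrgPerson"], "mail": "alice@example.org",
        STATUS_ATTR: LIVE,
    },
    "bob": {
        "dn": "uid=bob,ou=users,dc=example,dc=org", "uid": "bob",
        "objectClass": ["inetOrgPerson"], "mail": "bob@example.org",
        STATUS_ATTR: BLOCKED,
    },
}

if __name__ == "__main__":
    print(login_filter("alice"))
    print(login_allowed(SAMPLE["bob"]), login_allowed(set_status(SAMPLE["bob"], LIVE)))
    print(set_status(SAMPLE["alice"], DELETED))
    print(status_ldif(SAMPLE["bob"]["dn"], BLOCKED))
```

The filter in `login_filter` is the piece each service's auth config would carry (the "check against this attribute upon login" step), while `status_ldif` is what the adjusted blocking/deletion scripts would emit; both read the same attribute, which is what keeps the LDAP and Keycloak views of an account in step.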
Reference: Disroot/Disroot-Project#1371