Mapping ldap 'nsaccountlock=true' to disable a user

Andrew Elwell

Jul 6, 2023, 5:45:00 AM7/6/23
to Keycloak User
Hi folks,

I'm testing Keycloak against our 389ds LDAP backend ("Red Hat Directory Server" profile), but I can't work out how to map disabled users in LDAP (i.e., where we've set 'nsaccountlock=true' in the LDAP record) to enabled=False in Keycloak.

My attempts using a 'user-attribute-ldap-mapper' aren't working, as I can't work out the syntax needed for reversing true (if nsaccountlock is present) -> False for the user.enabled entry. Can someone offer suggestions or another workaround?

We're using https://www.port389.org/docs/389ds/howto/howto-account-inactivation.html as our method for locking/disabling users in LDAP, which is our primary source of truth for account status, and I want this to be replicated into Keycloak.

Many thanks
Andrew