9.5. Enabling and Disabling User Accounts
User accounts can be deactivated or disabled. A disabled user cannot log into IdM or its related services (like Kerberos) and he cannot perform any tasks. However, the user account still exists within Identity Management and all of the associated information remains unchanged.
Note
Any existing connections remain valid until the Kerberos TGT and other tickets expire. Once the ticket expires, the user cannot renew the ticket.
9.5.1. From the Web UI
Multiple users can be disabled from the full users list by selecting the checkboxes by the desired users and then clicking the Disable link at the top of the list.
Figure 9.2. Disable/Enable Options at the Top of the Users List
A user account can also be disabled from the user's individual entry page.
- Open the Identity tab, and select the Users subtab.
- Click the name of the user to deactivate or activate.
- In the actions drop-down menu, select the Disable item.
- Click the Accept button.
When a user account is disabled, it is signified by a minus (-) icon for the user status in the user list and by the username on the entry page. Additionally, the text for the user is gray (to show it is inactive) instead of black.
Figure 9.3. Disable Icon for User Status
9.5.2. From the Command Line
Users are enabled and disabled using
user-enable and user-disable commands. All that is required is the user login. For example:
[bjensen@server ~]$ ipa user-disable jsmith
