11.4. Enabling and Disabling User Accounts
The administrator can disable and enable active user accounts. Disabling a user account deactivates the account. Disabled user accounts cannot be used to authenticate. A user whose account has been disabled cannot log into IdM and cannot use IdM services, such as Kerberos, or perform any tasks.
Disabled user accounts still exist within IdM and all of the associated information remains unchanged. Unlike preserved user accounts, disabled user accounts remain in the active state. Therefore, they are displayed in the output of the ipa user-find command. For example:
$ ipa user-find
...
User login: user
First name: User
Last name: User
Home directory: /home/user
Login shell: /bin/sh
UID: 1453200009
GID: 1453200009
Account disabled: True
Password: False
Kerberos keys available: False
...
Any disabled user account can be enabled again.
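Because disabled accounts stay in the active state, they sit next to enabled accounts in ipa user-find output and are easy to miss during an account review. The following is an added example, not part of the original documentation: a shell filter that prints only the logins reported with "Account disabled: True". The function names, logins and IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the IdM documentation): report which accounts
# `ipa user-find` lists as disabled.

# Constructed sample in the output format shown above; logins and IDs are made up.
sample_user_find_output() {
cat <<'EOF'
  User login: alice
  First name: Alice
  Last name: Example
  Home directory: /home/alice
  Login shell: /bin/sh
  UID: 1453200010
  GID: 1453200010
  Account disabled: False
  Password: True
  Kerberos keys available: True

  User login: bob
  First name: Bob
  Last name: Example
  Home directory: /home/bob
  UID: 1453200011
  Account disabled: True
  Password: False

  User login: carol
  Home directory: /home/carol
  Account disabled: True
EOF
}

# Reads `ipa user-find` output on stdin and prints one disabled login per line.
disabled_logins() {
    awk -F': *' '
        # Strip indentation and trailing whitespace so field 1 is the bare label.
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        # Each record starts with its login; remember it for the lines that follow.
        $1 == "User login" { login = $2 }
        $1 == "Account disabled" && $2 == "True" && login != "" {
            print login
            login = ""
        }
    '
}

sample_user_find_output | disabled_logins
```

Against a live server, pipe the real command into the filter instead of the sample: ipa user-find | disabled_logins.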
Note
After disabling a user account, existing connections remain valid until the user's Kerberos TGT and other tickets expire. After the ticket expires, the user will not be able to renew it.
Enabling and Disabling User Accounts in the Web UI
- Select the tab.
- From the Active users list, select the required user or users, and then click or .
Figure 11.12. Disabling or Enabling a User Account
Disabling and Enabling User Accounts from the Command Line
To disable a user account, use the ipa user-disable command.
$ ipa user-disable user_login
----------------------------
Disabled user account "user_login"
----------------------------
To enable a user account, use the ipa user-enable command.
$ ipa user-enable user_login
----------------------------
Enabled user account "user_login"
----------------------------