Skip to content
Snippets Groups Projects
Select Git revision
  • master default protected
  • tpa-rfc-80-merge-tor-and-tails-support-policies
  • puppet-merge-costs
  • rfc-77-improv
  • tails-merge-admin-mailing-lists
  • mkdocs
  • new-blog-doc
7 results
Blame Permalink
retire-a-user.md 1.86 KiB

"Retiring" a user can actually mean two things:

  • "retired", which disables their access to Tor hosts but keeps email working and then automatically stops after 186 days

  • "disabled", which immediately disables everything

How to retire a user

This is done by "locking" the account in howto/ldap, so it should simply be:

ssh alberti.torproject.org ud-lock account

Note that it's unclear if we should add an email alias in the virtual file when the account expires, see ticket #32558 for details.

How to un-retire a user

To reverse the above, you need to restore those LDAP fields the way they were before. You can only do this by restoring from the howto/LDAP database. No, that is not fun at all. Be careful to avoid duplicate fields when you re-add them in ldapvi.

How to disable a user

This is done by removing all traces of the account:

  1. Login to alberti.torproject.org and lock the LDAP account using ud-info -u
  2. Login as admin to gitlab.torproject.org and disable the user account.
  3. Login to eugeni.torproject.org.
    • edit /etc/postfix/virtual and remove the account alias.
    • run sudo postmap virtual to rebuild the virtual users table.
    • run sudo remove_members <list names> <email address>
  4. make sure they don't have keys and accounts in Puppet
  5. remove the key from acccount-keyring.git

There are other manual accounts that are not handled by LDAP. Make sure you check:

  • Nextcloud
  • Trac
  • Gitolite
  • Gitlab - remove the user from the config, as a cleanup (disabled users already do not have access to gitolite)

TODO: list is incomplete, need to audit the service list and see which services are in LDAP and which aren't. See ticket #32519.