Select Git revision
retire-a-user.mdwn
anarcat authored
Code owners
Assign users and groups as approvers for specific file changes. Learn more.
retire-a-user.mdwn 1.72 KiB
"Retiring" a user can actually mean two things:
* "retired", which disables their access to Tor hosts but keeps
email working and then automatically stops after 186 days
* "disabled", which immediately disables everything
# How to retire a user
This is done by "locking" the account in [[ldap]], so it should simply
be:
ssh alberti.torproject.org ud-lock account
Note that it's unclear if we should add an email alias in the
`virtual` file when the account expires, see [ticket #32558](https://bugs.torproject.org/32558) for
details.
# How to un-retire a user
To reverse the above, you need to restore those LDAP fields the way
they were before. You can only do this by restoring from the [[LDAP]]
database. No, that is not fun at all. Be careful to avoid duplicate
fields when you re-add them in ldapvi.
# How to disable a user
This is done by removing all traces of the account:
1. Login to alberti.torproject.org and lock the LDAP account using `ud-info -u`
2. Login as admin to trac.torproject.org and disable the user account.
3. Login to eugeni.torproject.org.
- edit `/etc/postfix/virtual` and remove the account alias.
- run `sudo postmap virtual` to rebuild the virtual users table.
- run `sudo remove_members <list names> <email address>`
4. make sure they don't have keys and accounts in Puppet
5. remove the key from `acccount-keyring.git`
There are other manual accounts that are *not* handled by LDAP. Make
sure you check:
* Nextcloud
* Trac
TODO: list is incomplete, need to audit [the service list](https://trac.torproject.org/projects/tor/wiki/org/operations/services) and see
which services are in LDAP and which aren't. See [ticket #32519](https://trac.torproject.org/projects/tor/ticket/32519).