document how i unlocked irl (#40205)

5a4be1f7 · anarcat · 41945891 · 5a4be1f7
Unverified Commit 5a4be1f7 authored 3 years ago by anarcat
--- a/howto/retire-a-user.md
+++ b/howto/retire-a-user.md
@@ -23,6 +23,21 @@ they were before. You can only do this by restoring from the [howto/LDAP](howto/
 database. No, that is not fun at all. Be careful to avoid duplicate
 fields when you re-add them in ldapvi.

+If the user was just "locked", you might be able to re-enable it by
+doing the following:
+
+ * delete the `accountStatus`, `shadowExpire` fields
+ * add the `keyFingerprint` field matching the (trusted) fingerprint
+ * change the user's password to something that is not locked
+
+To set a password, you need to find a way to generate a salted UNIX
+hashed password, and there are many ways to do that, but if you have a
+copy of the userdir-ldap source code lying around, this could just do
+it:
+
+    >>> from userdir_ldap import HashPass, GenPass
+    >>> print("{crypt}" + HashPass(GenPass()))
+
 # How to disable a user

 This is done by removing all traces of the account: