From a4eec8c41213fcd90c28e8aac2113edd2f4de2d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Mon, 6 Jun 2022 12:56:50 -0400
Subject: [PATCH] clarify what happens on lock vs email

I tested this by locking `aguestuser`'s account (tpo/tpa/team#40772),
and running ud-generate on alberti. The user was still present on
alberti in: `/var/cache/userdir-ldap/hosts/forward-alias`.
---
 howto/retire-a-user.md | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/howto/retire-a-user.md b/howto/retire-a-user.md
index be06e7a6..d59036c0 100644
--- a/howto/retire-a-user.md
+++ b/howto/retire-a-user.md
@@ -34,9 +34,8 @@ Note that this only keeps the user from accessing servers, it does
 the `passwd` database on servers. This is because the user might still
 own files and we do not want to have files un-owned.
 
-Note that it's unclear if we should add an email alias in the
-`virtual` file when the account expires, see [ticket #32558](https://bugs.torproject.org/32558) for
-details.
+It also does *not* remove the email alias (the `emailForward` field in
+[LDAP](howto/ldap)), for that you need to delete the account altogether.
 
 ## Deleting an account
 
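Review bot: the added sentence ending in "for that you need to delete the account altogether" leaves a locked account with working mail forwarding and no documented way to stop it short of deletion, which the "Deleting an account" text says may only happen after the user's files have been destroyed or given to another user. State explicitly that mail to the alias keeps being forwarded after a lock, and say whether clearing `emailForward` on its own is an acceptable interim step. The check described in the commit message (run ud-generate, then look for the user in `/var/cache/userdir-ldap/hosts/forward-alias`) is worth adding here as the verification step. Minor: "[LDAP](howto/ldap)), for that you need" is a comma splice and reads better as two sentences.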
@@ -45,6 +44,10 @@ to come back again. For this, the actual LDAP entries for the user
 must be removed with `ldapvi`, but only after the files for that user
 have been destroyed or given to another user.
 
+Note that it's unclear if we should add an email alias in the
+`virtual` file when the account expires, see [ticket #32558](https://bugs.torproject.org/32558) for
+details.
+
 ## Retiring from other services
 
 Then you need to go through the [service list](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/service) and pay close
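Review bot: the moved paragraph still says "when the account expires", but it now sits under "Deleting an account", so it is no longer clear whether the open question in ticket #32558 applies to locked or to deleted accounts. Reword it to match the section (for example "when the account is deleted") or keep it beside the locking text. It would also help to say how the `virtual` file alias relates to the `emailForward` alias now mentioned in the locking section, since both describe where the user's mail goes after retirement.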
-- 
GitLab