11.4. Enabling and Disabling User Accounts

The administrator can disable and enable active user accounts. Disabling a user account deactivates the account. Disabled user accounts cannot be used to authenticate. A user whose account has been disabled cannot log into IdM and cannot use IdM services, such as Kerberos, or perform any tasks.
Disabled user accounts still exist within IdM and all of the associated information remains unchanged. Unlike preserved user accounts, disabled user accounts remain in the active state. Therefore, they are displayed in the output of the ipa user-find command. For example:
$ ipa user-find
...
  User login: user
  First name: User
  Last name: User
  Home directory: /home/user
  Login shell: /bin/sh
  UID: 1453200009
  GID: 1453200009
  Account disabled: True
  Password: False
  Kerberos keys available: False
...
Any disabled user account can be enabled again.

Note

After disabling a user account, existing connections remain valid until the user's Kerberos TGT and other tickets expire. After the ticket expires, the user will not be able to renew it.

Enabling and Disabling User Accounts in the Web UI

  1. Select the Identity → Users tab.
  2. From the Active users list, select the required user or users, and then click Disable or Enable.

    Figure 11.12. Disabling or Enabling a User Account

Disabling and Enabling User Accounts from the Command Line

To disable a user account, use the ipa user-disable command.
$ ipa user-disable user_login
----------------------------
Disabled user account "user_login"
----------------------------
To enable a user account, use the ipa user-enable command.
$ ipa user-enable user_login
----------------------------
Enabled user account "user_login"
----------------------------
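
To confirm that a set of accounts really is disabled after running ipa user-disable, the "Account disabled" field in the ipa user-find output shown earlier can be checked with a script. The following is an added example, not part of the original documentation; the function names (account_states, not_disabled, sample_output) and the sample logins are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `ipa user-find` text output for accounts that should be disabled.

# Read `ipa user-find` output on stdin; print "<login> <disabled|enabled>" per entry.
account_states() {
    awk -F': ' '
        /^[ \t]*User login:/ { sub(/[ \t\r]+$/, "", $2); login = $2 }
        /^[ \t]*Account disabled:/ {
            sub(/[ \t\r]+$/, "", $2)
            print login, ($2 == "True" ? "disabled" : "enabled")
        }'
}

# Arguments: logins that must be disabled. Stdin: `ipa user-find` output.
# Prints every login that is still enabled or missing from the output;
# returns 1 if any such login was found, 0 otherwise.
not_disabled() {
    states=$(account_states)
    bad=0
    for login in "$@"; do
        state=$(printf '%s\n' "$states" | awk -v u="$login" '$1 == u { print $2 }')
        if [ "$state" != "disabled" ]; then
            printf '%s %s\n' "$login" "${state:-not-found}"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample in the format shown on this page (not real directory data).
sample_output() {
    cat <<'EOF'
  User login: jsmith
  First name: Jo
  Last name: Smith
  Account disabled: True
  Password: False

  User login: akhan
  First name: A
  Last name: Khan
  Account disabled: False
  Password: True
EOF
}

# Demo on the constructed sample: reports akhan (enabled) and ghost (not-found).
sample_output | not_disabled jsmith akhan ghost || true
```

In real use, pipe the live output in, for example `ipa user-find | not_disabled user_login`. A login reported as not-found may have been cut off by the server's search size limit rather than being absent.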