
Sync coldfront user status with FreeIPA account lock

Open aebruno opened this issue 6 years ago • 1 comments

Process should be: when removed from all active allocations, change ColdFront status to inactive. When CF status=inactive, change FreeIPA status to locked. When FreeIPA status is locked for > 12 months, delete.

aebruno avatar Sep 05 '19 18:09 aebruno

I assume we can't or shouldn't delete accounts from ColdFront for record-keeping purposes, but we should ensure a PI can't add an inactive ColdFront account to an allocation, if that's not already done.

dsajdak avatar Sep 09 '19 14:09 dsajdak

I recommend we close this one. We know we can't add users to a CF project if they are not active in CF. Our current process for account deactivation is: once or twice a year we run the coldfront freeipa_expire_users script. This gives us a list of all users who have not been on an active allocation in at least 365 days. We take that list and use it for manual deactivation of accounts in FreeIPA. This is not something we want to automate at this point. Once the account is deactivated in FreeIPA, ColdFront syncs that status and it becomes deactivated in CF too.

dsajdak avatar Feb 10 '23 20:02 dsajdak
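
The lifecycle discussed in this thread, sketched as a report-only review pass. This is an added example, not ColdFront's `freeipa_expire_users` script or any code from the project. The record fields, finding names and the reading of "12 months" as 365 days are assumptions, and the user records are constructed.

```python
from datetime import date, timedelta

EXPIRE_AFTER = timedelta(days=365)  # "at least 365 days" off any active allocation
DELETE_AFTER = timedelta(days=365)  # assumption: "> 12 months" locked, taken as 365 days

def review_accounts(users, today):
    """Report-only pass: returns {username: finding} and changes nothing."""
    report = {}
    for u in users:
        if u["active_allocations"] > 0:
            # A locked account on an active allocation means the two systems disagree.
            finding = "drift" if u["ipa_locked"] else "ok"
        elif u["ipa_locked"]:
            locked_for = today - u["locked_on"]
            finding = "delete-candidate" if locked_for > DELETE_AFTER else "locked"
        else:
            # Users never placed on an allocation are aged from account creation.
            idle = today - (u["last_allocation_end"] or u["created"])
            finding = "lock-candidate" if idle >= EXPIRE_AFTER else "grace"
        report[u["username"]] = finding
    return report

def user(name, active, last_end, locked_on=None, created=date(2019, 9, 5)):
    """Build one hypothetical account record (field names are assumptions)."""
    return {"username": name, "active_allocations": active,
            "last_allocation_end": last_end, "created": created,
            "ipa_locked": locked_on is not None, "locked_on": locked_on}

# Constructed sample records, not real accounts.
SAMPLE = [
    user("alice", 1, None),
    user("bob", 0, date(2021, 12, 1)),
    user("carol", 0, date(2022, 9, 1)),
    user("dave", 0, date(2021, 1, 15), locked_on=date(2021, 6, 1)),
    user("erin", 0, date(2022, 3, 1), locked_on=date(2022, 11, 1)),
    user("frank", 1, None, locked_on=date(2022, 11, 1)),
    user("gina", 0, None),
]

if __name__ == "__main__":
    for name, finding in review_accounts(SAMPLE, date(2023, 2, 10)).items():
        print(f"{name:8} {finding}")
```

The output is a list for a human to act on, matching the manual deactivation step described above; the `drift` finding flags accounts where the FreeIPA lock and the allocation data disagree.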