"Retiring" a user can actually mean two things:

  • "retired", which disables their access to Tor hosts but keeps email working and then automatically stops after 186 days

  • "disabled", which immediately disables everything

How to retire a user

This is done by "locking" the account in ldap, so it should simply be:

ssh alberti.torproject.org ud-lock account

How to disable a user

This is done by removing all traces of the account:

  1. Login to alberti.torproject.org and lock the LDAP account using ud-info -u
  2. Login as admin to trac.torproject.org and disable the user account.
  3. Login to eugeni.torproject.org.
    • edit /etc/postfix/virtual and remove the account alias.
    • run sudo postmap virtual to rebuild the virtual users table.
    • run sudo remove_members <list names> <email address>
  4. make sure they don't have keys and accounts in Puppet
  5. remove the key from acccount-keyring.git