Dmitry Krasov via FreeIPA-users wrote:

Thanks for answering Florence. But how can I setup auto disable\remove inactive users (after in about 2 mounths last login)?

This is a known limitation in IPA. If the data is collection then it will significantly reduce performance. If it is no then identifying inactivate users is difficult.

Off the top of my head, not endorsing any of these ideas, you can:

1. Enable saving, but not replicating, krblastsuccessful auth and then collect the data on each server and consolidate it into one in a database. Using the database you can search on expired users. There will be a performance hit but not as bad as also replicating, depending on how authentication is generally used. The more frequently users authenticate to Kerberos or LDAP the worse it will be.

2. More difficult but you can also do this by collecting logs from all the servers. The authentications can all be found there. Something like Elasticsearch would help.

We have tossed around ideas in the past to limit the effect of writing the lastsuccessfulauth attribute. The most promising idea is to write only when the time has exceeded some threshold. So for example, only update it once a week. With perhaps tuning for customization.

Any feedback on how fine-grained you'd need would be helpful to know.

A final note. There are some very large IPA deployments. If yours is small, say a homelab, then enabling saving the attribute and probably even replicating it is probably not going to be visible. When you have tens of thousands of users you'll definitely feel it. Where in that spectrum one sees the difference is unknown but it is more than just the number of users but also how IPA is used for authentication.

rob

On Аўт, 30 вер 2025, Dmitry Krasov via FreeIPA-users wrote:

Hello. made script that disables users last login more than 90 days ago. But I have 2 questions:

1. I using ipa user-find command to get users list, but how to get users which have "Account disabled: False" only?

Does 'ipa user-find --disabled=false' return what you need?

Dmitry Krasov via FreeIPA-users wrote:

ipa: error: no such option: --disabled

The --disabled option has been part of IPA since v4.5.0 in 2017. What version are you running?

rob

Dmitry Krasov via FreeIPA-users wrote:

Hi Rob. I have old version probably. I tryed to migrate it but encountered an error. I created a ticked 8 mounths ago, but they still didn't fixed it yet. https://pagure.io/freeipa/issue/9736

A patch was provided for you to try to see if it would resolve your issue. Did you try it?

---

And what about the second question? Could you recommend how to store kinit's password in script safely? Because it needed before other ipa commands in script

You should get a keytab for the user you want to run the script as an execute it like:

KRB5_CLIENT_KTNAME=/path/to/user.keytab ipa <command>

Using a keytab will automatically obtain a new TGT when needed so you don't need to put a secret inside a script.

rob