Disabled user accounts

This section describes how to ensure that disabled user accounts no longer have access to Conjur.

Overview

User accounts that are disabled in the LDAP Directory cannot establish new connections to Conjur. The LDAP server rejects attempts to bind from disabled accounts.

There are situations, however, when a user that was previously authenticated may still have access to Conjur after the account is disabled. Specifically, consider the scenario when a user authenticates to Conjur using valid LDAP credentials, and then those credentials are disabled in the LDAP source while the user is still logged in to Conjur. In this case, the user can continue to access Conjur. This topic describes how to interrupt and stop this access.

When a user authenticates to Conjur (through either the UI or the CLI), Conjur returns an API key. This API key is used for subsequent requests to Conjur during the current UI or CLI session. Authenticated users may continue to use Conjur even after their LDAP account is disabled as long as they have a valid API key. Continued usage is possible until the user's API key is rotated, after which the disabled user account can no longer interact with Conjur.

Disable with API key rotation

If a user's API key is rotated (reset) during an active session, the user is forced to reauthenticate. Reauthentication fails if the user's account has been disabled in the LDAP source.

A Conjur administrator with appropriate privileges can rotate an API key in the CLI. The command syntax is:

$ conjur user rotate-api-key -i <user-id>

The following command rotates the API key for the host my_VM:

$ conjur host rotate-api-key -i my_apps/my_VM
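The rotation step above is usually something an administrator wants to run for every account that LDAP has disabled, not one login at a time. The script below is an added example and not part of the Conjur documentation: it assumes the directory is Active Directory (a disabled account has the ACCOUNTDISABLE bit, 0x2, set in userAccountControl), that the LDAP sAMAccountName equals the Conjur user login, and that the conjur CLI is installed and already authenticated as an administrator; the LDAP entries are constructed sample data.

```python
"""Rotate Conjur API keys for LDAP accounts that have been disabled.

Added example, not part of the Conjur documentation. Assumptions:
- the LDAP directory is Active Directory, so a disabled account has the
  ACCOUNTDISABLE bit (0x2) set in userAccountControl;
- the LDAP sAMAccountName equals the Conjur user login;
- the `conjur` CLI is installed and already authenticated as an admin.
"""
import subprocess
from typing import Iterable, List

ACCOUNTDISABLE = 0x2  # Active Directory userAccountControl flag

# Constructed sample of LDAP search results (attribute dicts), not real data.
SAMPLE_LDAP_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": "512"},    # normal, enabled
    {"sAMAccountName": "bob",   "userAccountControl": "514"},    # normal, disabled
    {"sAMAccountName": "carol", "userAccountControl": "66050"},  # disabled, pwd never expires
    {"sAMAccountName": "dave",  "userAccountControl": "66048"},  # enabled, pwd never expires
]


def is_disabled(entry: dict) -> bool:
    """True when the ACCOUNTDISABLE bit is set in userAccountControl."""
    return int(entry["userAccountControl"]) & ACCOUNTDISABLE != 0


def disabled_logins(entries: Iterable[dict]) -> List[str]:
    """Return the Conjur logins of the disabled LDAP accounts, in input order."""
    return [e["sAMAccountName"] for e in entries if is_disabled(e)]


def rotation_command(login: str) -> List[str]:
    """Build the CLI command from the page: conjur user rotate-api-key -i <login>."""
    return ["conjur", "user", "rotate-api-key", "-i", login]


def rotate_disabled(entries: Iterable[dict], dry_run: bool = True) -> List[List[str]]:
    """Rotate the API key of every disabled account, ending any live session.

    With dry_run=True the commands are only returned, so the selection logic
    can be reviewed without touching Conjur.
    """
    commands = [rotation_command(login) for login in disabled_logins(entries)]
    if not dry_run:
        for cmd in commands:
            subprocess.run(cmd, check=True)  # raises if any rotation fails
    return commands


if __name__ == "__main__":
    for cmd in rotate_disabled(SAMPLE_LDAP_ENTRIES):
        print(" ".join(cmd))
```

Run it with `dry_run=False` only after checking the printed list; each successful rotation forces that user to reauthenticate, which the disabled LDAP account can no longer do.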