On 02.07.21 09:50, Ronald Wimmer via FreeIPA-users wrote:
Some external users have an AD user account that is allowed (HBAC) to
access IPA clients. These users are locked in AD when they are not
needed and only unlocked on demand.
Which tunables do we have on the IPA side to get the unlocked state
reflected immediately in IPA?
The terminology I used was incorrect. In our scenario users are disabled
by default and enabled on demand. And it seems that enabled users do not
work in IPA. At least not immediately.
Cheers,
Ronald