I played around with this a little bit more and I think the upstream settings <allow_any>auth_admin_keep</allow_any> <allow_inactive>auth_admin_keep</allow_inactive> <allow_active>yes</allow_active> are to lax. I'll set it to auth_admin_keep for all users. This should be a rather rare operation, so I don't expect that users are inconvenienced