How to enable user_namespaces in the kernel? (For unprivileged `unshare`.)

My Linux kernel must have been configured with [user_namespaces](http://man7.org/linux/man-pages/man7/user_namespaces.7.html) when built, but their use is restricted after boot and has to be explicitly enabled. Which sysctl should I use? (If this was turned on, this would allow to run an isolation command like unshare --user --map-root-user --mount-proc --pid --fork, and then perform [chroot without being root](https://unix.stackexchange.com/q/72696/4319)--a much anticipated feature of Linux.)