Glenn wrote:
We are still using Fedora Directory Server 1.0.4 and synchronizing
with
Active Directory. Our procedure for removing accounts includes a waiting
period when the AD account is disabled. Disabling the AD account does not
inactivate the corresponding FD account. The folks that do account
maintenance do not have access to the FD java console, so rather than
inactivating the FD account, they delete it using DSGW. Unfortunately, this
also deletes the disabled AD account.
Is there a way to make sync inactivate the FD account when the AD account is
disabled?
freeipa windows sync can do this, but it requires you set up freeipa
As an alternative, can we make account activation/inactivation
available to
our account people via DSGW? Some particulars would be appreciated.
Not likely.
I know that setting the "ntuserdeleteaccount" attribute to
"false" will
prevent the AD account from being removed when the FD account is removed.
But new accounts created in AD are duplicated by sync in FD with the
attribute set to "true". If anyone could suggest a way to make this default
to "false," that would be an improvement.
I don't know of a way to do this.
Thanks. -G.
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users