[Fedora-directory-users] 'Account Disabled' Windows Sync - only sync passwords

Rich Megginson rmeggins at redhat.com
Mon Dec 8 15:07:50 UTC 2008


lambam80 at hotmail.com wrote:
> Rich, hello again and thanks for all your help.
>
> This email relates to password vs. account synchronization.
>
> We'll use my script to create/delete accounts, thereby having an
> identical user base in both RedHat LDAP and Windows.
>
> Therefore, we'd like to use only the 'password' mechanism of 'Windows
> SYNC'.
>
> I can see clearly on the RedHat LDAP server how to disable
> account/group SYNC on the Windows side:
>
> - Launch console | Directory Server Configuration TAB | click on
>   replication agreement | uncheck both
>   New Windows Users Sync and
>   New Windows Groups Sync
>
> And from the document I can read how to disable account/group SYNC on
> the LDAP side:
>
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Using_Windows_Sync.html#Using_Windows_Sync-Synchronizing_Users
>
> < Setting ntUserCreateNewAccount and ntUserDeleteNewAccount on
> < Directory Server entries allows the Directory Manager fine-grained
> < control over which users within the synchronized subtree will be
> < synched on Active Directory
>
> Is that all I need to do to disable account/group sync but retain
> password sync?
Yes, I believe so.
>
> Thanks again for your help, Dave
>
> > Date: Wed, 3 Dec 2008 10:56:30 -0700
> > From: rmeggins at redhat.com
> > To: lambam80 at hotmail.com
> > CC: fedora-directory-users at redhat.com
> > Subject: Re: [Fedora-directory-users] 'Account Disabled' Windows
> > Sync Directory Server red cross
> >
> > lambam80 at hotmail.com wrote:
> > > Rich, hello and thanks for the quick reply.
> > >
> > > You write:
> > >
> > > < Yes, this appears to be a bug in windows sync
> > >
> > > How might I get further information - is there a BUG number/report?
> > > Should I try and log a BUG? If so, where?
> > https://bugzilla.redhat.com/show_bug.cgi?id=470224
> > >
> > > Sorry, I'm new to Fedora/Redhat/Linux (migrating off Sun Solaris, so
> > > to speak).
> > >
> > > Anyway, I have the following work-around:
> > > - use the password sync mechanism from Redhat - I've yet to test this
> > > - next on my list
> > > - Use a script to do the following:
> > > -- create Directory Server user account
> > > -- create Active Directory account using ldapmodify and LDAPS
> > > -- set the Active Directory unicodePwd:: using ldapmodify and LDAPS
> > > -- set the Active Directory userAccountControl: 512 using ldapmodify
> > > and LDAPS. '512', I believe, 'enables' the account.
> > Yes. See also http://support.microsoft.com/kb/305144
> >
> > But if you are using WinSync, you can configure it to automatically
> > create accounts in AD when added to DS, and vice versa. So you might
> > just use DirSync or sequence number to look for new AD accounts that
> > are disabled, and enable them. See
> > http://msdn.microsoft.com/en-us/library/ms677626(VS.85).aspx and
> > http://support.microsoft.com/kb/891995
> > >
> > > Thanks again for your help,
> > >
> > > Dave (former employee of iPlanet :-)
> > My condolences :-)
> > >
> > > > Date: Tue, 2 Dec 2008 08:51:08 -0700
> > > > From: rmeggins at redhat.com
> > > > To: fedora-directory-users at redhat.com
> > > > CC: lambam80 at hotmail.com
> > > > Subject: Re: [Fedora-directory-users] 'Account Disabled' Windows
> > > > Sync Directory Server red cross
> > > >
> > > > lambam80 at hotmail.com wrote:
> > > > > Firstly, please accept my apologies for a white lie.
> > > > > I'm, in fact, using CentOS but a colleague of mine recommended
> > > > > that I use this forum/mailing-list.
> > > > >
> > > > > Let me know if this white-lie is a problem.
> > > > >
> > > > > cat /etc/redhat-release
> > > > > CentOS release 5.2 (Final)
> > > > >
> > > > > /usr/sbin/ns-slapd -v
> > > > > CentOS-Directory/8.0.4 B2008.288.1513
> > > > >
> > > > > Windows 2003 Server Standard Edition R2
> > > > >
> > > > > I've 'successfully' configured Windows Sync and it
> > > > > works in both directions.
> > > > >
> > > > > However, accounts that are synched from Centos Directory Server to
> > > > > Active Directory are created with the 'Account Disabled' checkbox
> > > > > selected.
> > > > >
> > > > > In the Windows account administration interface
> > > > > they also have the red cross next to them.
> > > > >
> > > > > Q1. Have other people seen this behavior with Windows Sync?
> > > > Yes, this appears to be a bug in windows sync
> > > > >
> > > > > Q2. How can I change this behavior and have the
> > > > > windows-accounts enabled from the start?
> > > > Not sure.
> > > > >
> > > > > Thanks for your time, cheers lambam80
> > > > >
> > > > > --
> > > > > Fedora-directory-users mailing list
> > > > > Fedora-directory-users at redhat.com
> > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
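Dave's four-step script (create the DS entry, create the AD entry over LDAPS, set unicodePwd, set userAccountControl to 512) and Rich's suggestion to scan for newly created AD accounts that are still disabled describe the same repair. As an added example, not code from this thread or from Red Hat/389 Directory Server, the Python below parses a constructed ldapsearch-style dump of the synced OU, uses uSNCreated as the sequence-number watermark Rich refers to, decodes the ACCOUNTDISABLE bit documented in KB 305144, and emits the LDIF that an ldapmodify run over LDAPS would apply; the OU, account names and USN values are invented.

```python
import re
ACCOUNTDISABLE = 0x0002   # userAccountControl bit, per MS KB 305144 in the thread

def parse_ldif(text):
    """Parse an unfolded, single-valued ldapsearch dump into a list of dicts."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        m = re.match(r"^([A-Za-z0-9-]+): (.*)$", line)
        if m:
            cur[m.group(1)] = m.group(2)
    if cur:
        entries.append(cur)
    return entries

def find_disabled_since(entries, usn_watermark):
    """Entries created after the USN watermark (the 'sequence number' Rich
    mentions) whose ACCOUNTDISABLE bit is still set."""
    return [e for e in entries
            if int(e.get("uSNCreated", 0)) > usn_watermark
            and int(e.get("userAccountControl", 0)) & ACCOUNTDISABLE]

def enable_ldif(entry):
    """LDIF modify that clears ACCOUNTDISABLE and keeps the other flags."""
    uac = int(entry["userAccountControl"]) & ~ACCOUNTDISABLE
    return (f"dn: {entry['dn']}\nchangetype: modify\n"
            f"replace: userAccountControl\nuserAccountControl: {uac}\n")

# Constructed sample dump of the synced OU; names and USNs are invented.
SAMPLE = """dn: CN=alice,OU=Synced,DC=example,DC=com
userAccountControl: 514
uSNCreated: 20010

dn: CN=bob,OU=Synced,DC=example,DC=com
userAccountControl: 512
uSNCreated: 20011

dn: CN=carol,OU=Synced,DC=example,DC=com
userAccountControl: 514
uSNCreated: 19000
"""

if __name__ == "__main__":       # pipe the output into ldapmodify over LDAPS
    for e in find_disabled_since(parse_ldif(SAMPLE), 20000):
        print(enable_ldif(e))
```

Keep Dave's ordering and set unicodePwd before applying this LDIF, since AD refuses to enable an account whose password does not satisfy the domain policy; record the highest uSNCreated seen after each run as the next watermark.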
