[Fedora-directory-users] 'Account Disabled' Windows Sync - only sync passwords

Rich Megginson rmeggins at redhat.com
Tue Dec 9 15:18:03 UTC 2008


lambam80 at hotmail.com wrote:
> Rich hello and thanks for your support.
>  
> One last question for a former redhat colleague of yours:
>  
> 'Do we know when this BUG will be fixed' ?
Soon.
>  
> Thanks again, Dave
> ----------
>
> > Date: Mon, 8 Dec 2008 08:07:50 -0700
> > From: rmeggins at redhat.com
> > To: lambam80 at hotmail.com
> > CC: fedora-directory-users at redhat.com
> > Subject: Re: [Fedora-directory-users] 'Account Disabled' Windows Sync - only sync passwords
> >
> > lambam80 at hotmail.com wrote:
> > > Rich, hello again and thanks for all your help.
> > >
> > > This email relates to password vs. account synchronization.
> > >
> > > We'll use my script to create/delete accounts thereby having an
> > > identical user base in
> > > both RedHat LDAP and Windows.
> > >
> > > Therefore, we'd like to use only the 'password' mechanism of 'Windows
> > > SYNC'.
> > >
> > > I can see, clearly on the RedHat LDAP server how to disable
> > > account/group SYNC on the windows side:
> > >
> > > - Launch console | Directory Server Configuration TAB | click on
> > > replication agreement | uncheck both
> > > New Windows Users Sync and
> > > New Windows Groups Sync
> > >
> > > And from the document I can read how to disable account/group SYNC on
> > > the LDAP side:
> > >
> > > http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Using_Windows_Sync.html#Using_Windows_Sync-Synchronizing_Users
> > >
> > > < Setting |ntUserCreateNewAccount| and |ntUserDeleteNewAccount| on
> > > Directory Server entries
> > > < allows the Directory Manager fine-grained control over which users
> > > within the
> > > < synchronized subtree will be synched on Active Directory
> > >
> > > Is that all I need to do to disable account/group sync but retain
> > > password sync ?
> > Yes, I believe so.
> > >
> > > Thanks again for your help, Dave
> > > ----------
> > >
> > > > Date: Wed, 3 Dec 2008 10:56:30 -0700
> > > > From: rmeggins at redhat.com
> > > > To: lambam80 at hotmail.com
> > > > CC: fedora-directory-users at redhat.com
> > > > Subject: Re: [Fedora-directory-users] 'Account Disabled' Windows Sync Directory Server red cross
> > > >
> > > > lambam80 at hotmail.com wrote:
> > > > > Rich, hello and thanks for the quick reply.
> > > > >
> > > > > You write:
> > > > >
> > > > > < Yes, this appears to be a bug in windows sync
> > > > >
> > > > > How might I get further information - is there a BUG number/report ?
> > > > > Should I try and log a BUG ? If so, where ?
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=470224
> > > > >
> > > > > Sorry, I'm new to Fedora/Redhat/Linux (migrating off Sun Solaris, so
> > > > > to speak).
> > > > >
> > > > > Anyway, I have the following work-around:
> > > > > - use the password sync mechanism from Redhat - I've yet to test this - next on my list
> > > > > - Use a script to do the following:
> > > > > -- create Directory Server user account
> > > > > -- create Active Directory account using ldapmodify and LDAPS
> > > > > -- set the Active Directory unicodePwd:: using ldapmodify and LDAPS
> > > > > -- set the Active Directory userAccountControl: 512 using ldapmodify and LDAPS. '512', I believe, 'enables' the account.
> > > > Yes. See also http://support.microsoft.com/kb/305144
> > > >
> > > > But if you are using WinSync, you can configure it to automatically
> > > > create accounts in AD when added to DS, and vice versa. So you might
> > > > just use DirSync or sequence number to look for new AD accounts that
> > > > are disabled, and enable them. See
> > > > http://msdn.microsoft.com/en-us/library/ms677626(VS.85).aspx and
> > > > http://support.microsoft.com/kb/891995
> > > > >
> > > > > Thanks again for your help,
> > > > >
> > > > > Dave (former employee of iPlanet :-)
> > > > My condolences :-)
> > > > > ------------
> > > > >
> > > > > > Date: Tue, 2 Dec 2008 08:51:08 -0700
> > > > > > From: rmeggins at redhat.com
> > > > > > To: fedora-directory-users at redhat.com
> > > > > > CC: lambam80 at hotmail.com
> > > > > > Subject: Re: [Fedora-directory-users] 'Account Disabled' Windows Sync Directory Server red cross
> > > > > >
> > > > > > lambam80 at hotmail.com wrote:
> > > > > > > Firstly, please accept my apologies for a white lie.
> > > > > > > I'm, in fact, using CentOS but a colleague of mine recommended that I
> > > > > > > use this forum/mailing-list.
> > > > > > >
> > > > > > > Let me know if this white-lie is a problem.
> > > > > > >
> > > > > > > cat /etc/redhat-release
> > > > > > > CentOS release 5.2 (Final)
> > > > > > >
> > > > > > > /usr/sbin/ns-slapd -v
> > > > > > > CentOS-Directory/8.0.4 B2008.288.1513
> > > > > > >
> > > > > > > Windows 2003 Server Standard Edition R2
> > > > > > >
> > > > > > > I've 'successfully' configured Windows Sync and it
> > > > > > > works in both directions.
> > > > > > >
> > > > > > > However, accounts that are synched from Centos Directory Server to
> > > > > > > Active Directory are created with the 'Account Disabled' checkbox selected.
> > > > > > >
> > > > > > > In the Windows account administration interface
> > > > > > > they also have the red cross next to them.
> > > > > > >
> > > > > > > Q1. Have other people seen this behavior with Windows Sync ?
> > > > > > Yes, this appears to be a bug in windows sync
> > > > > > >
> > > > > > > Q2. How can I change this behavior and have the
> > > > > > > windows-accounts enabled from the start ?
> > > > > > Not sure.
> > > > > > >
> > > > > > > Thanks for your time, cheers lambam80

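The workaround discussed in the thread above (set `unicodePwd::` and `userAccountControl` with ldapmodify over LDAPS, or look for disabled AD accounts and enable them), as an added example that is not part of the original messages or of Windows Sync itself. It clears only the ACCOUNTDISABLE bit (0x2, per KB 305144) rather than writing a flat 512, so other flags on the entry survive; the DNs, sample values and function names are constructed for illustration.

```python
import base64

# Subset of userAccountControl bits documented in Microsoft KB 305144.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x0002

def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def enabled_uac(value):
    """Clear only ACCOUNTDISABLE; every other flag is kept as it was."""
    return value & ~ACCOUNTDISABLE

def encode_unicode_pwd(password):
    """AD expects the double-quoted password in UTF-16LE; LDIF '::' means base64."""
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")

def enable_ldif(dn, current_uac, password=None):
    """ldapmodify change record: optional password set, then enable the account."""
    lines = [f"dn: {dn}", "changetype: modify"]
    if password is not None:
        lines += ["replace: unicodePwd",
                  f"unicodePwd:: {encode_unicode_pwd(password)}", "-"]
    lines += ["replace: userAccountControl",
              f"userAccountControl: {enabled_uac(current_uac)}", "-"]
    return "\n".join(lines) + "\n"

# Constructed sample: (dn, userAccountControl) pairs as read back from AD.
SAMPLE = [
    ("CN=Test One,CN=Users,DC=example,DC=com", 514),      # disabled normal account
    ("CN=Test Two,CN=Users,DC=example,DC=com", 512),      # already enabled
    ("CN=Test Three,CN=Users,DC=example,DC=com", 66050),  # disabled, never expires
]

def changes_for_disabled(entries):
    """One change record per entry that has ACCOUNTDISABLE set."""
    return [enable_ldif(dn, uac) for dn, uac in entries if uac & ACCOUNTDISABLE]

if __name__ == "__main__":
    for dn, uac in SAMPLE:
        print(dn, uac, decode_uac(uac))
    print("\n".join(changes_for_disabled(SAMPLE)))
```

The generated records are meant to be passed to ldapmodify over LDAPS, since AD accepts `unicodePwd` writes only on an encrypted connection.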