[389-users] Synchronizing Account Inactivation with Account Disabling
glenn at mail.txwes.edu
Fri Oct 22 15:44:53 UTC 2010
We are still using Fedora Directory Server 1.0.4 and synchronizing with
Active Directory. Our procedure for removing accounts includes a waiting
period when the AD account is disabled. Disabling the AD account does not
inactivate the corresponding FD account. The folks that do account
maintenance do not have access to the FD java console, so rather than
inactivating the FD account, they delete it using DSGW. Unfortunately, this
also deletes the disabled AD account.
Is there a way to make sync inactivate the FD account when the AD account is
As an alternative, can we make account activation/inactivation available to
our account people via DSGW? Some particulars would be appreciated.
I know that setting the "ntuserdeleteaccount" attribute to "false" will
prevent the AD account from being removed when the FD account is removed.
But new accounts created in AD are duplicated by sync in FD with the
attribute set to "true". If anyone could suggest a way to make this default
to "false," that would be an improvement.
More information about the 389-users