[389-users] Synchronizing Account Inactivation with Account Disabling

Glenn glenn at mail.txwes.edu
Fri Oct 22 15:44:53 UTC 2010


We are still using Fedora Directory Server 1.0.4 and synchronizing with 
Active Directory.  Our procedure for removing accounts includes a waiting 
period when the AD account is disabled.  Disabling the AD account does not 
inactivate the corresponding FD account.  The folks that do account 
maintenance do not have access to the FD java console, so rather than 
inactivating the FD account, they delete it using DSGW.  Unfortunately, this 
also deletes the disabled AD account.

Is there a way to make sync inactivate the FD account when the AD account is 
disabled?

As an alternative, can we make account activation/inactivation available to 
our account people via DSGW?  Some particulars would be appreciated.

I know that setting the "ntuserdeleteaccount" attribute to "false" will 
prevent the AD account from being removed when the FD account is removed.  
But new accounts created in AD are duplicated by sync in FD with the 
attribute set to "true".  If anyone could suggest a way to make this default 
to "false," that would be an improvement.

Thanks.   -G.



More information about the 389-users mailing list