[389-users] Synchronizing Account Inactivation with Account Disabling

Rich Megginson rmeggins at redhat.com
Fri Oct 22 15:58:02 UTC 2010

Glenn wrote:
> We are still using Fedora Directory Server 1.0.4 and synchronizing with 
> Active Directory.  Our procedure for removing accounts includes a waiting 
> period when the AD account is disabled.  Disabling the AD account does not 
> inactivate the corresponding FD account.  The folks that do account 
> maintenance do not have access to the FD java console, so rather than 
> inactivating the FD account, they delete it using DSGW.  Unfortunately, this 
> also deletes the disabled AD account.
> Is there a way to make sync inactivate the FD account when the AD account is 
> disabled?
FreeIPA Windows sync can do this, but it requires you to set up FreeIPA.
> As an alternative, can we make account activation/inactivation available to 
> our account people via DSGW?  Some particulars would be appreciated.
Not likely.
> I know that setting the "ntuserdeleteaccount" attribute to "false" will 
> prevent the AD account from being removed when the FD account is removed.  
> But new accounts created in AD are duplicated by sync in FD with the 
> attribute set to "true".  If anyone could suggest a way to make this default 
> to "false," that would be an improvement.
I don't know of a way to do this.
> Thanks.   -G.
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
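
An added example, not part of the original thread or the 389 project's code: for the "ntuserdeleteaccount" behaviour Glenn describes, this script reads an LDIF export of the user subtree and emits modify records that set the attribute to "false" wherever sync left it "true". It does not change the default that sync writes; the sample entries and DNs are constructed, and reviewing the output and applying it with a tool such as ldapmodify is assumed.

```python
import base64

def unfold(text):
    # LDIF line folding: a line starting with one space continues the previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_entries(text):
    # Returns [(dn, {lowercased_attr: [values]})]; attribute names are case-insensitive.
    entries, dn, attrs = [], None, {}
    for line in unfold(text) + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif not line.startswith("#"):
            name, _, rest = line.partition(":")
            # "attr:: value" carries a base64-encoded value.
            value = base64.b64decode(rest[1:].strip()).decode() if rest.startswith(":") else rest.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
    return entries

def build_modify_ldif(text):
    # One modify record per entry whose ntUserDeleteAccount is currently "true".
    out = []
    for dn, attrs in parse_entries(text):
        if any(v.lower() == "true" for v in attrs.get("ntuserdeleteaccount", [])):
            safe = dn.isascii() and dn == dn.strip() and not dn.startswith((":", "<"))
            head = f"dn: {dn}" if safe else "dn:: " + base64.b64encode(dn.encode()).decode()
            out.append(head + "\nchangetype: modify\nreplace: ntUserDeleteAccount\n"
                              "ntUserDeleteAccount: false\n")
    return "\n".join(out)

# Constructed sample export: plain, already-false, base64 DN, folded DN without the attribute.
_B64_DN = base64.b64encode(b"uid=blee,ou=People,dc=example,dc=com").decode()
SAMPLE_LDIF = (
    "dn: uid=jdoe,ou=People,dc=example,dc=com\nntUserDeleteAccount: true\n\n"
    "dn: uid=asmith,ou=People,dc=example,dc=com\nntUserDeleteAccount: false\n\n"
    f"dn:: {_B64_DN}\nNTUSERDELETEACCOUNT: TRUE\n\n"
    "dn: uid=local,ou=People,dc=exam\n ple,dc=com\nuid: local\n"
)
```

Entries that sync creates after a run will again carry "true", so the script would have to be rerun against a fresh export.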
