[389-users] Issues with 389 <-> AD sync and user creation

Orion Poplawski orion at cora.nwra.com
Mon May 7 23:33:29 UTC 2012


We're trying to modify our already heavily modified version of fdstools to add 
ntUser attributes to users.  When we use it to create a new user (or add 
ntUser attributes to an existing user) we end up with two new users in AD and 
the cn: attribute of the user in 389 is modified to have CNF:<guid> added 
which indicates a conflict in the database.

If we check the Enable NT User Attributes and create New NT Account in 
389-console everything seems to work.  We're not able to see what we're doing 
differently.  Except that perhaps 389-console is setting ntUniqueId, but I 
didn't think it was supposed to do that, that the AD sync was supposed to 
handle it.

In fdstools we're setting ntUserDomainId, ntUserCreateNewAccount, and 
ntUserDeleteAccount.  Which seems to be all we need to do according to 
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html#ftn.id4791561

389-ds-1.2.1-1.el5
389-ds-base-1.2.9.9-1.el5


Ideas?

TIA,

  Orion

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder Office                  FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                   http://www.nwra.com
