lambam80 at hotmail.com wrote:
> Rich, hello again and thanks for all your help.
>
> This Email related to password VS account synchronization.
>
> We'll use my script to create/delete accounts thereby having an
> identical user base in both RedHat LDAP and Windows.
>
> Therefore, we'd like to use only the 'password' mechanism of
> 'Windows SYNC'.
>
> I can see, clearly on the RedHat LDAP server how to disable
> account/group SYNC on the windows side:
>
> - Launch console | Directory Server Configuration TAB | click on
>   replication agreement | uncheck both
>     New Windows Users Sync and
>     New Windows Groups Sync
>
> And from the document I can read how to disable account/group SYNC on
> the LDAP side:
>
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Using_Windows_Sync.html#Using_Windows_Sync-Synchronizing_Users
>
> < Setting |ntUserCreateNewAccount| and |ntUserDeleteNewAccount| on
> < Directory Server entries allows the Directory Manager fine-grained
> < control over which users within the synchronized subtree will be
> < synched on Active Directory
>
> Is that all I need to do to disable account/group sync but retain
> password sync ?
Yes, I believe so.
>
> Thanks again for your help, Dave
> ----------
>
> > Date: Wed, 3 Dec 2008 10:56:30 -0700
> > From: rmeggins at redhat.com
> > To: lambam80 at hotmail.com
> > CC: fedora-directory-users at redhat.com
> > Subject: Re: 'Account Disabled' Windows Sync Directory Server red cross
> >
> > lambam80 at hotmail.com wrote:
> > > Rich, hello and thanks for the quick reply.
> > >
> > > You write:
> > >
> > > < Yes, this appears to be a bug in windows sync
> > >
> > > How might I get further information - is there a BUG number/report ?
> > > Should I try and log a BUG ? If so, where ?
> > https://bugzilla.redhat.com/show_bug.cgi?id=470224
> > >
> > > Sorry, I'm new to Fedora/Redhat/Linux (migrating off Sun Solaris, so
> > > to speak).
> > >
> > > Anyway, I have the following work-around:
> > > - use the password sync mechanism from Redhat - I've yet to test
> > >   this - next on my list
> > > - Use a script to do the following:
> > > -- create Directory Server user account
> > > -- create Active Directory account using ldapmodify and LDAPS
> > > -- set the Active Directory unicodePwd:: using ldapmodify and LDAPS
> > > -- set the Active Directory userAccountControl: 512 using ldapmodify
> > >    and LDAPS. '512', I believe, 'enables' the account.
> > Yes. See also http://support.microsoft.com/kb/305144
> >
> > But if you are using WinSync, you can configure it to automatically
> > create accounts in AD when added to DS, and vice versa. So you might
> > just use DirSync or sequence number to look for new AD accounts that
> > are disabled, and enable them. See
> > http://msdn.microsoft.com/en-us/library/ms677626(VS.85).aspx and
> > http://support.microsoft.com/kb/891995
> > >
> > > Thanks again for your help,
> > >
> > > Dave (former employee of iPlanet :-)
> > My condolences :-)
> > > ------------
> > >
> > > > Date: Tue, 2 Dec 2008 08:51:08 -0700
> > > > From: rmeggins at redhat.com
> > > > To: fedora-directory-users at redhat.com
> > > > CC: lambam80 at hotmail.com
> > > > Subject: Re: 'Account Disabled' Windows Sync Directory Server red cross
> > > >
> > > > lambam80 at hotmail.com wrote:
> > > > > Firstly, please accept my apologies for a white lie.
> > > > > I'm, in fact, using CentOS but a colleague of mine recommended
> > > > > that I use this forum/mailing-list.
> > > > >
> > > > > Let me know if this white-lie is a problem.
> > > > >
> > > > > cat /etc/redhat-release
> > > > > CentOS release 5.2 (Final)
> > > > >
> > > > > /usr/sbin/ns-slapd -v
> > > > > CentOS-Directory/8.0.4 B2008.288.1513
> > > > >
> > > > > Windows 2003 Server Standard Edition R2
> > > > >
> > > > > I've 'successfully' configured Windows Sync and it
> > > > > works in both directions.
> > > > >
> > > > > However, accounts that are synched from Centos Directory Server to
> > > > > Active Directory are created with the 'Account Disabled' checkbox
> > > > > selected.
> > > > >
> > > > > In the Windows account administration interface
> > > > > they also have the red cross next to them.
> > > > >
> > > > > Q1. Have other people seen this behavior with Windows Sync ?
> > > > Yes, this appears to be a bug in windows sync
> > > > >
> > > > > Q2. How can I change this behavior and have the
> > > > > windows-accounts enabled from the start ?
> > > > Not sure.
> > > > >
> > > > > Thanks for your time, cheers lambam80
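
The scripted workaround discussed in the thread (set `unicodePwd::` and `userAccountControl` with ldapmodify over LDAPS), as an added example that is not part of the original messages. The function names, the sample DN and the sample password are constructed for illustration; the flag values are the ones documented in the KB 305144 article cited above.

```python
import base64

# userAccountControl bits, as documented in Microsoft KB 305144
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200  # decimal 512, the value used in the thread


def encode_unicode_pwd(password: str) -> str:
    """Return the base64 text that follows 'unicodePwd::' in LDIF.

    AD expects the password wrapped in double quotes and encoded as
    UTF-16LE; the double colon marks the LDIF value as base64.
    """
    quoted = f'"{password}"'.encode("utf-16-le")
    return base64.b64encode(quoted).decode("ascii")


def is_disabled(uac: int) -> bool:
    return bool(uac & ACCOUNTDISABLE)


def enabled_value(uac: int) -> int:
    """Clear only ACCOUNTDISABLE so other flags on the account survive."""
    return uac & ~ACCOUNTDISABLE


def enable_ldif(dn: str, password: str, current_uac: int) -> str:
    """Build a modify record that sets the password, then enables the account."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {encode_unicode_pwd(password)}",
        "-",
        "replace: userAccountControl",
        f"userAccountControl: {enabled_value(current_uac)}",
        "-",
    ]) + "\n"


if __name__ == "__main__":
    # Constructed sample: a synced account left at 514 (512 + ACCOUNTDISABLE).
    print(enable_ldif("CN=Test User,CN=Users,DC=example,DC=com",
                      "Constructed-Pw-1", 514))
```

Clearing the single bit instead of writing a literal 512 keeps flags such as "password never expires" intact on accounts that already carry them. The generated LDIF contains the password in a trivially reversible encoding, so pipe it to ldapmodify over LDAPS rather than leaving it in a file.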