Glenn wrote: > We are still using Fedora Directory Server 1.0.4 and synchronizing with > Active Directory. Our procedure for removing accounts includes a waiting > period when the AD account is disabled. Disabling the AD account does not > inactivate the corresponding FD account. The folks that do account > maintenance do not have access to the FD java console, so rather than > inactivating the FD account, they delete it using DSGW. Unfortunately, this > also deletes the disabled AD account. > > Is there a way to make sync inactivate the FD account when the AD account is > disabled? > freeipa windows sync can do this, but it requires you set up freeipa > As an alternative, can we make account activation/inactivation available to > our account people via DSGW? Some particulars would be appreciated. > Not likely. > I know that setting the "ntuserdeleteaccount" attribute to "false" will > prevent the AD account from being removed when the FD account is removed. > But new accounts created in AD are duplicated by sync in FD with the > attribute set to "true". If anyone could suggest a way to make this default > to "false," that would be an improvement. > I don't know of a way to do this. > Thanks. -G. > -- > 389 users mailing list > 389-users@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/389-users > -- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
