Rich, hello again and thanks for all your help.
 
This email relates to password vs. account synchronization.
 
We'll use my script to create/delete accounts thereby having an identical user base in both RedHat LDAP and Windows.
 
Therefore, we'd like to use only the 'password' mechanism of 'Windows SYNC'.
 
I can see clearly, on the RedHat LDAP server, how to disable account/group SYNC on the Windows side:

- Launch console | Directory Server Configuration TAB | click on replication agreement | uncheck both New Windows Users Sync and New Windows Groups Sync
 
And from the document I can read how to disable account/group SYNC on the LDAP side:

http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Using_Windows_Sync.html#Using_Windows_Sync-Synchronizing_Users

< Setting ntUserCreateNewAccount and ntUserDeleteNewAccount on Directory Server entries
< allows the Directory Manager fine-grained control over which users within the
< synchronized subtree will be synched on Active Directory

Is that all I need to do to disable account/group sync but retain password sync?
 
Thanks again for your help, Dave
----------
> Date: Wed, 3 Dec 2008 10:56:30 -0700
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> CC: [email protected]
> Subject: Re: [Fedora-directory-users] 'Account Disabled' Windows Sync Directory Server red cross
>
> [EMAIL PROTECTED] wrote:
> > Rich, hello and thanks for the quick reply.
> >
> > You write:
> >
> > < Yes, this appears to be a bug in windows sync
> >
> > How might I get further information - is there a BUG number/report ?
> > Should I try and log a BUG ? If so, where ?
> https://bugzilla.redhat.com/show_bug.cgi?id=470224
> >
> > Sorry, I'm new to Fedora/Redhat/Linux (migrating off Sun Solaris, so
> > to speak).
> >
> > Anyway, I have the following work-around:
> > - use the password sync mechanism from Redhat - I've yet to test this
> > - next on my list
> > - Use a script to do the following:
> > -- create Directory Server user account
> > -- create Active Directory account using ldapmodify and LDAPS
> > -- set the Active Directory unicodePwd:: using ldapmodify and LDAPS
> > -- set the Active Directory userAccountControl: 512 using ldapmodify
> > and LDAPS. '512', I believe, 'enables' the account.
> Yes. See also http://support.microsoft.com/kb/305144
>
> But if you are using WinSync, you can configure it to automatically
> create accounts in AD when added to DS, and vice versa. So you might
> just use DirSync or sequence number to look for new AD accounts that are
> disabled, and enable them. See
> http://msdn.microsoft.com/en-us/library/ms677626(VS.85).aspx and
> http://support.microsoft.com/kb/891995
> >
> > Thanks again for your help,
> >
> > Dave (former employee of iPlanet :-)
> My condolences :-)
> > ------------
> >
> > > Date: Tue, 2 Dec 2008 08:51:08 -0700
> > > From: [EMAIL PROTECTED]
> > > To: [email protected]
> > > CC: [EMAIL PROTECTED]
> > > Subject: Re: [Fedora-directory-users] 'Account Disabled' Windows Sync Directory Server red cross
> > >
> > > [EMAIL PROTECTED] wrote:
> > > > Firstly, please accept my apologies for a white lie.
> > > > I'm, in fact, using CentOS but a colleague of mine recommended that I
> > > > use this forum/mailing-list.
> > > >
> > > > Let me know if this white-lie is a problem.
> > > >
> > > > cat /etc/redhat-release
> > > > CentOS release 5.2 (Final)
> > > >
> > > > /usr/sbin/ns-slapd -v
> > > > CentOS-Directory/8.0.4 B2008.288.1513
> > > >
> > > > Windows 2003 Server Standard Edition R2
> > > >
> > > > I've 'successfully' configured Windows Sync and it
> > > > works in both directions.
> > > >
> > > > However, accounts that are synched from Centos Directory Server to
> > > > Active Directory are
> > > > created with the 'Account Disabled' checkbox selected.
> > > >
> > > > In the Windows account administration interface
> > > > they also have the red cross next to them.
> > > >
> > > > Q1. Have other people seen this behavior with Windows Sync ?
> > > Yes, this appears to be a bug in windows sync
> > > >
> > > > Q2. How can I change this behavior and have the
> > > > windows-accounts enabled from the start ?
> > > Not sure.
> > > >
> > > > Thanks for your time, cheers lambam80

--
Fedora-directory-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-directory-users
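
The scripted workaround quoted in the thread above (write `unicodePwd::` and `userAccountControl` with ldapmodify over LDAPS, or look for disabled AD accounts and enable them), sketched as an added example that is not part of the original messages. The DN, password and function names are constructed for illustration; the flag values are those listed in the KB 305144 article linked in the thread.

```python
import base64

# userAccountControl bit flags (subset of those listed in Microsoft KB 305144)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
ACCOUNTDISABLE = 0x0002

# LDAP filter using AD's bitwise-AND matching rule: user entries with ACCOUNTDISABLE set
DISABLED_FILTER = "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def enabled_value(value):
    """Clear only the ACCOUNTDISABLE bit, keeping every other flag."""
    return value & ~ACCOUNTDISABLE


def encode_unicode_pwd(password):
    """AD wants the password in double quotes, UTF-16LE; LDIF carries it as base64 ('::')."""
    quoted = '"' + password + '"'
    return base64.b64encode(quoted.encode("utf-16-le")).decode("ascii")


def enable_account_ldif(dn, password, current_uac):
    """LDIF for ldapmodify: set the password, then clear the disabled bit."""
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "replace: unicodePwd",
        "unicodePwd:: " + encode_unicode_pwd(password),
        "-",
        "replace: userAccountControl",
        "userAccountControl: %d" % enabled_value(current_uac),
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample entry, not taken from the thread
    print(enable_account_ldif("CN=Test User,CN=Users,DC=example,DC=com", "Example-Pw-1", 514))
```

Feed the output to ldapmodify over an LDAPS connection; Active Directory refuses `unicodePwd` writes on an unencrypted connection. Clearing only the ACCOUNTDISABLE bit, rather than writing a literal 512, preserves any other flags already set on the account.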
