Rich hello and thanks for your support. One last question for an former redhat colleague of yours: 'Do we know when this BUG will be fixed' ? Thanks again, Dave ----------> Date: Mon, 8 Dec 2008 08:07:50 -0700> From: [EMAIL PROTECTED]> To: [EMAIL PROTECTED]> CC: [email protected]> Subject: Re: [Fedora-directory-users] 'Account Disabled' Windows Sync - only sync passwords> > [EMAIL PROTECTED] wrote:> > Rich, hello again and thanks for all your help.> > > > This Email related to password VS account synchronization.> > > > We'll use my script to create/delete accounts thereby having an > > identical user base in> > both RedHat LDAP and Windows.> > > > Therefore, we'd like to use only the 'password' mechanism of 'Windows > > SYNC'.> > > > I can see, clearly on the RedHat LDAP server how to disable > > account/group SYNC on the windows side:> > > > - Launch console | Directory Server Configuration TAB | click on > > replication agreement | uncheck both> > New Windows Users Sync and> > New Windows Groups Sync> > > > And from the document I can read how to disable account/group SYNC on > > the LDAP side:> > > > _http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Using_Windows_Sync.html#Using_Windows_Sync-Synchronizing_Users_> > > > < Setting |ntUserCreateNewAccount| and |ntUserDeleteNewAccount| on > > Directory Server entries> > < allows the Directory Manager fine-grained control over which users > > within the> > < synchronized subtree will be synched on Active Directory> > > > Is that all I need to do to disable account/group sync but retain > > password sync ?> Yes, I believe so.> > > > Thanks again for your help, Dave> > ----------> >> > > Date: Wed, 3 Dec 2008 10:56:30 -0700> > > From: [EMAIL PROTECTED]> > > To: [EMAIL PROTECTED]> > > CC: [email protected]> > > Subject: Re: [Fedora-directory-users] 'Account Disabled' Windows > > Sync Directory Server red cross> > >> > > [EMAIL PROTECTED] wrote:> > > > Rich, hello and thanks for the quick reply.> > > >> > > > You write:> > > >> > > > < Yes, this appears to be a bug in windows sync> > > >> > > > How might I get further information - is there a BUG number/report ?> > > > Should I try and log a BUG ? If so, where ?> > > https://bugzilla.redhat.com/show_bug.cgi?id=470224> > > >> > > > Sorry, I'm new to Fedora/Redhat/Linux (migrating off Sun Solaris, so> > > > to speak).> > > >> > > > Anyway, I have the following work-around:> > > > - use the password sync mechanism from Redhat - I've yet to test this> > > > - next on my list> > > > - Use a script to do the following:> > > > -- create Directory Server user account> > > > -- create Active Directory account using ldapmodify and LDAPS> > > > -- set the Active Directory unicodePwd:: using ldapmodify and LDAPS> > > > -- set the Active Directory userAccountControl: 512 using ldapmodify> > > > and LDAPS. '512', I believe, 'enables' the account.> > > Yes. See also http://support.microsoft.com/kb/305144> > >> > > But if you are using WinSync, you can configure it to automatically> > > create accounts in AD when added to DS, and vice versa. So you might> > > just use> > > DirSync or sequence number to look for new AD accounts that are> > > disabled, and enable them. See> > > http://msdn.microsoft.com/en-us/library/ms677626(VS.85).aspx and> > > http://support.microsoft.com/kb/891995> > > >> > > > Thanks again for your help,> > > >> > > > Dave (former employee of iPlanet :-)> > > My condolences :-)> > > > ------------> > > >> > > > > Date: Tue, 2 Dec 2008 08:51:08 -0700> > > > > From: [EMAIL PROTECTED]> > > > > To: [email protected]> > > > > CC: [EMAIL PROTECTED]> > > > > Subject: Re: [Fedora-directory-users] 'Account Disabled' Windows> > > > Sync Directory Server red cross> > > > >> > > > > [EMAIL PROTECTED] wrote:> > > > > > Firstly, please accept my apologies for a white lie.> > > > > > I'm, in fact, using CentOS but a colleague of mine recommended > > that I> > > > > > use this forum/mailing-list.> > > > > >> > > > > > Let me know if this white-lie is a problem.> > > > > >> > > > > > cat /etc/redhat-release> > > > > > CentOS release 5.2 (Final)> > > > > >> > > > > > /usr/sbin/ns-slapd -v> > > > > > CentOS-Directory/8.0.4 B2008.288.1513> > > > > >> > > > > > Windows 2003 Server Standard Edition R2> > > > > >> > > > > > I've 'successfully' configured Windows Sync and it> > > > > > works in both directions.> > > > > >> > > > > > However, accounts that are synched from Centos Directory Server to> > > > > > Active Directory are> > > > > > created with the 'Account Disabled' checkbox selected.> > > > > >> > > > > > In the Windows account administration interface> > > > > > they also have the red cross next to them.> > > > > >> > > > > > Q1. Have other people seen this behavior with Windows Sync ?> > > > > Yes, this appears to be a bug in windows sync> > > > > >> > > > > > Q2. How can I change this behavior and have the> > > > > > windows-accounts enabled from the start ?> > > > > Not sure.> > > > > >> > > > > > Thanks for your time, cheers lambam80> > > > > > Active-Directory Active-Dir Active Dir Active Directory> > > > > > Edit/Delete Message> > > > > > <http://forums.fedoraforum.org/editpost.php?do=editpost&p=1122288>> > > > > >> > > > > >> > > > > > ------------------------------------------------------------------------> > > > > >> > > > > >> > > > > > ------------------------------------------------------------------------> > > > > >> > > > > >> > > > > > ------------------------------------------------------------------------> > > > > >> > > > > > --> > > > > > Fedora-directory-users mailing list> > > > > > [email protected]> > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users> > > > > >> > > > >> > > >> > > >> > > > > > ------------------------------------------------------------------------> > > > Win a trip with your 3 best buddies. Enter today.> > > > <http://www.messengerbuddies.ca/?ocid=BUDDYOMATICENCA19>> > >> >> >> > ------------------------------------------------------------------------> > Visit messengerbuddies.ca to find out how you could win. Enter today. > > <http://www.messengerbuddies.ca/?ocid=BUDDYOMATICENCA20>> _________________________________________________________________
-- Fedora-directory-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/fedora-directory-users
