Our company recently implemented FreeIPA to replace a CentOS 5 Kerberos
infrastructure. We set it up with a Winsync agreement with an AD domain,
and it is working pretty well.
Our user disposition workflow in AD is this: the user account is disabled and
moved to a "terminated users" OU in AD. The account disable sync was
working fine to IPA, but yesterday I decided to "clean up" the Active Users
list in IPA by deleting (with --preserve) all the disabled accounts (there
were many). This looked fine from the IPA side: the accounts got moved into
the Preserved users area (in the GUI).
However, much to my dismay I later discovered that all of the termed
accounts in AD are gone. WHAT!!!???
This is bad (for historical/compliance), and came as a shock to me, because
the docs say: "While modifications are bi-directional (going both from
Active Directory to IdM and from IdM to Active Directory), creating or
adding accounts are only uni-directional, from Active Directory to Identity
Management". So WHY ON EARTH would a delete be bi-directional? I'm
suspecting (hoping) that the accounts weren't actually deleted, that they
are just hidden somewhere in AD that I can't see. PLEASE, if anyone can
point me in the right direction here as to what happened I would appreciate
it.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org