<html> <head> <style> .hmmessage P { margin:0px; padding:0px } body.hmmessage { font-size: 10pt; font-family:Verdana } </style> </head> <body class='hmmessage'> Rich, hello again and thanks for all your help. This Email related to password VS account synchronization. We'll use my script to create/delete accounts thereby having an identical user base in both RedHat LDAP and Windows. Therefore, we'd like to use only the 'password' mechanism of 'Windows SYNC'. I can see, clearly on the RedHat LDAP server how to disable account/group SYNC on the windows side: - Launch console | Directory Server Configuration TAB | click on replication agreement | uncheck both New Windows Users Sync and New Windows Groups Sync And from the document I can read how to disable account/group SYNC on the LDAP side: <A href="http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Using_Windows_Sync.html#Using_Windows_Sync-Synchronizing_Users">http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Using_Windows_Sync.html#Using_Windows_Sync-Synchronizing_Users</A><A href="http://directory.fedoraproject.org/wiki/Howto:WindowsSync"></A> < Setting <CODE class=command>ntUserCreateNewAccount</CODE> and <CODE class=command>ntUserDeleteNewAccount</CODE> on Directory Server entries < allows the Directory Manager fine-grained control over which users within the < synchronized subtree will be synched on Active Directory Is that all I need to do to disable account/group sync but retain password sync ? Thanks again for your help, Dave ---------- > Date: Wed, 3 Dec 2008 10:56:30 -0700 > From: rmeggins@redhat.com > To: lambam80@hotmail.com > CC: fedora-directory-users@redhat.com > Subject: Re: [Fedora-directory-users] 'Account Disabled' Windows Sync Directory Server red cross > > lambam80@hotmail.com wrote: > > Rich, hello and thanks for the quick reply. > > > > You write: > > > > < Yes, this appears to be a bug in windows sync > > > > How might I get further information - is there a BUG number/report ? > > Should I try and log a BUG ? If so, where ? > https://bugzilla.redhat.com/show_bug.cgi?id=470224 > > > > Sorry, I'm new to Fedora/Redhat/Linux (migrating off Sun Solaris, so > > to speak). > > > > Anyway, I have the following work-around: > > - use the password sync mechanism from Redhat - I've yet to test this > > - next on my list > > - Use a script to do the following: > > -- create Directory Server user account > > -- create Active Directory account using ldapmodify and LDAPS > > -- set the Active Directory unicodePwd:: using ldapmodify and LDAPS > > -- set the Active Directory userAccountControl: 512 using ldapmodify > > and LDAPS. '512', I believe, 'enables' the account. > Yes. See also http://support.microsoft.com/kb/305144 > > But if you are using WinSync, you can configure it to automatically > create accounts in AD when added to DS, and vice versa. So you might > just use > DirSync or sequence number to look for new AD accounts that are > disabled, and enable them. See > http://msdn.microsoft.com/en-us/library/ms677626(VS.85).aspx and > http://support.microsoft.com/kb/891995 > > > > Thanks again for your help, > > > > Dave (former employee of iPlanet :-) > My condolences :-) > > ------------ > > > > > Date: Tue, 2 Dec 2008 08:51:08 -0700 > > > From: rmeggins@redhat.com > > > To: fedora-directory-users@redhat.com > > > CC: lambam80@hotmail.com > > > Subject: Re: [Fedora-directory-users] 'Account Disabled' Windows > > Sync Directory Server red cross > > > > > > lambam80@hotmail.com wrote: > > > > Firstly, please accept my apologies for a white lie. > > > > I'm, in fact, using CentOS but a colleague of mine recommended that I > > > > use this forum/mailing-list. > > > > > > > > Let me know if this white-lie is a problem. > > > > > > > > cat /etc/redhat-release > > > > CentOS release 5.2 (Final) > > > > > > > > /usr/sbin/ns-slapd -v > > > > CentOS-Directory/8.0.4 B2008.288.1513 > > > > > > > > Windows 2003 Server Standard Edition R2 > > > > > > > > I've 'successfully' configured Windows Sync and it > > > > works in both directions. > > > > > > > > However, accounts that are synched from Centos Directory Server to > > > > Active Directory are > > > > created with the 'Account Disabled' checkbox selected. > > > > > > > > In the Windows account administration interface > > > > they also have the red cross next to them. > > > > > > > > Q1. Have other people seen this behavior with Windows Sync ? > > > Yes, this appears to be a bug in windows sync > > > > > > > > Q2. How can I change this behavior and have the > > > > windows-accounts enabled from the start ? > > > Not sure. > > > > > > > > Thanks for your time, cheers lambam80 > > > > Active-Directory Active-Dir Active Dir Active Directory > > > > Edit/Delete Message > > > > <http://forums.fedoraforum.org/editpost.php?do=editpost&p=1122288> > > > > > > > > > > ------------------------------------------------------------------------ > > > > > > > > > > ------------------------------------------------------------------------ > > > > > > > > > > ------------------------------------------------------------------------ > > > > > > > > -- > > > > Fedora-directory-users mailing list > > > > Fedora-directory-users@redhat.com > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > > > > > > ------------------------------------------------------------------------ > > Win a trip with your 3 best buddies. Enter today. > > <http://www.messengerbuddies.ca/?ocid=BUDDYOMATICENCA19> > <hr />Visit messengerbuddies.ca to find out how you could win. <a href='http://www.messengerbuddies.ca/?ocid=BUDDYOMATICENCA20' target='_new'>Enter today.</a></body> </html>