[Freeipa-devel] Please review: Bug 459729 - Windows sync support in IPA - account disable and force sync
Rich Megginson
rmeggins at redhat.com
Fri Sep 26 16:31:09 UTC 2008
https://bugzilla.redhat.com/show_bug.cgi?id=459729
Resolves: bug 459729
Bug Description: Windows sync support in IPA - account disable and force sync
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: Add support for account disable sync and force sync
* Account disable sync - AD uses the userAccountControl attribute ACCOUNTDISABLE value (http://support.microsoft.com/kb/305144). We have to sync that with the nsAccountLock attribute used by DS. In IPA, nsAccountLock is a virtual attribute generated by the membership of the user or group in the cn=inactivated group (or enabled if in the cn=activated group or not in any group - the account is enabled if nsAccountLock is not present). The sync can be done in 1 of 4 ways, with the config attribute ipaWinSyncAcctDisable:
  * none - no account disable sync occurs
  * to_ad - account disable is only synced from IPA to AD, not from AD to IPA
  * to_ds - account disable is only synced from AD to IPA, not from IPA to AD
  * both - account disable is synced in both directions
  I added some code to let the plugin find the cn=inactivated and cn=activated groups dynamically.
* Force Sync - by default, the DS will only sync existing IPA users if they have the ntUser objectclass, and the ntUserDomainID set to the Windows user ID (e.g. the samAccountName). With the config attribute ipaWinSyncForceSync set to "true", any IPA user that has a matching account in Windows will be forced to be in sync - the IPA user will have the ntUser objectclass added automatically, and the ntUserDomainID set to the matching account samAccountName value. The existing winsync code already handles adding ntUserDomainID, so the ipa winsync plugin just has to add ntUser.
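The decision logic for both features, as an added Python model written for this review (not the plugin's C code). It assumes constructed example DNs for the cn=inactivated/cn=activated groups and plain dicts of LDAP attributes in place of real entries; the ACCOUNTDISABLE flag value is the one documented in the KB article linked above.

```python
# Constructed model of the ipa-winsync behaviours described in the post:
# account-disable sync (ipaWinSyncAcctDisable) and force sync (ipaWinSyncForceSync).
# Entries are plain dicts of LDAP attribute -> value(s); DNs below are assumed.

ACCOUNTDISABLE = 0x0002  # userAccountControl flag, per MS KB 305144
INACTIVATED = "cn=inactivated,cn=accounts,dc=example,dc=com"  # assumed DN
ACTIVATED = "cn=activated,cn=accounts,dc=example,dc=com"      # assumed DN

# Sync directions permitted by each ipaWinSyncAcctDisable value.
ACCT_DISABLE_MODES = {
    "none": set(),
    "to_ad": {"ds_to_ad"},
    "to_ds": {"ad_to_ds"},
    "both": {"ad_to_ds", "ds_to_ad"},
}

def ad_disabled(ad_entry):
    """AD marks a disabled account with the ACCOUNTDISABLE bit."""
    return bool(int(ad_entry.get("userAccountControl", 0)) & ACCOUNTDISABLE)

def ds_disabled(ds_entry):
    """nsAccountLock is virtual in IPA: locked only via cn=inactivated membership."""
    return INACTIVATED in ds_entry.get("memberOf", [])

def ad_to_ds_disable(mode, ad_entry, ds_entry):
    """AD entry changed. Return the group the DS user must be moved into, or
    None when the mode forbids this direction or both sides already agree."""
    if "ad_to_ds" not in ACCT_DISABLE_MODES[mode]:
        return None
    if ad_disabled(ad_entry) == ds_disabled(ds_entry):
        return None
    return INACTIVATED if ad_disabled(ad_entry) else ACTIVATED

def ds_to_ad_disable(mode, ds_entry, ad_entry):
    """DS entry changed. Return the new userAccountControl for AD, or None."""
    if "ds_to_ad" not in ACCT_DISABLE_MODES[mode]:
        return None
    if ad_disabled(ad_entry) == ds_disabled(ds_entry):
        return None
    uac = int(ad_entry.get("userAccountControl", 0))
    return uac | ACCOUNTDISABLE if ds_disabled(ds_entry) else uac & ~ACCOUNTDISABLE

def force_sync_mods(force, ds_entry, ad_entry):
    """ipaWinSyncForceSync: an IPA user with a matching AD account gets the
    ntUser objectclass added by the IPA plugin; core winsync then fills in
    ntUserDomainID. Returns the attribute values to add to the DS entry."""
    if not force or not ad_entry or "ntUser" in ds_entry.get("objectClass", []):
        return {}
    return {"objectClass": ["ntUser"]}
```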
Platforms tested: Fedora 9
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=317807&action=diff