<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 09/17/2012 04:55 PM, Steven Jones wrote:
<blockquote
cite="mid:833D8E48405E064EBC54C84EC6B36E4053CA5428@STAWINCOX10MBX1.staff.vuw.ac.nz"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<style id="owaParaStyle" type="text/css">
<!--
p
{margin-top:0;
margin-bottom:0}
-->
P {margin-top:0;margin-bottom:0;}</style>
<div style="direction: ltr; font-family: Tahoma; color: rgb(0, 0,
0); font-size: 10pt;">In section 8.4.5 it talks about making an
agreement one way...which is mostly what I want, so everything
incl password changes from AD to IPA. except I want account
disabled / enabled to flow both ways.<br>
<br>
So if I do a <br>
<br>
ldapmodify -x -D "cn=directory manager" -w password -p 389 -h<br>
ipaserver.example.com<br>
dn: cn=ipa-winsync,cn=plugins,cn=config<br>
changetype: modify<br>
add: oneWaySync<br>
oneWaySync: fromWindows<br>
<br>
<div>Does this effect bi-directional disabling? I assume it
does.......<br>
<br>
So then I have to do a,<br>
<br>
ldapmodify -x -D "cn=directory manager" -w password -p 389 -h<br>
ipaserver.example.com<br>
dn: cn=ipa-winsync,cn=plugins,cn=config<br>
changetype: modify<br>
ipaWinSyncAcctDisable: both<br>
<br>
is that syntax right?<br>
<br>
</div>
</div>
</blockquote>
<br>
Winsyc plugin used in IPA comes originally from DS. In the context
of IPA it can be only one way so changing this configuration is not
something we expect or would work in IPA. In the DS context you can
have two way sync of users and groups.<br>
<br>
AFAIK (Rich please correct me) we do not replicate the
enabled/disabled status from IPA to AD.<br>
Conceptually we think of the AD as authoritative source for the
information. Allowing user to be disabled by IPA admin and then
replicate this status back violates this model and would sound
really dangerous for AD side. Are you sure that even if that would
have been allowed your AD admins would actually permit you to do
that?<br>
<br>
Anyways so far it is one of the limitations of the current product.
You can definitely explain the use case in a bit more details and
file an RFE. If the use case is compelling we will consider it for
the later release.<br>
<br>
<blockquote
cite="mid:833D8E48405E064EBC54C84EC6B36E4053CA5428@STAWINCOX10MBX1.staff.vuw.ac.nz"
type="cite">
<div style="direction: ltr;font-family: Tahoma;color:
#000000;font-size: 10pt;">
<div>
<br>
<div style="font-family: Tahoma; font-size: 13px;">
<p>regards</p>
<p>Steven Jones</p>
<p>Technical Specialist - Linux RHCE</p>
<p>Victoria University, Wellington, NZ</p>
<p>0064 4 463 6272</p>
</div>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
</body>
</html>