<lambam80@hotmail.com>
2008-Dec-02 15:40 UTC
[Fedora-directory-users] 'Account Disabled' Windows Sync Directory Server red cross
Firstly, please accept my apologies for a white lie.
I'm, in fact, using CentOS but a colleague of mine recommended that I use this forum/mailing-list.

Let me know if this white-lie is a problem.

cat /etc/redhat-release
CentOS release 5.2 (Final)

/usr/sbin/ns-slapd -v
CentOS-Directory/8.0.4 B2008.288.1513

Windows 2003 Server Standard Edition R2

I've 'successfully' configured Windows Sync and it works in both directions.

However, accounts that are synched from Centos Directory Server to Active Directory are created with the 'Account Disabled' checkbox selected.

In the Windows account administration interface they also have the red cross next to them.

Q1. Have other people seen this behavior with Windows Sync ?
Q2. How can I change this behavior and have the windows-accounts enabled from the start ?

Thanks for your time, cheers lambam80
Rich Megginson
2008-Dec-02 15:51 UTC
Re: [Fedora-directory-users] 'Account Disabled' Windows Sync Directory Server red cross
lambam80@hotmail.com wrote:
> However, accounts that are synched from Centos Directory Server to
> Active Directory are
> created with the 'Account Disabled' checkbox selected.
>
> Q1. Have other people seen this behavior with Windows Sync ?

Yes, this appears to be a bug in windows sync

> Q2. How can I change this behavior and have the
> windows-accounts enabled from the start ?

Not sure.
<lambam80@hotmail.com>
2008-Dec-03 13:45 UTC
[Fedora-directory-users] 'Account Disabled' Windows Sync Directory Server red cross
Rich, hello and thanks for the quick reply.

You write:

< Yes, this appears to be a bug in windows sync

How might I get further information - is there a BUG number/report ?
Should I try and log a BUG ? If so, where ?

Sorry, I'm new to Fedora/Redhat/Linux (migrating off Sun Solaris, so to speak).

Anyway, I have the following work-around:
- use the password sync mechanism from Redhat - I've yet to test this - next on my list
- Use a script to do the following:
-- create Directory Server user account
-- create Active Directory account using ldapmodify and LDAPS
-- set the Active Directory unicodePwd:: using ldapmodify and LDAPS
-- set the Active Directory userAccountControl: 512 using ldapmodify and LDAPS.
   '512', I believe, 'enables' the account.

Thanks again for your help,

Dave (former employee of iPlanet :-)
Rich Megginson
2008-Dec-03 17:56 UTC
Re: [Fedora-directory-users] 'Account Disabled' Windows Sync Directory Server red cross
lambam80@hotmail.com wrote:
> How might I get further information - is there a BUG number/report ?
> Should I try and log a BUG ? If so, where ?

https://bugzilla.redhat.com/show_bug.cgi?id=470224

> Anyway, I have the following work-around:
> - use the password sync mechanism from Redhat - I've yet to test this
> - next on my list
> - Use a script to do the following:
> -- create Directory Server user account
> -- create Active Directory account using ldapmodify and LDAPS
> -- set the Active Directory unicodePwd:: using ldapmodify and LDAPS
> -- set the Active Directory userAccountControl: 512 using ldapmodify
> and LDAPS. '512', I believe, 'enables' the account.

Yes. See also http://support.microsoft.com/kb/305144

But if you are using WinSync, you can configure it to automatically create accounts in AD when added to DS, and vice versa. So you might just use DirSync or sequence number to look for new AD accounts that are disabled, and enable them. See http://msdn.microsoft.com/en-us/library/ms677626(VS.85).aspx and http://support.microsoft.com/kb/891995

> Dave (former employee of iPlanet :-)

My condolences :-)
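The workaround discussed in the two messages above (set unicodePwd, then userAccountControl, for disabled accounts found in AD), as an added example that is not code from either poster or from the Directory Server project. It only generates LDIF to feed to ldapmodify over LDAPS and clears the disable bit rather than hard-coding 512, so other flags survive; the DNs, OU name, password and function names are invented for illustration.

```python
import base64

# userAccountControl bits as listed in Microsoft KB 305144 (linked in the thread).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200  # decimal 512, the value used in the workaround

# Search filter for disabled user objects; 1.2.840.113556.1.4.803 is
# Active Directory's bitwise-AND matching rule.
DISABLED_USERS_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=2))"
)


def encode_unicode_pwd(password):
    """Return the base64 text that follows 'unicodePwd::' in LDIF.

    AD takes the new password wrapped in double quotes and encoded UTF-16LE.
    """
    quoted = '"' + password + '"'
    return base64.b64encode(quoted.encode("utf-16-le")).decode("ascii")


def ldif_line(attr, value):
    """Format one LDIF line, switching to base64 ('::') for unsafe values."""
    safe = (
        value != ""
        and value[0] not in " :<"
        and value[-1] != " "
        and all(0x20 <= ord(c) < 0x7F for c in value)
    )
    if safe:
        return "%s: %s" % (attr, value)
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return "%s:: %s" % (attr, encoded)


def enabled_uac(current):
    """Return userAccountControl with the account enabled.

    Only ordinary user accounts are accepted, and unrelated bits are kept
    instead of being overwritten with a literal 512.
    """
    if not current & NORMAL_ACCOUNT:
        raise ValueError("not a normal user account: %d" % current)
    return current & ~(ACCOUNTDISABLE | PASSWD_NOTREQD)


def accounts_to_enable(entries, sync_suffix):
    """DNs of disabled normal accounts located under the synced subtree."""
    suffix = sync_suffix.lower()
    selected = []
    for entry in entries:
        dn = entry["dn"].lower()
        in_scope = dn == suffix or dn.endswith("," + suffix)
        uac = entry["uac"]
        if in_scope and uac & ACCOUNTDISABLE and uac & NORMAL_ACCOUNT:
            selected.append(entry["dn"])
    return selected


def build_ldif(dn, current_uac, password):
    """Two modify records: set unicodePwd first, then enable the account."""
    lines = [
        ldif_line("dn", dn),
        "changetype: modify",
        "replace: unicodePwd",
        "unicodePwd:: " + encode_unicode_pwd(password),
        "-",
        "",
        ldif_line("dn", dn),
        "changetype: modify",
        "replace: userAccountControl",
        "userAccountControl: %d" % enabled_uac(current_uac),
        "-",
        "",
    ]
    return "\n".join(lines)


# Constructed sample search results (DNs and values invented for this example).
SAMPLE_ENTRIES = [
    {"dn": "CN=Test User1,OU=Synced,DC=example,DC=com", "uac": 546},
    {"dn": "CN=Test User2,OU=Synced,DC=example,DC=com", "uac": 66050},
    {"dn": "CN=Active User,OU=Synced,DC=example,DC=com", "uac": 512},
    {"dn": "CN=Leaver,OU=Staff,DC=example,DC=com", "uac": 514},
]
SYNC_SUFFIX = "OU=Synced,DC=example,DC=com"  # assumed synced subtree

if __name__ == "__main__":
    by_dn = {e["dn"]: e["uac"] for e in SAMPLE_ENTRIES}
    for dn in accounts_to_enable(SAMPLE_ENTRIES, SYNC_SUFFIX):
        # Placeholder password; a real script reads it from a protected source.
        print(build_ldif(dn, by_dn[dn], "Placeholder-Pw-1"))
```

Restricting the selection to the synced subtree keeps the script from re-enabling accounts that were disabled on purpose elsewhere in the directory.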
<lambam80@hotmail.com>
2008-Dec-08 15:01 UTC
RE: [Fedora-directory-users] 'Account Disabled' Windows Sync - only sync passwords
Rich, hello again and thanks for all your help.

This Email relates to password VS account synchronization.

We'll use my script to create/delete accounts thereby having an identical user base in both RedHat LDAP and Windows.

Therefore, we'd like to use only the 'password' mechanism of 'Windows SYNC'.

I can see, clearly on the RedHat LDAP server how to disable account/group SYNC on the windows side:

- Launch console | Directory Server Configuration TAB | click on replication agreement | uncheck both
  New Windows Users Sync and
  New Windows Groups Sync

And from the document I can read how to disable account/group SYNC on the LDAP side:

http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Using_Windows_Sync.html#Using_Windows_Sync-Synchronizing_Users

< Setting ntUserCreateNewAccount and ntUserDeleteNewAccount on Directory Server entries
< allows the Directory Manager fine-grained control over which users within the
< synchronized subtree will be synched on Active Directory

Is that all I need to do to disable account/group sync but retain password sync ?

Thanks again for your help, Dave
Rich Megginson
2008-Dec-08 15:07 UTC
Re: [Fedora-directory-users] 'Account Disabled' Windows Sync - only sync passwords
lambam80@hotmail.com wrote:
> Therefore, we'd like to use only the 'password' mechanism of 'Windows
> SYNC'.
>
> I can see, clearly on the RedHat LDAP server how to disable
> account/group SYNC on the windows side:
>
> - Launch console | Directory Server Configuration TAB | click on
> replication agreement | uncheck both
> New Windows Users Sync and
> New Windows Groups Sync
>
> And from the document I can read how to disable account/group SYNC on
> the LDAP side:
>
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Using_Windows_Sync.html#Using_Windows_Sync-Synchronizing_Users
>
> < Setting ntUserCreateNewAccount and ntUserDeleteNewAccount on
> Directory Server entries
> < allows the Directory Manager fine-grained control over which users
> within the
> < synchronized subtree will be synched on Active Directory
>
> Is that all I need to do to disable account/group sync but retain
> password sync ?

Yes, I believe so.
<lambam80@hotmail.com>
2008-Dec-09 12:42 UTC
RE: [Fedora-directory-users] 'Account Disabled' Windows Sync - only sync passwords
Rich hello and thanks for your support.

One last question for a former redhat colleague of yours:

'Do we know when this BUG will be fixed' ?

Thanks again, Dave
Rich Megginson
2008-Dec-09 15:18 UTC
Re: [Fedora-directory-users] 'Account Disabled' Windows Sync - only sync passwords
lambam80@hotmail.com wrote:
> One last question for a former redhat colleague of yours:
>
> 'Do we know when this BUG will be fixed' ?

Soon.