Synchronizing Account Inactivation with Account Disabling
Glenn wrote:
> We are still using Fedora Directory Server 1.0.4 and synchronizing with
> Active Directory. Our procedure for removing accounts includes a waiting
> period when the AD account is disabled. Disabling the AD account does not
> inactivate the corresponding FD account. The folks that do account
> maintenance do not have access to the FD java console, so rather than
> inactivating the FD account, they delete it using DSGW. Unfortunately, this
> also deletes the disabled AD account.
>
> Is there a way to make sync inactivate the FD account when the AD account is
> disabled?
>
FreeIPA Windows sync can do this, but it requires you to set up FreeIPA.
> As an alternative, can we make account activation/inactivation available to
> our account people via DSGW? Some particulars would be appreciated.
>
Not likely.
> I know that setting the "ntuserdeleteaccount" attribute to "false" will
> prevent the AD account from being removed when the FD account is removed.
> But new accounts created in AD are duplicated by sync in FD with the
> attribute set to "true". If anyone could suggest a way to make this default
> to "false," that would be an improvement.
>
I don't know of a way to do this.
> Thanks. -G.
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>