Bug 478656

Summary: rhds accounts are disabled in ad after full sync
Product: Red Hat Directory Server
Reporter: Thorsten Scherf <tscherf>
Component: winsync
Assignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Priority: low
Version: 8.0
CC: benl, dlackey, jad, jfenal, jgalipea, nkinder
Hardware: All   
OS: Linux   
Fixed In Version: 8.1
Doc Type: Bug Fix
Last Closed: 2009-04-29 23:09:01 UTC
Bug Blocks: 249650, 493682    
Attachments:
- diffs (flags: none)
- cvs commit log (flags: none)

Description Thorsten Scherf 2009-01-02 22:47:57 UTC
Description of problem:
When I set up a new user in RHDS with ntUser object class, the user is synced correctly to AD. When I set up the user without ntUser attributes and edit the account afterwards to pass the necessary attributes to the account in order to get it synced to AD, the account is available in AD but it's disabled.

These are the values of userAccountControl attribute 

when the account is active: 
userAccountControl: 544

when it's disabled:
userAccountControl: 546




Version-Release number of selected component (if applicable):
redhat-ds-8.0.0-1.4.el5dsrv

How reproducible:
create a user in rhds, don't assign ntUser attributes to the account
assign the attributes later
initialize a full sync
account in AD is disabled

create a user in rhds
assign ntUser attributes to the account
run a regular update sync
account is available and activated in AD


Steps to Reproduce:
1. see above
  
Actual results:
account is disabled 

Expected results:
account is enabled after I passed ntUser attributes to the account

Additional info:

Comment 1 Rich Megginson 2009-01-07 21:30:23 UTC
Created attachment 328417
diffs

Comment 2 Rich Megginson 2009-01-07 21:36:27 UTC
*** Bug 470224 has been marked as a duplicate of this bug. ***

Comment 3 Rich Megginson 2009-01-07 21:46:22 UTC
Created attachment 328420
cvs commit log

Reviewed by: nkinder (Thanks!)
Fix Description: The incremental sync code calls send_accountcontrol_modify after adding an entry, but the total update code does not.  I modified the code to do that.  I also changed the send_accountcontrol_modify to force the account to be enabled if adding it.  I tried just adding userAccountControl:512 to the default user add template, but AD does not like this - gives operations error.  So you have to modify userAccountControl after adding the entry.  I also cleaned up a couple of minor memory leaks.
Platforms tested: RHEL5
Flag Day: no
Doc impact: Yes - we need to document the fact that new accounts will now be created in AD enabled
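
The userAccountControl values quoted in this report (546, 544, 512) are bit fields, and the difference between the disabled and enabled account is a single bit. The following is an added example, not code from the winsync plugin or from the attached diffs: it decodes those values and computes the value to write back to enable an account. The flag names and values are the standard Active Directory ones; the function names `uac_decode`, `uac_is_disabled` and `uac_enable` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Standard AD userAccountControl bits (values as documented by Microsoft). */
#define UF_ACCOUNTDISABLE 0x0002u
#define UF_PASSWD_NOTREQD 0x0020u
#define UF_NORMAL_ACCOUNT 0x0200u

struct uac_flag { unsigned bit; const char *name; };
static const struct uac_flag uac_flags[] = {
    { UF_ACCOUNTDISABLE, "ACCOUNTDISABLE" },
    { UF_PASSWD_NOTREQD, "PASSWD_NOTREQD" },
    { UF_NORMAL_ACCOUNT, "NORMAL_ACCOUNT" },
};
#define N_FLAGS (sizeof uac_flags / sizeof uac_flags[0])

/* Write the names of the known flags set in uac into buf, '|'-separated.
 * Returns the bits this table does not cover (0 when fully decoded). */
unsigned uac_decode(unsigned uac, char *buf, size_t len)
{
    size_t i;
    if (len == 0) return uac;
    buf[0] = '\0';
    for (i = 0; i < N_FLAGS; i++) {
        if (!(uac & uac_flags[i].bit)) continue;
        if (buf[0]) strncat(buf, "|", len - strlen(buf) - 1);
        strncat(buf, uac_flags[i].name, len - strlen(buf) - 1);
        uac &= ~uac_flags[i].bit;
    }
    return uac;
}

int uac_is_disabled(unsigned uac) { return (uac & UF_ACCOUNTDISABLE) != 0; }

/* Value to write back so the account is enabled; all other bits are kept. */
unsigned uac_enable(unsigned uac) { return uac & ~UF_ACCOUNTDISABLE; }

int main(void)
{
    const unsigned samples[] = { 546, 544, 512 }; /* values quoted in this report */
    char names[64];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned rest = uac_decode(samples[i], names, sizeof names);
        printf("%u = %s, undecoded=0x%x, disabled=%d, enabled value=%u\n",
               samples[i], names, rest, uac_is_disabled(samples[i]), uac_enable(samples[i]));
    }
    return 0;
}
```

Decoding shows that both 544 and 546 carry PASSWD_NOTREQD (0x20) in addition to NORMAL_ACCOUNT, so that bit is worth reviewing on synced accounts separately from the disabled bit.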

Comment 6 Jenny Severance 2009-04-08 14:53:41 UTC
fix verified passsync 1.1.0 - DS 8.1 - RHEL 4

Comment 7 Chandrasekar Kannan 2009-04-29 23:09:01 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html