Bug 478656 - rhds accounts are disabled in ad after full sync
Summary: rhds accounts are disabled in ad after full sync
Alias: None
Product: Red Hat Directory Server
Classification: Red Hat
Component: winsync
Version: 8.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Chandrasekar Kannan
Duplicates: 470224
Depends On:
Blocks: 249650 FDS1.2.0
Reported: 2009-01-02 22:47 UTC by Thorsten Scherf
Modified: 2015-01-04 23:35 UTC (History)

Fixed In Version: 8.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-04-29 23:09:01 UTC
Target Upstream Version:

Attachments
diffs (4.39 KB, patch), 2009-01-07 21:30 UTC, Rich Megginson
cvs commit log (242 bytes, text/plain), 2009-01-07 21:46 UTC, Rich Megginson

Description Thorsten Scherf 2009-01-02 22:47:57 UTC
Description of problem:
When I set up a new user in RHDS with ntUser object class, the user is synced correctly to AD. When I set up the user without ntUser attributes and edit the account afterwards to pass the necessary attributes to the account in order to get it synced to AD, the account is available in AD but it's disabled.

These are the values of userAccountControl attribute 

when the account is active: 
userAccountControl: 544

when it's disabled:
userAccountControl: 546

Version-Release number of selected component (if applicable):

How reproducible:
create a user in rhds, don't assign ntUser attributes to the account
assign the attributes later
initialize a full sync
account in AD is disabled

create a user in rhds
assign ntUser attributes to the account
run a regular update sync
account is available and activated in AD

Steps to Reproduce:
1. see above
Actual results:
account is disabled 

Expected results:
account is enabled after I passed ntUser attributes to the account

Additional info:

Comment 1 Rich Megginson 2009-01-07 21:30:23 UTC
Created attachment 328417

Comment 2 Rich Megginson 2009-01-07 21:36:27 UTC
*** Bug 470224 has been marked as a duplicate of this bug. ***

Comment 3 Rich Megginson 2009-01-07 21:46:22 UTC
Created attachment 328420
cvs commit log

Reviewed by: nkinder (Thanks!)
Fix Description: The incremental sync code calls send_accountcontrol_modify after adding an entry, but the total update code does not.  I modified the code to do that.  I also changed the send_accountcontrol_modify to force the account to be enabled if adding it.  I tried just adding userAccountControl:512 to the default user add template, but AD does not like this - gives operations error.  So you have to modify userAccountControl after adding the entry.  I also cleaned up a couple of minor memory leaks.
Platforms tested: RHEL5
Flag Day: no
Doc impact: Yes - we need to document the fact that new accounts will now be created in AD enabled
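
The two values in the report, 544 and 546, differ only in the ACCOUNTDISABLE bit (0x2), and both also carry PASSWD_NOTREQD (0x20). As an added example, not part of this bug report or the winsync code, the script below decodes userAccountControl values from a constructed LDIF-style export and lists accounts that a sync left disabled or without a password requirement; the DNs and function names are assumptions.

```python
# Added example (not from the bug report or the winsync source).
# Bit values are the documented Active Directory userAccountControl flags.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020

def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def enabled_value(value):
    """Value a post-add modify would need to write to enable the account (clears 0x2 only)."""
    return value & ~ACCOUNTDISABLE

def parse_ldif(text):
    """Yield (dn, uac) for each blank-line-separated entry carrying userAccountControl."""
    for block in text.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if "dn" in attrs and "userAccountControl" in attrs:
            yield attrs["dn"], int(attrs["userAccountControl"])

def audit(text):
    """Report synced accounts that are disabled or flagged as not requiring a password."""
    findings = []
    for dn, uac in parse_ldif(text):
        if uac & ACCOUNTDISABLE:
            findings.append((dn, "disabled", enabled_value(uac)))
        if uac & PASSWD_NOTREQD:
            findings.append((dn, "password-not-required", uac & ~PASSWD_NOTREQD))
    return findings

# Constructed sample export: the DNs are hypothetical, the values are those in the report.
SAMPLE = """\
dn: CN=alice,CN=Users,DC=example,DC=com
userAccountControl: 544

dn: CN=bob,CN=Users,DC=example,DC=com
userAccountControl: 546
"""

if __name__ == "__main__":
    for dn, issue, suggested in audit(SAMPLE):
        print(f"{dn}: {issue} (userAccountControl would be {suggested})")
```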

Comment 6 Jenny Severance 2009-04-08 14:53:41 UTC
fix verified passsync 1.1.0 - DS 8.1 - RHEL 4

Comment 7 Chandrasekar Kannan 2009-04-29 23:09:01 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

