478656 – rhds accounts are disabled in ad after full sync

Bug 478656 - rhds accounts are disabled in ad after full sync

Summary: rhds accounts are disabled in ad after full sync

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Directory Server
Classification:	Red Hat
Component:	winsync
Sub Component:
Version:	8.0
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Rich Megginson
QA Contact:	Chandrasekar Kannan
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	470224 (view as bug list)
Depends On:
Blocks:	249650 FDS1.2.0
TreeView+	depends on / blocked

Reported:	2009-01-02 22:47 UTC by Thorsten Scherf
Modified:	2015-01-04 23:35 UTC (History)
CC List:	6 users (show)
Fixed In Version:	8.1
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-04-29 23:09:01 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
diffs (4.39 KB, patch) 2009-01-07 21:30 UTC, Rich Megginson	no flags	Details \| Diff
cvs commit log (242 bytes, text/plain) 2009-01-07 21:46 UTC, Rich Megginson	no flags	Details
View All

Description Thorsten Scherf 2009-01-02 22:47:57 UTC

Description of problem:
When I setup a new user in RHDS with ntUser object class, the user is synced correctly to AD. When I setup the user without ntUser attributes and edit the account afterwards to pass the necessary attributes to the account in order to get it synced to AD, the account is available in AD but it's disabled.

These are the values of userAccountControl attribute 

when the account is active: 
userAccountControl: 544

when it's disabled:
userAccountControl: 546




Version-Release number of selected component (if applicable):
redhat-ds-8.0.0-1.4.el5dsrv

How reproducible:
create a user in rhds, don't assign ntUser attributes to the account
assign the attributes later
initialize a full sync
account in AD is disabled

create a user in rhds
assign ntUser attributes to the account
run a regular update sync
account is available and activated in AD


Steps to Reproduce:
1. see above
2.
3.
  
Actual results:
account is disabled 

Expected results:
account is enabled after I passed ntUser attributes to the account

Additional info:

Comment 1 Rich Megginson 2009-01-07 21:30:23 UTC

Created attachment 328417 [details]
diffs

Comment 2 Rich Megginson 2009-01-07 21:36:27 UTC

*** Bug 470224 has been marked as a duplicate of this bug. ***

Comment 3 Rich Megginson 2009-01-07 21:46:22 UTC

Created attachment 328420 [details]
cvs commit log

Reviewed by: nkinder (Thanks!)
Fix Description: The incremental sync code calls send_accountcontrol_modify after adding an entry, but the total update code does not.  I modified the code to do that.  I also changed the send_accountcontrol_modify to force the account to be enabled if adding it.  I tried just adding userAccountContro:512 to the default user add template, but AD does not like this - gives operations error.  So you have to modify userAccountControl after adding the entry.  I also cleaned up a couple of minor memory leaks.
Platforms tested: RHEL5
Flag Day: no
Doc impact: Yes - we need to document the fact that new accounts will now be created in AD enabled

Comment 6 Jenny Severance 2009-04-08 14:53:41 UTC

fix verified passsync 1.1.0 - DS 8.1 - RHEL 4

Comment 7 Chandrasekar Kannan 2009-04-29 23:09:01 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html

Note You need to log in before you can comment on or make changes to this bug.