Description of problem: When you setup users and groups Sync, the syncronization fails with an "operation error". I sniffed the traffic between 389 DS and Windows (2003) and discovered that the first group is created but after that, there is an error on a modify operation. 389 DS is trying to add the userAccountControl attribute to the group and Windows replies with "object class violation". I've searched in the web and it looks like userAccountControl is only for users, not for groups. Looking at the Windows Sync code it looks like 389 DS always add that attribute for bot Version-Release number of selected component (if applicable): 1.2.8.rc4
Created attachment 490983 [details] Prevents userAccountControl modify for groups
Comment on attachment 490983 [details] Prevents userAccountControl modify for groups There is small bug in this patch, use the other one.
Created attachment 491013 [details] Prevents userAccountControl modify for groups (v2)
To ssh://git.fedorahosted.org/git/389/ds.git ff7be17..c2c82cb master -> master commit c2c82cb46417f033f5a8e1bb2cef58cfb29e82b6 Author: Rich Megginson <rmeggins> Date: Thu Apr 28 13:29:55 2011 -0600 Reviewed by: rmeggins (Author: diego.ar) Branch: master Fix Description: winsync was getting back an error 65 (object class violatio attempting to add the userAccountControl attribute to a group entry. Only do this for user entries. I modified the patch slightly to change the formatting, and to use "is_user" rather than "!is_group" to test whether or not to send the userAccountControl attribute. Platforms tested: RHEL6 x86_64, Windows 2008 r2 Flag Day: no Doc impact: no To ssh://git.fedorahosted.org/git/389/ds.git 96c7f67..3bb70c1 389-ds-base-1.2.8 -> 389-ds-base-1.2.8 commit 3bb70c18739f8f7a04a2382ae7ffcb7d7bc68ec9 Author: Rich Megginson <rmeggins> Date: Thu Apr 28 13:29:55 2011 -0600