On 09/17/2012 04:55 PM, Steven Jones wrote:
Winsyc plugin used in IPA comes originally from DS. In the context of IPA it can be only one way so changing this configuration is not something we expect or would work in IPA. In the DS context you can have two way sync of users and groups.
AFAIK (Rich please correct me) we do not replicate the enabled/disabled status from IPA to AD.
Conceptually we think of the AD as authoritative source for the information. Allowing user to be disabled by IPA admin and then replicate this status back violates this model and would sound really dangerous for AD side. Are you sure that even if that would have been allowed your AD admins would actually permit you to do that?
Anyways so far it is one of the limitations of the current product. You can definitely explain the use case in a bit more details and file an RFE. If the use case is compelling we will consider it for the later release.
-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/