

Deleted Active Directory Account Not Reflected in CA CloudMinder

Symptom:

After configuring directory synchronization with an Active Directory user store, deleting an account in Active Directory does not delete the corresponding CA CloudMinder account.

Adding or updating user information in Active Directory does update CA CloudMinder successfully.

Solution:

By default, the searchFlags value on the Active Directory schema definition of the mail attribute is 0x00000001. This setting makes the mail attribute indexed for Active Directory searches, but it does not preserve the attribute in the tombstone object when the account is deleted.

To make account deletions reach CA CloudMinder, use the AdFind or AdMod commands to set the third bit of the searchFlags value to 1 (0x00001001). With that bit set, the mail attribute is preserved in the tombstone object, and the change notification that Active Directory sends to the on-premise CA IAM Connector Server for the deletion therefore includes the mail value.
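The same change in PowerShell with the ActiveDirectory module, as an added example that is not part of this CA CloudMinder page (which uses AdFind/AdMod): the preserve-on-delete flag is fPRESERVEONDELETE (0x8 in the MS-ADTS searchFlags definition), so ORing it into the default 0x1 yields 0x9, binary 1001. It assumes the schema master is reachable and the account running it holds Schema Admins rights.

```powershell
# Added example, not from the CA CloudMinder documentation. Sets the
# preserve-on-delete bit of searchFlags on the schema definition of the
# 'mail' attribute with the ActiveDirectory module (instead of AdFind/AdMod),
# then verifies that mail survives on user tombstones. Needs Schema Admins.
Import-Module ActiveDirectory

$fATTINDEX         = 0x1   # indexed for searches (the default described above)
$fPRESERVEONDELETE = 0x8   # value is kept in the tombstone (MS-ADTS searchFlags)

$schemaMaster = (Get-ADForest).SchemaMaster   # schema writes go to the FSMO holder
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

# Locate the schema object by lDAPDisplayName instead of hard-coding its CN.
$mailSchema = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=mail)' -Properties searchFlags

$current = [int]$mailSchema.searchFlags
'Current searchFlags on mail: 0x{0:X8}' -f $current

if ($current -band $fPRESERVEONDELETE) {
    'mail is already preserved on delete; no change needed.'
} else {
    # OR the bit in so existing flags such as fATTINDEX are left untouched.
    $new = $current -bor $fPRESERVEONDELETE
    Set-ADObject -Server $schemaMaster -Identity $mailSchema.DistinguishedName `
        -Replace @{ searchFlags = $new }

    # Reload the schema cache now instead of waiting for the periodic refresh.
    $rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
    $rootDse.Put('schemaUpdateNow', 1)
    $rootDse.SetInfo()

    $after = [int](Get-ADObject -Server $schemaMaster `
        -Identity $mailSchema.DistinguishedName -Properties searchFlags).searchFlags
    'New searchFlags on mail:     0x{0:X8}' -f $after
}

# Check: tombstones of users deleted after the change should now carry mail.
# Accounts deleted before the change keep their old, mail-less tombstones.
Get-ADObject -IncludeDeletedObjects `
    -LDAPFilter '(&(isDeleted=TRUE)(objectClass=user))' `
    -Properties mail, whenChanged |
    Select-Object Name, whenChanged, mail |
    Sort-Object whenChanged -Descending |
    Select-Object -First 10
```

Delete a test account after running this and confirm its tombstone shows a mail value before expecting the deletion to appear in CA CloudMinder.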