I have 389 DS working with Windows Sync against
Windows 2003. It works fine, including the password
replication. Anyway I found that (obviously) the
password replication from 389 to AD works only if the
client changes the password using "Password Modify
(RFC 3062) extended operation". This works with the
Python module or the ldappasswd utility.
The problem is the Admin Console. When you change
the user's password from the console, I see a MOD
operation in the log file, and obviously the password
is not replicated to AD.
As long as the new password sent to the server is clear
text, it should not matter if you use a regular LDAP modify
or the password change extop.
Shall I file a bug report or am I missing
something?
Ok. I haven't looked at the code of the console because I don't
program in Java. I couldn't see the traffic because I use TLS/SSL.
If the replication doesn't work when I change the password
from the 389 Admin Console, I think that the password is not in
clear text on the modify operation.
Either that, or the console is doing a modify delete followed by a
modify add. This type of userPassword operation is not replicated.
This bug is fixed in 1.2.8.3 now in testing.