Multi-master replication + AD password synchronisation
I have the following situation:
- ds1 running 1.2.6.a3
- ds2 running 1.2.5.rc3 (yes, I will get around to bringing them up to
the same version soon)
- Multi-master replication agreements between both hosts
- A synchronisation agreement to a Windows 2008 AD on ds1
Although I am sure I have tested password changes on ds2 synchronising
to ds1 then to the AD, I have recently put ds2 in production and found
that this is not working. To be more specific:
- Password changes on Windows work fine, as the Password Sync service
picks them up, pushes them to ds1, which then replicates the change
- Password changes on ds1 work fine, are replicated to ds2 and are
synchronised to AD
- Password changes on ds2 replicate to ds1, and while there are
entries in the Replication log on ds1 for a modification to the AD,
the Windows password is not changed
Looking at the documentation at
there are no caveats mentioned regarding multi-master replication and AD
password sync, in fact their provided architecture diagram (lower part
of the page) seems to indicate it should work in this situation.
Furthermore, the text backs this up with:
"The Directory Server relies on the Multi-Master Replication Plug-in to
synchronize user and group entries. The same changelog that is used for
multi-master replication is also used to send updates from the Directory
Server to Active Directory as LDAP operations."
"Directory Server passwords are synchronized along with other entry
attributes because plain-text passwords are retained in the Directory
I did search the mailing list and turned up
but I was hoping there is a different answer 6 months on. It seems to me
that if 389 is storing password changes in the clear in the changelog,
it should be able to push this cleartext password to AD when ds1
gets the replication?
Alternatively, if this is absolutely just not a supported feature, would
it be possible to set up a second AD synchronisation agreement on ds2 to
the AD but specify ONLY to sync userPassword attribute changes?
(disabling the create/delete new user/group options in the sync
agreement of course to try and not cause loops or other problems).
The same documentation referenced above specifically says NOT to have
different DSs syncing to the same AD domain, but does that still apply
if it's a very limited attribute synchronisation?
Any help appreciated.
389 users mailing list