16.3. Synchronizing Passwords
- The Password Sync utility must be installed locally on the Windows machine that will be synchronized with a Directory Server.
- Password Sync can only link the Windows machine to a single Directory Server; to sync changes with multiple Directory Server instances, configure the Directory Server for multi-master replication.
- Password expiration warnings and times, failed bind attempts, and other password-related information are enforced locally on each server and are not synchronized between sync peer servers.
- On the Directory Server instance that has the replication agreement with the Windows server configured, set the nsslapd-unhashed-pw-switch parameter in the
- The same bind behavior should occur on all servers. Make sure to create the same or similar password policies on both Directory Server and Active Directory servers.
- Entries that are created for synchronization (for example, the server identities) need to have passwords that never expire. To make sure that these special users have passwords that do not expire, add the passwordExpirationTime attribute to the Directory Server entry, and give it a value of 20380119031407Z (the top of the valid range).
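A defender-side check for the last item, added here as an example and not taken from the guide: it reads an LDIF export of the Directory Server and flags synchronization identities whose passwordExpirationTime is absent or not set to 20380119031407Z. The DNs in SYNC_DNS and the sample export are constructed; which entries count as sync identities is an assumption you supply for your own deployment.

```python
MAX_EXPIRATION = "20380119031407Z"  # top of the GeneralizedTime range quoted in the guide

def parse_ldif(text):
    """Minimal LDIF reader -> [{'dn': str, attr_lower: [values]}]. Unfolds
    continuation lines; comments skipped; base64 ('::') values kept undecoded."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]   # a folded line continues the previous one
        else:
            unfolded.append(raw)
    entries, cur = [], None
    for line in unfolded:
        if line.startswith("#") or not line.strip():
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.lstrip(":").strip()
        if attr == "dn":              # a new entry starts; its attributes fill it in below
            cur = {"dn": value}
            entries.append(cur)
        elif cur is not None:
            cur.setdefault(attr, []).append(value)
    return entries

def audit_sync_identities(ldif_text, sync_dns):
    """Return {dn: problem} for each sync identity whose passwordExpirationTime
    is missing or not pinned to the top of the range; other entries are ignored."""
    wanted = {dn.lower() for dn in sync_dns}
    problems = {}
    for e in parse_ldif(ldif_text):
        if e["dn"].lower() not in wanted:
            continue                  # ordinary users are allowed to expire
        value = e.get("passwordexpirationtime", [None])[0]
        if value is None:
            problems[e["dn"]] = "missing passwordExpirationTime"
        elif value != MAX_EXPIRATION:
            problems[e["dn"]] = "expires at " + value + ", not " + MAX_EXPIRATION
    return problems

SAMPLE_LDIF = """dn: uid=pwsync,cn=config
passwordExpirationTime: 20380119031407Z

dn: uid=winsync,cn=config
passwordExpirationTime: 20250101000000Z

dn: uid=legacysync,cn=config
objectClass: person
"""
SYNC_DNS = ["uid=pwsync,cn=config", "uid=winsync,cn=config", "uid=legacysync,cn=config"]  # constructed
```

A sync identity that is missing from the export entirely is not reported, so compare your list of sync identities against the exported DNs separately.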