16.3. Synchronizing Passwords

Password changes in a Directory Server entry can be synchronized to password attributes in Active Directory entries by using the Password Sync utility.
When passwords are synchronized, password policies are enforced on each sync peer locally. The syntax or minimum length requirements on the Directory Server apply when the password is changed in the Directory Server. When the changed password is synchronized over to the Windows server, the Windows password policy is enforced.


The password policies themselves are not synchronized.
Configuration information is kept locally and cannot be synchronized, including the password change history and the account lockout counters.
When configuring a password policy for synchronization, consider the following points:
  • The Password Sync utility must be installed locally on the Windows machine that will be synchronized with a Directory Server.
  • Password Sync can only link the Windows machine to a single Directory Server; to sync changes with multiple Directory Server instances, configure the Directory Server for multi-supplier replication.
  • Password expiration warnings and times, failed bind attempts, and other password-related information is enforced locally per server and is not synchronized between sync peer servers.
  • On the Directory Server instance that has the replication agreement with the Windows server configured, set the nsslapd-unhashed-pw-switch parameter in the cn=config entry to on.
  • The same bind behavior should occur on all servers. Make sure to create the same or similar password policies on both Directory Server and Active Directory servers.
  • Entries that are created for synchronization (for example, the server identities) need to have passwords that never expire. To make sure that these special users have passwords that do not expire, add the passwordExpirationTime attribute to the Directory Server entry, and give it a value of 20380119031407Z (the top of the valid range).