Created attachment 369802 [details]
Log of the 389DS server with replication logging turned on during a password change.

> Description of problem:

Servers: 
* AD 2008 64 bit, running on Windows Server 2007 SP2
* 389DS 1.2.4 running on CentOS 5.3

passsync 1.1.4 will successfully capture and replicate passwords from the 2008 AD server to the 389DS server.  However, winsync on the 389DS server is unable to replicate passwords to the AD server.

It appears that winsync binds to as the replication manager to the AD server, attempts to bind as the user to verify that the password needs to be changed, fails, and then stops.  Five minutes later, it attempts to change the password again and the log reports the following:

[16/Nov/2009:16:53:36 -0500] NSMMReplicationPlugin - agmt="cn=ita4windc2-user" (ita4windc2:636): AD already has the current password for CN=<CN> Not sending password modify to AD.

Replication is binding to AD over port 636/LDAPS, and all other changes continue to flow normally.  Winsync password changes appear to be the only issue.

The following functions correctly against the AD server when the password is set on the AD side, but not when the password is set on the 389DS side and replicated back:

/usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-<host>/cert8.db -h <AD SERVER> -p 636 -D "CN=<CN>" -w '<password>' -s base -b 'dc=corp,dc=itasoftware,dc=com' "objectclass=*"

> Version-Release number of selected component (if applicable):

389DS 1.2.4

> How reproducible:

We only have one environment.

> Additional info:

With regards to http://support.microsoft.com/kb/906305/en-us, the AD server has had the OldPasswordAllowedPeriod set to 0.  This did not affect the behaviour of the servers in the slightest.