This article describes how to synchronize the Active Directory password to 389 Directory Server using the PassSync utility.

Configuring the User Permission

The 389 Directory Server sync user account should be given permission to update the password field. In our example, it is uid=SMaster,cn=config. You can create a sync user account using this article.

389 Management Console2. Click the + sign corresponding to your server. Next, click the + sign corresponding to Server Group and click Directory Server. Finally, click the Open button in the Directory Server page.
Access Permission3. Click the Directory tab and click the folder corresponding to your domain. Next, right click that same folder and click Set Access Permissions.
Manage Access Control4. In the Manage Access Control window, click New.
Edit ACI5. In the Edit ACI window, click Edit Manually.
Edit ACI Manual
6. Change the value of the ACI to the one below. Click Ok when you are done.
(targetattr = "*") 
(version 3.0;
acl "PassSync";
allow (all)
(userdn = "ldap:///uid=SMaster,cn=config")
userdn should correspond to your sync user account.
Manage Access Control7. Finally, click Ok.

Installing PassSync

PassSync should be installed in every Windows domain controller in your domain. You can download the PassSync installer here.

PassSync Welcome1. Launch the PassSync installer and click Next.
PassSync Setup
2. Fill up the Password Synchronization Information page and click Next. Below are the description of the fields. Specify in Cert Token the password you plan to assign to the certificate database when you create it later. The password should be at least 8 characters long, and should contain at least one non-alphabetic character.
Host Name
389 Directory Server host name
Port Number
389 Directory Server SSL port number
User Name
User account in 389 Directory Server
Password of user account
Cert Token
Certificate database password
Search Base
389 Directory Server base DN

NoteThe settings above will be stored in the registry located in the HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync path.
PassSync Ready3. Click Next in the Ready to Install page.
PassSync Finish4. Finally, click Finish.

Creating the Certificate Database

pk12util1. Export the 389 Directory Server certificate using the command below. Execute the command in the /etc/dirsrv/slapd-xxx directory where xxx corresponds to your directory server identifier. Copy the output file servercert.p12 to your target Windows Server.
pk12util -d . -o servercert.p12 -n Server-Cert -k pwdfile.txt
pwdfile.txt contains the certificate database password created by the script. Use -K password to provide your own password if you manually configured SSL in 389 Directory Server.
2. In the Windows Server, create the certificate database and load the 389 Directory Server certificate into it using the commands below. Before executing the commands below, change the Command Prompt’s current directory to the installation directory of PassSync, usually at “C:\Program Files\Red Hat Directory Password Synchronization”.
certutil -d . -N
pk12util -d . -i servercert.p12
certutil -d . -M -n Server-Cert -t "P,P,P"

Testing PassSync

Password Synchronization service1. Restart the Password Synchronization service.
Reset user password2. Reset a user password and check if it synchronizes with 389 Directory Server.
NoteIf you encounter any problems, check the log file at C:\Program Files\Red Hat Directory Password Synchronization\passsync.log

Visit the forum to ask for help or to give a comment.

Posted on 2/10/2009 and last updated on 11/6/2009
Filed under 389 Directory Server , Active Directory