I have a site that I'm in the process of upgrading to eDir 9.0.4 (can't go to 9.1 yet due to IdM). They are mostly on 8.8 SP8 FTF 11. There are 10 servers in the tree and I've upgraded two of them to eDir 9.0.4. Everything seems fine, but a really odd problem was noticed.

They have IdM so they noticed that when new users were created, they were not getting sync'd to AD. I discovered that the reason was there was no password. However, I quickly determined by doing some tests that the new users were getting passwords, but it appears the distribution password was not being set.

So I did a whole bunch of poking around. The password policies being used have been in place for many years. The main policy being used is assigned to the ou=users container, which is where all the users get created. I double checked the settings and sure enough, it is configured to set the Distribution Password.

Next I tried creating some dummy users using a really simple LDIF, just the name and password. The user's create fine, but low and behold, no distribution password! So I used the old getpass tool to double check (it works against eDir 9 if you disable FIPS mode). And sure enough, no distribution password!

But here is where it gets even stranger. If I just do a simple LDAP bind with one of the users I created and then check again, the distribution password is there! I'm totally baffled.

I even tried creating dummy users using iManager and I experienced the same behavior. I also tried explicitly setting the password policy in my LDIF too, directly assigning it to the user. Still, NO DP on new user creation!!!

Has anyone ever seen this? It is causing me tons of grief. The policy isn't anything special, it is using Microsoft Windows 2008 syntax.