I am setting up a new eDir to eDir driver on IDM 3.6.1. Both drivers are
on Windows 2008. I am able to synchronize users and change attributes,
but passwords are not synchronizing in either direction. Universal
Password is enabled in both trees and has the same settings. For testing
purposes I disabled password policy enforcement but that didn't help. I
set "Application accepts passwords from Identity Manager", "Identity
Manager accepts passwords from applications", and "Publish passwords to
Distribution Password" to true, and set "Publish passwords to NDS
password" to false.

According to the trace, the password is coming across, as this is in
the final document on the publisher channel when the user object is
being created:

<add-attr attr-name="nspmDistributionPassword" enforce-password-policy="false"><!-- content suppressed -->

The object is created in the second tree but there is no Public Key
attribute, and I am unable to login with either the password from the
first tree or with no password.

Less than a second later I get a document on the subscriber channel
that sets the DirXML-PasswordSyncStatus:

<modify-attr attr-name="DirXML-PasswordSyncStatus">
<value timestamp="1345243554#1" type="string">C4987CAB2D1B5F408C9E87C77500EF762012 0817224554010000000000001Code(-8016) Operation vetoed by object matching policy.</value>

Huh? The only object matching policy I have is the standard "Match
based on name and placement", and it isn't matching since it doesn't
exist in the destination tree - it's creating, and succeeding at that

Any ideas where I should look?

ambradley's Profile: https://forums.netiq.com/member.php?userid=177
View this thread: https://forums.netiq.com/showthread.php?t=2365