David, That did the trick! Thank you for your help. <div>On 12/9/05, David Boreham <<a href="mailto:david_list@boreham.org">david_list@boreham.org</a>> wrote:<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> <div> Bryan Fransman wrote: <blockquote cite="http://mid4e8904490512090848l4e59bcd8w691eb872d4c8158d@mail.gmail.com" type="cite">I'm seeking a little guidance in regard to the Windows Sync configuration. I have the Windows Sync service speaking to the Fedora Directory Server (SSL enabled), but passwords are not updated on the FDS side. Environment is Windows 2000 server, Fedora Core 3 w/ FDS 1.0 w/ the latest PassSync.msi I have configured WinSync to use cn=replication manager,cn=config as the bind user. This user exists in FDS. I enabled logging for the password sync service, and found the following entry in the passsync.log log: 12/09/05 11:17:06: Attempting to sync password for username 12/09/05 11:17:06: Searching for (ntuserdomainid=username) 12/09/05 11:17:06: Ldap error in ModifyPassword 50: Insufficient access 12/09/05 11:17:06: Modify password failed for remote entry: uid=username,ou=People, dc=domain, dc=com 12/09/05 11:17:06: Deferring password change for username 12/09/05 11:17:06: Backing off for 32000ms So, there it is.. the third line of log entry "Insufficient access". I assume that its an ACI problem with the cn=replication manager,cn=config user. I attempted to create an ACI to resolve the issue, but no luck. (targetattr = "*") (target = "<a>ldap:///uid=*,ou=People,dc=domain,dc=com</a>") (version 3.0;acl "WinSync";allow (all,proxy)(userdn = "<a>ldap:///cn=replication manager,cn=config")</a>;) Some help would be greatly appreciated. </blockquote></div> I think you are on the general right track. However, when you used the replication manager DN to bind that probably led you astray. This is because that DN's special access rights are _only_ enforced on real replication sessions. The passsync app is not making a replication connection, just a regular LDAP connection. And so you will not get any of the magical powers of the replication manager DN. I suspect that your new ACI is not giving the desired result because another one that denies access is preempting it. So...quick and dirty way would be to use cn=Directory Manager for the bind DN. The good but longer solution would be to add another user for passsync to bind as and make sure that user has the necessary access rights to userPassword. -- Fedora-directory-users mailing list <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a> <a onclick="return top.js.OpenExtLink(window,event,this)" href="https://www.redhat.com/mailman/listinfo/fedora-directory-users" target="_blank"> https://www.redhat.com/mailman/listinfo/fedora-directory-users</a> </blockquote></div>