Case 2

In Case 2, the LDAP store is in a state of waiting. Specifically, the system is waiting for an opportunity to capture the current, correct password for the LDAP store. In this case, a properly configured Identity Synchronization for Windows system marks the corresponding entry in the LDAP store as outdated or stale.

When an Identity Synchronization for Windows - enhanced Directory Server system gets a bind against a stale user, Identity Synchronization for Windows replays the given bind credentials to the configured Windows Active Directory to see if the user-supplied password is acceptable. If Active Directory authenticates the password, Identity Synchronization for Windows modifies the LDAP store so that it now possesses the password. Directory Server may eventually hash the value as part of its password policy and clears the stale status.

This process is known as on-demand synchronization, which results in both systems becoming synchronized with regard to the given entry after a successful bind occurs against the LDAP store.