By: Luke Rockwell user 22 Aug 2016 at 5:31 p.m. CDT

6 Responses
How do I get the email address in AD to sync to Gluu?

I have tried mapping AD Attribute "mail" to Email, no luck.
I have tried mapping AD Attribute "mail" to mail, no luck.
I have tried mapping AD Attribute "mail" to Email, no luck.
I have tried mapping AD Attribute "userPrincipalName" to Email, no luck.
I have tried mapping AD Attribute "userPrincipalName" to mail, no luck.

By Aliaksandr Samuseu staff 22 Aug 2016 at 5:38 p.m. CDT

Hi, Luke.

> I have tried mapping AD Attribute "mail" to mail no luck

This one should have worked. You need to know the LDAP name of your source attribute and map it to the LDAP name of some Gluu internal attribute that is allowed to be present in the user's entry by schema, that's all. mail -> mail should work. Why do you think the mapping isn't happening? How exactly did you check?

By Aliaksandr Samuseu staff 22 Aug 2016 at 5:39 p.m. CDT

May I ask you to provide screenshots of all CR configuration pages with all your current settings? There is also your other ticket on some issue with CR, are you sure it's working at all?

By Luke Rockwell user 22 Aug 2016 at 5:40 p.m. CDT

I think now that I have it as a Source attribute I don't think I need it in the other field. We will see in the next sync.

By Luke Rockwell user 22 Aug 2016 at 5:57 p.m. CDT

Email addresses appear to be staying after syncs. However, when I try to use GLUU to change an AD user password, it doesn't change the password and AD locks out the account. Why would that be?

By Aliaksandr Samuseu staff 22 Aug 2016 at 6:23 p.m. CDT

> I think now that I have it as a Source attribute I don't think I need it in the other field. We will see in the next sync

I believe in 2.4.4 especially you need to explicitly define all your mappings. So you need a mapping like "mail -> mail" in your case. Try to monitor the CR log in `/opt/tomcat/logs/`; if any problem exists, it should have some clues.

> However when I try to use GLUU to change a AD user password it doesn't change the password and AD locks out the account? Why would that be?

You understand CR's purpose a bit wrong. It will pull all attributes you instruct it to pull, map them the way you set mappings, and optionally put them through your custom CR script if you need some complex transformations. But it never pulls in passwords (actually, in the case of AD it isn't possible to do using the LDAP interface, only using replication APIs).

For actual authentication, an LDAP bind operation to your backend will always be used anyway (unless you use some custom auth script). You configure this part at the "Manage authentication page". The "Change password" button you probably tried to use only makes sense for accounts created directly in Gluu's internal directory.

Usually you must choose between authenticating against the backend, or against the internal directory. You may have both if you employ a custom auth script, but I doubt that's what you need.

By Luke Rockwell user 23 Aug 2016 at 9:59 p.m. CDT

We killed the old server and built a new one in AWS, and AD sync is now working fine. Thanks for the help so far.