Hi community,

Since I spent hours to find out how to make it work, and to actually make it work, here is a summary about:
- exporting password to AD
- exporting user status (disabled/enabled) to AD

Tested with 6.2m3.

1. configure AD with SSL to enable LDAPS
2. import the certificate into your Tomcat (or any webapp server) JVM
3. Map Liferay password attribute to "unicodePwd", which encoding is correctly handled by Liferay
4. Set ldap password encryption to empty (ie. keep the property in portal-ext.properties without any value)
5. Create your own UserModelListener. Force ldap export when password is changed, e.g onAfterCreate
if (model.getPassword() != null) {
try {
model.setPasswordModified(true);
PortalLDAPExporterUtil.exportToLDAP(model, null);
} catch (Exception e) {
e.printStackTrace();
}
}

For exporting the "userAccountControl" to reflect the user status in AD:
1. Override DefaultPortalToLDAPConverter
2. Add the following in getLDAPUserModifications
addModificationItem("userAccountControl", user.isActive()?"544":"546", modifications);
3. In your UserModelListener, onAfterUpdate
PortalLDAPExporterUtil.exportToLDAP(model, null);
(you can analyse the thread's stack to avoid multiple LDAP export and do it only on actual statusUpdate)

Good luck, and thank you to all those who posted information.

Regards
Hervé