I am setting up a new eDir to eDir driver on IDM 3.6.1. Both drivers are on Windows 2008. I am able to synchronize users and change attributes, but passwords are not synchronizing in either direction. Universal Password is enabled in both trees and has the same settings. For testing purposes I disabled password policy enforcement but that didn't help. I set "Application accepts passwords from Identity Manager", "Identity Manager accepts passwords from applications", and "Publish passwords to Distribution Password" to true, and set "Publish passwords to NDS password" to false.

According to the trace, the password is coming across, as this is in the final document on the publisher channel when the user object is being created:

<add-attr attr-name="nspmDistributionPassword" enforce-password-policy="false"><!-- content suppressed -->
The object is created in the second tree but there is no Public Key attribute, and I am unable to log in with either the password from the first tree or with no password.

Less than a second later I get a document on the subscriber channel that sets the DirXML-PasswordSyncStatus:

<modify-attr attr-name="DirXML-PasswordSyncStatus">
          <value timestamp="1345243554#1" type="string">C4987CAB2D1B5F408C9E87C77500EF7620120817224554010000000000001Code(-8016) Operation vetoed by object matching policy.</value>
Huh? The only object matching policy I have is the standard "Match based on name and placement", and it isn't matching since it doesn't exist in the destination tree - it's creating, and succeeding at that operation.

Any ideas where I should look?