Password sync to AD 2003

swallac2 (Junior Member; joined Mar 2008; 2 posts), 31-Mar-2008, 01:25 PM

We are currently sync'ing accounts from eDir 8.8.2 to AD 2003. We can do it all just fine if we give the driver admin rights to the part of the tree that we wish to replicate. We are trying to get the eDir account privileges down to the bare minimum. When we limit the connector to Browse/Compare all Entry and Attrs the objects flow to AD just fine (we have given the connector in AD Admin privileges to the OU where the objects are being placed). The problem though is that each operation gives a "generateKeyPair -672 ERR_NO_ACCESS" error on the Publisher channel. I wish that I could share the trace with all of you, but it is on a private network and the removal of data is prohibited (always makes troubleshooting fun!). We do want the connector to be able to set passwords in the other direction, from AD to eDir, but again we want limited rights. We know that we could give the connector admin to the OU which is being replicated, but that in turn gives the connector more rights than it should have. We have tried to add private/public key to the trustee list, but only public key is listed in the selection box. We are attempting to add the connector user to an account management role to see if that will do it, but I am not hopeful.

I know this may sound like we are going overboard to some folks, but we are trying to limit the overall exposure of each account. We know that we are protected by the driver filter to keep other operations out and by disabling the account it can't be hijacked. We are just a paranoid group of people :)
All times are GMT -6.


© 2007 Novell, Inc. All Rights Reserved.
