On 7/26/2012 4:46 AM, rajeshemailto wrote:
> Dear Specialists,
> We are integrating AD with IDM 4.0.2 using "*-Three Server
> Configuration-*" as mentioned in ad.pdf, Section 2.2.4. As per the same
> document's Section 2.4, the *Administrative Account* must have the following
> permissions:
> 1. Must be a member of the *Administrative* group
> 2. Read access at the root of the domain
> 3. Replicating Directory Change rights at the root of the domain
> The above (2) & (3) are acceptable under the client's organization policy, but for
> (1) we need to clarify what we mean by the *Administrative* group. I
> believe it is one of

#1 is meant to provide access to read and write attributes in AD. It
does not (I believe) HAVE to be a Domain Admin. But whatever rights you
give it instead are basically what it can do. So if it cannot delete
groups, then sending a delete event for a group will not work.

So figure out what your driver is allowed to do and give it just those
rights instead of Domain Admin.

> - Domain Administrator
> - Local Administrator Group of Application Server
> Also, AD does not have LDAP SSL enabled. Can we configure password
> sync without SSL communication between the AD server & Remote Loader
> server?

No. As I understand it, the AD APIs won't let you send the password in
clear text (or maybe Novell enforced it; it was never clear), but this
will fail without SSL enabled on AD.

> Looking forward to your valuable response.
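Added example, not part of the original thread or of the IDM driver documentation: a PowerShell audit of what a candidate driver account actually holds at the domain root (read access, the Replicating Directory Changes extended right, any write rights, Domain Admins membership), so the account can be delegated only the rights the driver needs rather than Domain Admin. It assumes the RSAT ActiveDirectory module is installed and uses 'svc-idm-ad' as a placeholder account name.

```powershell
# Audit a driver account's effective ACEs at the domain root.
# Assumption: 'svc-idm-ad' is a placeholder for the IDM driver's account.
Import-Module ActiveDirectory

$account = 'svc-idm-ad'
$domain  = Get-ADDomain
$root    = "AD:\$($domain.DistinguishedName)"
$netbios = $domain.NetBIOSName
$adr     = [System.DirectoryServices.ActiveDirectoryRights]

# Well-known GUID of the "Replicating Directory Changes" extended right
# (DS-Replication-Get-Changes). An empty ObjectType GUID on an
# ExtendedRight ACE means "all extended rights", so it is matched too.
$replGuid = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

# Principals to match: the account itself plus its direct group memberships.
# (Nested groups and well-known principals such as Authenticated Users are
# not expanded here; treat a "False" result as "not explicitly granted".)
$principals = @("$netbios\$account") +
    (Get-ADPrincipalGroupMembership -Identity $account |
        ForEach-Object { "$netbios\$($_.SamAccountName)" })

$aces = (Get-Acl -Path $root).Access |
    Where-Object { $principals -contains $_.IdentityReference.Value -and
                   $_.AccessControlType -eq 'Allow' }

$hasRead = $aces | Where-Object {
    ($_.ActiveDirectoryRights -band $adr::ReadProperty) -ne 0 }
$hasRepl = $aces | Where-Object {
    ($_.ActiveDirectoryRights -band $adr::ExtendedRight) -ne 0 -and
    ($_.ObjectType -eq $replGuid -or $_.ObjectType -eq [guid]::Empty) }
$writes  = $aces | Where-Object {
    ($_.ActiveDirectoryRights -band
        ($adr::WriteProperty -bor $adr::CreateChild -bor $adr::DeleteChild)) -ne 0 }

[pscustomobject]@{
    Account                     = $account
    ReadAtDomainRoot            = [bool]$hasRead
    ReplicatingDirectoryChanges = [bool]$hasRepl
    MemberOfDomainAdmins        = ($principals -contains "$netbios\Domain Admins")
    # Write/create/delete ACEs are what actually decide whether the driver's
    # add/modify/delete events will succeed, per the reply above.
    WriteCreateDeleteACEs       = ($writes | ForEach-Object {
        "$($_.ActiveDirectoryRights) on $($_.ObjectType)" }) -join '; '
} | Format-List
```

Run it against the account the driver will use; if MemberOfDomainAdmins is True but the listed write ACEs cover only what the driver's policies actually send, the Domain Admins membership can be dropped in favour of those delegated rights.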