The Driver is to be "effectively" read-only to the eDirectory IV.

Users (with passwords), Groups and OUs are being sync'd to an LDAP

As a best practice, it is the intention to create a user that the driver
runs as in the IV.

The desire is to only assign the rights necessary to the appropriate
containers and for the attributes that the driver must have rights.

What does the driver require to be able to run in these conditions?

Currently, the driver has to the container where the users are located
in the IV:
DirXML-Associations Compare Read Write
[All Attributes Rights] Compare Read
[Entry Rights] Browse

When syncing a user from IV to LDAP, an error shows as:
15:59:16 6767F1A0 Drvrs: Unable to get nspm password(2) failed, -1659
(0xfffff985), subject OID-LDAP.DriverSet.DIRXML.SERVICES.NWN, tree
DEVIV, object AATestUserAccount.ISS.USERS.NWN
15:59:16 6767F1A0 Drvrs: OID ST:
DirXML Log Event -------------------
Channel: Subscriber
Status: Error
Message: Code(-9065) Unable to determine value of attribute
nspmDistributionPassword for object

Any ideas?