We are currently sync'ing accounts from eDir 8.8.2 to AD 2003. We can
do it all just fine if we give the driver admin rights to the part of
the tree that we wish to replicate. We are trying to get the eDir
account privileges down to the bare minimum. When we limit the
connector to Browse/Compare all Entry and Attrs the objects flow to AD
just fine (we have given the connector in AD Admin privileges to the ou
where the objects are being placed). The problem though is that each
operation gives a "generateKeyPair -672 ERR_NO_ACCESS" error on the
Publisher channel. I wish that I could share the trace with all of
you, but it is on a private network and the removal of data is
prohibited (always makes troubleshooting fun!) We do want the
connector to be able to set passwords in the other direction, from AD
to eDir, but again we want limited rights. We know that we could give
the connector admin to the ou which is being replicated, but that in
turn gives the connector more rights than it should have. We have
tried to add private/public key to the trustee list, but only public
key is listed in the selection box. We are attempting to add the
connector user to an account management role to see if that will do it,
but I am not hopeful.

I know this may sound like we are going overboard to some folks, but we
are trying to limit the overall exposure of each account. We know that
we are protected by the driver filter to keep other operations out and
by disabling the account it can't be hijacked. We are just a paranoid
group of people


--
swallac2
------------------------------------------------------------------------
swallac2's Profile: http://forums.novell.com/member.php?userid=12391
View this thread: http://forums.novell.com/showthread.php?t=322109