Object Changes not Synchronizing after Upgrading Remote Loader

  • 7001176
  • 18-Aug-2008
  • 26-Apr-2012

Environment

Novell Identity Manager 3.0
Novell Identity Manager 3.5.1
Novell Identity Manager - Remote Loader
Novell Identity Manager Driver - Active Directory
Microsoft Windows Server 2003 Enterprise Edition

Situation

After upgrading the Novell Identity Manager engine and Remote Loader from 3.0.1 to 3.5.1, only passwords were synchronizing between eDirectory and Active Directory. Traces from both the Remote Loader and the IDM engine showed password changes only. No user creations or data modifications in Active Directory were appearing in the Remote Loader trace files.


Resolution

The AD user account used for synchronization had only Domain User administrator rights. These rights appeared to be sufficient for the 3.0.1 Remote Loader but were insufficient for the 3.5.1 Remote Loader.

Raising the Active Directory user account defined in the Authentication ID field of the Identity Manager AD Driver object to a Domain Administrator resolved the issue. Domain Administrator membership grants far more than the driver needs, however; the specific rights the synchronization account requires are listed under Additional Information, and granting only those keeps the account at least privilege.

Additional Information

Troubleshooting:
A Remote Loader trace file showing the issue contains these two lines:
DirXML: [08/16/08 19:43:44.44]: ADDriver: Publisher Poll
DirXML: [08/16/08 19:43:44.44]: ADDriver: get object changes - 0x0032

A Remote Loader trace file from a working driver contains these lines:
DirXML: [08/16/08 19:46:44.44]: ADDriver: Publisher Poll
DirXML: [08/16/08 19:46:44.44]: ADDriver: get object changes - 0x0000
DirXML: [08/16/08 19:47:44.44]: ADDriver: object changes complete

The key is the code 0x0032. It is the return code of the DirSync LDAP search that the publisher channel runs on each poll, and 0x32 (decimal 50) is the LDAP result code documented as "LDAP_INSUFFICIENT_RIGHTS 0x32 The user has insufficient access rights." A search carrying the DirSync control (LDAP_SERVER_DIRSYNC_OID) requires the Replicating Directory Changes (DS-Replication-Get-Changes) extended right on the domain naming context; an ordinary domain user does not hold it, so the poll is rejected before any object changes can be read, while password changes, which arrive through a different path, still synchronize. A return code of 0x0000 means the DirSync search succeeded.

Documents defining the required rights:
The correct rights for creating a non-standard Active Directory user for synchronization are defined in the Novell Identity Manager Drivers documentation for the Active Directory Driver, Section 2.4 Creating an Administrative Account.
Furthermore, for Active Directory in a Windows 2003 environment, additional rights are needed on the Deleted Objects container. This information can be found in the Novell Identity Manager Drivers documentation for the Active Directory Driver, Section A.0 Changing Permissions on the CN=Deleted Objects Container.
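The following PowerShell script is an added example, not part of this TID or of the Identity Manager driver, that ties the two points above together: it checks whether the driver's Authentication ID account holds the DS-Replication-Get-Changes extended right on the domain head that the DirSync poll needs (a 0x0032 result corresponds to that right being absent), flags whether the account has been given more than that (full control or Get-Changes-All), and lists the ACEs naming the account on CN=Deleted Objects. The account name idmsync and the domain DC=example,DC=com are placeholders; the extended-right GUIDs are the values published in the AD schema. It must be run on a domain member as a user allowed to read the domain and Deleted Objects ACLs.

```powershell
# Added example (not from the Novell TID): report whether the IDM AD driver account
# holds the rights the publisher channel's DirSync poll needs, and whether it holds more.
function Test-DirSyncRights {
    param(
        [Parameter(Mandatory=$true)][string]$DriverAccount,   # sAMAccountName from the driver's Authentication ID field
        [Parameter(Mandatory=$true)][string]$DomainDn         # naming context the driver polls, e.g. DC=example,DC=com
    )

    # Extended-right GUIDs (controlAccessRight rightsGuid values in the AD schema).
    $getChanges    = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
    $getChangesAll = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All (exposes secrets; never needed here)
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    # Locate the account and collect its own SID plus every group SID it carries
    # (tokenGroups includes nested membership), so ACEs granted via groups are recognised.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$DomainDn")
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$DriverAccount))"
    $found = $searcher.FindOne()
    if ($null -eq $found) { throw "Account '$DriverAccount' not found under $DomainDn" }
    $account = $found.GetDirectoryEntry()
    $account.RefreshCache(@('tokenGroups'))

    $principalSids = @(New-Object System.Security.Principal.SecurityIdentifier($account.Properties['objectSid'].Value, 0))
    foreach ($sidBytes in $account.Properties['tokenGroups']) {
        $principalSids += New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    }

    # Walk the Allow ACEs on the domain head. A search with the DirSync control requires
    # DS-Replication-Get-Changes on the root of the naming context being searched.
    $domainHead = [ADSI]"LDAP://$DomainDn"
    $acl = $domainHead.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $hasGetChanges = $false; $hasGetChangesAll = $false; $hasFullControl = $false
    foreach ($ace in $acl) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($principalSids -notcontains $ace.IdentityReference) { continue }
        $rights = $ace.ActiveDirectoryRights
        if (($rights -band $genericAll) -eq $genericAll) { $hasFullControl = $true }
        if (($rights -band $extendedRight) -ne 0) {
            # An ObjectType of Guid.Empty means "all extended rights".
            if ($ace.ObjectType -eq [Guid]::Empty -or $ace.ObjectType -eq $getChanges)    { $hasGetChanges    = $true }
            if ($ace.ObjectType -eq [Guid]::Empty -or $ace.ObjectType -eq $getChangesAll) { $hasGetChangesAll = $true }
        }
    }

    # CN=Deleted Objects is hidden from ordinary LDAP binds, so its ACL is read with dsacls
    # (the tool the driver documentation uses to change it). Only ACEs that name the account
    # directly are matched here; rights inherited through group membership are not resolved.
    $deletedObjectsAces = & dsacls.exe "CN=Deleted Objects,$DomainDn" 2>&1 | Select-String -SimpleMatch $DriverAccount

    [pscustomobject]@{
        Account                        = $DriverAccount
        DirSyncPollShouldSucceed       = ($hasGetChanges -or $hasFullControl)   # $false matches 'get object changes - 0x0032'
        HasReplicatingDirectoryChanges = $hasGetChanges
        HasGetChangesAll               = $hasGetChangesAll   # more than the driver needs; a red flag on a sync account
        HasFullControlOnDomain         = $hasFullControl     # typical of Domain Admins membership; also more than needed
        DeletedObjectsAces             = @($deletedObjectsAces | ForEach-Object { $_.Line.Trim() })
    }
}

# Usage with the placeholder names assumed above.
Test-DirSyncRights -DriverAccount 'idmsync' -DomainDn 'DC=example,DC=com' | Format-List
```

When DirSyncPollShouldSucceed is $false the driver account is in the state this TID describes; the least-privilege fix is to grant Replicating Directory Changes on the domain head (plus the object rights from Section 2.4 and the Deleted Objects permissions from Section A.0) rather than adding the account to Domain Admins. If HasGetChangesAll or HasFullControlOnDomain is $true, the account has been given more than synchronization requires and should be trimmed back.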