6.3 Security Considerations

  • The bidirectional eDirectory driver requires appropriate read/write rights in the container on which it operates. The eDirectory servers where you install the driver must hold master or read/write replicas of the objects you want synchronized between eDirectory and the Identity Vault. The following permissions are required for synchronizing changes with the connected system and the Identity Vault:

    • Rights Required on the Connected System: For receiving events from the connected system, the driver’s Authentication DN must have the following rights in the connected system (eDirectory):

      • Entry Rights: Browse permission.

      • Attributes Rights: Read permission.

      For synchronizing the NDS password, ensure that the driver’s Authentication DN has Read and Write permissions on the ACLs of the objects.

      For synchronizing changes to the connected system, ensure that the driver’s Authentication DN has the following rights in the connected system (eDirectory):

      • Entry Rights: The rights to create entries in the connected system. Supervisor rights on the objects for synchronizing NDS passwords.

      • Attributes Rights: The rights to modify the attributes in the connected system.

      For modifying the write-managed attributes, the driver’s Authentication DN must have the management rights on the objects whose DN is being modified.

    • Rights Required on the Identity Vault: To synchronize changes to the Identity Vault, ensure that the driver’s Security Equals DN has the following rights in the Identity Vault:

      • Entry Rights: The rights to create entries in the Identity Vault.

      • Attributes Rights: The rights to modify the attributes in the Identity Vault.

      For modifying the write-managed attributes, the driver’s Security Equals DN must have management rights on the objects whose DN is being modified.

      For receiving events from the Identity Vault, the driver’s Security Equals DN must have the following rights in the Identity Vault:

      • Entry Rights: Browse permission.

      • Attributes Rights: Read permission.

  • The change-log file contains information about events on the connected eDirectory servers, including passwords. It is encrypted, but it should still be protected against access by unauthorized users. The change-log file is located in the DIB directory of eDirectory. Its name is based on the GUID of the driver and it has a .TAO extension. The change-log file can be accessed only by the owner of the eDirectory instance.

  • Sensitive data such as passwords and encrypted attributes is encrypted before it is written to the change-log cache file.