User Profile Synchronization with eDirectory doesn’t require Write Permissions

In the Plan permissions section of Plan for profile synchronization (SharePoint Server 2010) it is claimed that synchronizing user profiles in SharePoint 2010 with Novell eDirectory requires Write access: “Read, Write, and Compare rights in the All attributes rights property for the specified tree are also required.”

My own experience is that this is not required! We recently configured SharePoint 2010 User Profile Synchronization against Novell eDirectory 8.8 SP6 without having write permissions, see security settings for the account below.

[Image: eDirectory security settings for the synchronization account]

This non-compliance was discovered during installation of a new test environment when we had problems synchronizing user profiles. I asked for validation of permissions and the eDirectory team came back with the picture above, along with the information that this is how it looked in both QA and Prod. When I later identified the real reason for the synchronization problem, everything worked fine, even though we do not have Write permissions.

I have no idea if the same applies for Active Directory or the SunOne directory. But from a least privilege perspective it may be worth testing if you get the chance!
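If you do want to test this before trusting a documentation page, the script below probes each of the three rights separately (Read, Compare, Write) with the synchronization account over LDAPS, so you can see exactly what the account can and cannot do before running a profile import. It is an added example written for this post, not code from the original article or from Microsoft or Novell; the host name, bind DN, base entry and test user DN are placeholders you replace with your own, and the write probe replaces an attribute with its current value so that even a granted write changes nothing. It uses the .NET System.DirectoryServices.Protocols classes available on any Windows machine with PowerShell.

```powershell
# Added example: probe Read / Compare / Write rights of a directory sync account
# against eDirectory over LDAPS. All names below are placeholders (assumptions).
Add-Type -AssemblyName System.DirectoryServices.Protocols

$ldapHost   = 'edir.example.local'                 # placeholder eDirectory server
$ldapPort   = 636                                  # LDAPS
$bindDn     = 'cn=spsync,ou=services,o=example'    # placeholder sync account DN
$testUserDn = 'cn=jdoe,ou=users,o=example'         # placeholder user entry to probe
$bindPw     = Read-Host -AsSecureString 'Password for the sync account'

$ns   = 'System.DirectoryServices.Protocols'
$cred = New-Object System.Net.NetworkCredential($bindDn, $bindPw)
$id   = New-Object "$ns.LdapDirectoryIdentifier"($ldapHost, $ldapPort)
$conn = New-Object "$ns.LdapConnection"($id, $cred, [System.DirectoryServices.Protocols.AuthType]::Basic)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.Bind()   # throws if the simple bind is rejected

# Helper: send a request and return the LDAP result code, whether or not the
# server answered with an error (DirectoryOperationException carries the response).
function Invoke-LdapProbe {
    param($Connection, $Request)
    try {
        return $Connection.SendRequest($Request).ResultCode
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        return $_.Exception.Response.ResultCode
    }
}

# 1. Read: base-scope search of the test user, asking for a few attributes.
$attrs  = [string[]]@('cn', 'sn', 'mail', 'description')
$search = New-Object "$ns.SearchRequest"($testUserDn, '(objectClass=*)',
            [System.DirectoryServices.Protocols.SearchScope]::Base, $attrs)
$readResult = Invoke-LdapProbe $conn $search
"Read    : $readResult"

# 2. Compare: assert the cn value we just read; CompareTrue/CompareFalse both
#    prove the Compare right, InsufficientAccessRights proves it is missing.
$entry = $conn.SendRequest($search).Entries[0]
$cn    = $entry.Attributes['cn'].GetValues([string])[0]
$cmp   = New-Object "$ns.CompareRequest"($testUserDn, 'cn', $cn)
"Compare : $(Invoke-LdapProbe $conn $cmp)"

# 3. Write: replace 'description' with its current value(s). If the directory
#    grants Write this is a no-op change; if not, expect InsufficientAccessRights,
#    which is exactly what a least-privilege sync account should return.
if ($entry.Attributes.Contains('description')) {
    $current = $entry.Attributes['description'].GetValues([string])
    $mod = New-Object "$ns.ModifyRequest"($testUserDn,
             [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace,
             'description', $current)
    "Write   : $(Invoke-LdapProbe $conn $mod)"
} else {
    "Write   : skipped (test user has no 'description' attribute to replace in place)"
}

$conn.Dispose()
```

A result of `Success` for the read, `CompareTrue` or `CompareFalse` for the compare, and `InsufficientAccessRights` for the write is the least-privilege outcome described in this post; run the profile import afterwards to confirm the synchronization still completes with that account.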