You should create an Identity Manager service account to connect to LDAP, rather than using the administrator account CN=Directory Manager. Use your LDAP Directory Server management tool to set the permissions for that account with an ACI (access control instruction) at each base context.
Set the permissions in the ACI based on the source. If the adapter is connecting to an authoritative source, then set read, search, and possibly compare permissions only. If the adapter is used to write back, then you will need to set write and possibly delete permissions.
If the account will be used for monitoring the changelog, an ACI should also be created on cn=changelog. The permissions should be set to read and search only, because changelog entries cannot be written or deleted.
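The ACIs described above, written out as an added LDIF example that is not part of the original documentation. It uses the ACI syntax of Sun Java System Directory Server (also understood by 389 Directory Server); other LDAP servers use a different access-control model. The service account DN uid=idm-svc,ou=Service Accounts,dc=example,dc=com and the base context dc=example,dc=com are assumed placeholders.

```ldif
# Read-only grant for an adapter connected to an authoritative source.
# Applied to the base context entry, so it covers the whole subtree.
# Service account DN and base context are assumed example values.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")
 (version 3.0; acl "IdM service account: read authoritative source";
 allow (read, search, compare)
 userdn = "ldap:///uid=idm-svc,ou=Service Accounts,dc=example,dc=com";)

# Changelog grant for an adapter that monitors cn=changelog.
# Read and search only: changelog entries cannot be written or deleted.
dn: cn=changelog
changetype: modify
add: aci
aci: (targetattr = "*")
 (version 3.0; acl "IdM service account: read changelog";
 allow (read, search)
 userdn = "ldap:///uid=idm-svc,ou=Service Accounts,dc=example,dc=com";)

# Write-back grant, only for an adapter that writes to the directory.
# targetattr != "aci" keeps the account from rewriting its own access
# rules; delete is granted separately because it is an entry-level right.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "aci")
 (version 3.0; acl "IdM service account: write back";
 allow (write)
 userdn = "ldap:///uid=idm-svc,ou=Service Accounts,dc=example,dc=com";)
add: aci
aci: (targetattr = "*")
 (version 3.0; acl "IdM service account: delete entries";
 allow (delete)
 userdn = "ldap:///uid=idm-svc,ou=Service Accounts,dc=example,dc=com";)
```

Apply the file with ldapmodify as a directory administrator, then verify the result by binding as the service account and attempting a search, a modify, and a modify of the aci attribute: only the operations you intended to grant should succeed. In LDIF, a line that starts with a single space continues the previous line, so each aci value above is one attribute value.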
The LDAP adapter can manage aliases. However, when a getUser call is performed, the alias is dereferenced and the adapter returns the referenced object. As a result, the adapter will not find attributes on the alias object itself.
This occurs because JNDI defaults to the following setting:
java.naming.ldap.derefAliases=always
You can change this property globally by creating a jndi.properties file that contains the following line:
java.naming.ldap.derefAliases=never
The jndi.properties file must be placed in the Java library path, such as $WSHOME/WEB-INF/classes. You must restart the application server for the change to take effect.
When editing the synchronization policy, be sure to specify a value for the Filter Changes By field. The standard value is the administrator name used by this adapter. Entering an administrator name prevents infinite loops, because changes made by the adapter itself are filtered out. Entries should be in DN form, for example cn=Directory Manager.