I have an ADAM (2003 R2 SP2) instance that I have setup with a fairly minimal set of attributes that are being required by an application that we are going to be authenticating against the ADAM instance. The ADAM install is going fine, the synch works perfectly, users and groups are all coming over as expected, with the attributes that I want displayed. My problem, which I'm not even sure is really a problem, is when I attempt to logon to ldp.exe with a user account that has been synchronized from Active Directory.
Scenario:
User is synchronized based on a filter within my sync file based on membership in a security group in AD.
User account successfully synchronized, attributes are all listed when verifying with ldp.exe as an Admin
Security group is also synchronized and stored in ADAM as part of the import successfully
Security group has been added to the "Readers" role
Attempt to logon to ldp.exe (native or ADAM version) with the synchronized account, connect to the instance and bind successfully
So the problem is that when I attempt to view the tree, I get the "No Children" message instead of being able to view my directory structure. If I add the group to the Administators role, I can see everything, so I believe the membership in the group is propogating correctly and the user is being authenticated properly. When a user is just in the "Reader" role, is this the expected behavior or do I need to set permissions elsewhere in the structure to be able to view other objects lower in the directory structure?
My end requirement is the ability for a user to be able to log on to this application, using their synchronized AD account and be able to find the other objects within the directory structure. Essentially, I'm not sure if this is what should be expected when using ldp.exe or if it is going to be a problem