000020740 - Adding ClearTrust user property to Active Directory datastore.

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000020740

Issue: How to add ClearTrust user property to Active Directory datastore
Error: "00000057: LdapErr: DSID-0C0908EB, comment: Error in attribute conversion operation, data 0, v893 [No such attribute]"

Cause: Only certain types of OIDs in Active Directory are supported by ClearTrust

Resolution: To successfully add any string user property (e.g. BloodType), please follow the guidelines below:

1. In the Active Directory box, verify that the ctscUserAuxClass is installed:

MMC --> Console Root --> Active Directory Schema --> Classes --> Person (Properties --> Relationship tab, check that ctscUserAuxClass is there)

If it is not there, please read and follow page 44 of the RSA ClearTrust 5.0.1 Installation and Configuration Guide regarding how to install the ctscUserAuxClass to the Active Directory schema before proceeding with the steps below.

2. Console Root --> Active Directory Schema --> Attributes (Create New)

3. Common Name: BloodType
LDAP Display Name: BloodType
Unique X500 Object ID: <take any existing OID and>.<add any unique number you wish>
E.g. [existing OID = 1.3.6.1.4.1.8241.1.86] + [add 99.99.99.99.1] = 1.3.6.1.4.1.8241.1.86.99.99.99.99.1
Syntax: Case Insensitive String
Min: <leave blank>
Max: <leave blank>

4. Changes to the Active Directory schema take "x" number of minutes to propagate (x is determined by Microsoft, no one knows), but they will take effect after rebooting.

5. Use ADSI Edit (Active Directory Editor) to add the properties to a particular user:

ADSI Edit -Domain NC
 - DC= <your basedn>
        - CN=Users
           - testuser (Properties - BloodType should be visible now)

6. Now that it is defined in Active Directory, you can add properties in the ClearTrust GUI using the same name, e.g. BloodType. In the GUI, go to Manage Users --> Properties --> Add New (then use BloodType).

7. Then edit the user, click on Properties, then add BloodType.

8. The user-defined attribute BloodType has been successfully created in Active Directory and will be correctly reflected in ClearTrust
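
The schema state that steps 1 to 5 should produce can be confirmed from PowerShell with read-only queries. This is an added example, not part of the RSA article; it assumes the ActiveDirectory module (RSAT) is available, that ctscUserAuxClass is the class's LDAP display name, and that testuser is the sample account from step 5.

```powershell
# Added example (not from the RSA article): read-only verification of steps 1-5.
# Assumes the ActiveDirectory module (RSAT) and rights to read the schema partition.
Import-Module ActiveDirectory

$AttrName  = 'BloodType'          # LDAP Display Name from step 3
$ClassName = 'ctscUserAuxClass'   # assumed to be the class's lDAPDisplayName
$TestUser  = 'testuser'           # sample account from step 5

$schemaNC = (Get-ADRootDSE).schemaNamingContext

function Get-SchemaEntry {
    param([string]$Name, [string[]]$Properties)
    Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$Name)" -Properties $Properties
}

# Step 1: the auxiliary class exists and is listed on the Person class.
$aux    = Get-SchemaEntry $ClassName @('governsID')
$person = Get-SchemaEntry 'person' @('auxiliaryClass', 'systemAuxiliaryClass')
$linked = @($person.auxiliaryClass) + @($person.systemAuxiliaryClass)
$auxOnPerson = [bool]$aux -and (($linked -contains $ClassName) -or ($linked -contains $aux.governsID))

# Steps 2-3: the attribute exists; 2.5.5.4 / oMSyntax 20 is what the schema
# snap-in stores for "Case Insensitive String".
$attr = Get-SchemaEntry $AttrName @('attributeID', 'attributeSyntax', 'oMSyntax')
$syntaxOk = [bool]$attr -and $attr.attributeSyntax -eq '2.5.5.4' -and $attr.oMSyntax -eq 20

# Step 5: read the value back from the user. An attribute name the directory
# does not know makes the query fail, which is caught and reported.
$userValue = $null; $userError = $null
try   { $userValue = (Get-ADUser -Identity $TestUser -Properties $AttrName -ErrorAction Stop).$AttrName }
catch { $userError = $_.Exception.Message }

[pscustomobject]@{
    AuxClassInSchema   = [bool]$aux
    AuxClassOnPerson   = $auxOnPerson
    AttributeInSchema  = [bool]$attr
    AttributeOID       = $attr.attributeID     # compare with the OID entered in step 3
    SyntaxIsCaseInsens = $syntaxOk
    UserValue          = $userValue
    UserError          = $userError
}
```

If AttributeInSchema is false or UserError is populated, the directory does not yet know the attribute, which is the condition behind the "No such attribute" error quoted in the Issue.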

Notes: See this link for more information on creating classes and attributes in Active Directory: http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/adschemasteps.asp

Legacy Article ID: a18588