000013736 - How to configure the user.basedn when using Access Manager with a Global Catalog user store.

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000013736
Applies To: RSA Access Manager 6.0
Active Directory Global Catalog
Issue: How to configure the user.basedn when using Access Manager with a Global Catalog user store.
When listing users in the Entitlements Manager, some users are listed twice.
Cause: Access Manager lists users that are in the local domain as well as users visible in the domain forest via the Global Catalog bind. If the local domain is also a member of the domain forest, those users are displayed twice.
Resolution

Access Manager requires that a user datastore be defined for the local domain as well as for the Global Catalog. The user datastore for the local domain is where local users would be created. Note that when using the Global Catalog, the Entitlements Manager should not be used to manage users. Instead, domain users should be managed externally using Microsoft tools. The user.basedn for the local datastore must still be defined, otherwise an error message is generated. This configuration setting should point to a dummy location where no users reside. Users in the local domain will still be visible through the Forest view provided by the Global Catalog.

For example, create a container in the local domain called CTUSERS.

Point the user datastore for the local datastore to this empty container.

cleartrust.data.ldap.user.basedn                  cn=CTUSERS, cn=Users,dc=domain,dc=com
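As an added illustration (not RSA's code and not part of the article), the following Python models the two overlapping user datastores over a constructed directory: it shows the duplicate listing that results when the local user.basedn covers the same users the Global Catalog returns, and that pointing it at the empty CTUSERS container removes the duplicates while the local users stay visible through the Global Catalog scope. The Global Catalog base DN dc=domain,dc=com, the second domain dc=child and the sample entries are assumptions.

```python
from collections import Counter

# Constructed directory contents (sample data, not from the article), as
# (dn, objectClass) pairs. CTUSERS is the empty container the article says to
# create; dc=child is an assumed second domain of the forest, seen only via the GC.
DIRECTORY = [
    ("cn=Users,dc=domain,dc=com", "container"),
    ("cn=CTUSERS,cn=Users,dc=domain,dc=com", "container"),
    ("cn=Alice,cn=Users,dc=domain,dc=com", "user"),
    ("cn=Bob,cn=Users,dc=domain,dc=com", "user"),
    ("cn=Carol,cn=Users,dc=child,dc=domain,dc=com", "user"),
]

def normalize_dn(dn):
    # Case-insensitive, and tolerant of the space after the comma in the
    # article's example value "cn=CTUSERS, cn=Users,dc=domain,dc=com".
    return ",".join(part.strip().lower() for part in dn.split(","))

def is_under(dn, basedn):
    """True if dn is basedn itself or lies anywhere in the subtree below it."""
    dn, basedn = normalize_dn(dn), normalize_dn(basedn)
    return dn == basedn or dn.endswith("," + basedn)

def users_under(directory, basedn):
    """Users a datastore whose user.basedn is `basedn` would return."""
    return [dn for dn, oc in directory
            if oc.lower() == "user" and is_under(dn, basedn)]

def entitlements_listing(directory, local_basedn, gc_basedn):
    """Union of the local-domain and Global Catalog datastores, as listed."""
    return users_under(directory, local_basedn) + users_under(directory, gc_basedn)

def duplicated(listing):
    """Users that appear more than once in a listing (normalized DNs)."""
    counts = Counter(normalize_dn(dn) for dn in listing)
    return sorted(dn for dn, n in counts.items() if n > 1)

if __name__ == "__main__":
    gc = "dc=domain,dc=com"  # assumed Global Catalog datastore base DN
    for local in ("cn=Users,dc=domain,dc=com", "cn=CTUSERS, cn=Users,dc=domain,dc=com"):
        listing = entitlements_listing(DIRECTORY, local, gc)
        print(f"local user.basedn={local!r}: duplicates={duplicated(listing)}")
```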

Workaround: Access Manager is configured to use the Active Directory Global Catalog for the user datastore.
Notes: Also see solution a22204
Legacy Article ID: a41664
