|Applies To||RSA Access Manager 6.0|
Active Directory Global Catalog
|Issue||How to configure the user.basedn when using Access Manger with a Global Catalog user store.|
When listing users in the Entitlements Manager, some users are listed twice.
|Cause||Access Manager will list users that are in the local domain as well as users visible in the domain forest via the Global Catalog bind. If the local domain is also a member of the domain forest, those users will be displayed twice.|
Access Manager requires that a user datastore be defined for the local domain as well as for the Global Catalog. The user datastore for the local domain is where local users would be created. It should be noted that when using the Global Catalog, the Entitlements Manger should not be used to manage users. Instead, domain users should be managed externally using Microsoft tools. The user.basedn for the local datastore must be defined, else an error message is generated. This configuration setting should point to a dummy location where no users reside. Users on the local domain will still be visible through the Forest view, provided by the Global Catalog.
For example, create a container in the local domain called CTUSERS.
Point the user datastore for the local datastore to this empty container.
cleartrust.data.ldap.user.basedn cn=CTUSERS, cn=Users,dc=domain,dc=com
|Workaround||Access Manager is configured to user Active Directory Global Catalog for the user datastore.|
|Notes||Also see solution a22204|
|Legacy Article ID||a41664|