000025418 - RSA Access Manager  using Global Catalog having problems adding properties to users

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000025418
Applies ToRSA Access Manager Authorization Server 6.0
Microsoft Windows 2003 Server
Global Catalog of Active Directory and ADAM
IssueProblems adding properties to users
View user in the global catalog,  can see all the attributes such as employeeID, userPrincipalName, etc. However, in RSA Access Manager can not add these properties to the user.
The message "PropertyDefinitions can only be created on existing LDAP attributes." when trying to define a new user property using the entitments GUI at http://<server:port>/admingui/ListUserProperties.jsp?create=  (Manage Users > Properties > Add New)
sirrus.da.exception.OperationNotSupportedException: PropertyDefinitions can only be created on existing LDAP attributes.
 at sirrus.da.ldap.admin.LDAPPropertyDefinition.persistToStore(LDAPPropertyDefinition.java:512)
 at sirrus.da.admin.PersistentObject.save(PersistentObject.java:155)
 at sirrus.api.command.write.CreateUserPropertyDefinitionCmd.execute(CreateUserPropertyDefinitionCmd.java:110)
 at sirrus.api.command.APICmdStrategy.executeCmd(APICmdStrategy.java:209)
 at sirrus.api.command.APICmdStrategy.executeOn(APICmdStrategy.java:89)
 at sirrus.util.strategy.StrategyManager.executeStrategyFor(StrategyManager.java:141)
 at sirrus.api.server.APIClientProxy.executeCmd(APIClientProxy.java:961)
 at sirrus.api.server.APIClientProxy.run(APIClientProxy.java:701)

"ObjectClassuser does not allow for this attribute: xxxxxx" in the eserver debug log (where xxxxx is the name of the attribute you are trying to add such as samAccountName)

This is the correct behaviour when using a Microsoft Global Catalog (GAL) in its default configuration.  The attribute that has been selected (in this example samAccountName) is not published or exposed by the GAL and hence is not useable by RSA Access Manager.

If you view the schema on a standard Active Directory for User under the CN=User, CN=Schema, CN=Configuration,DC=domain, DC=com it shows these attributes as part of the user class.    When you view the same schema in the GAL the systemMayContain showing these attributes is not exported or present. These attributes need to be replicated to the global catalog to allow the desired functionality.


The GAL configuration may be altered to allow the desired attributes to be published.  The procedure is to go to the Active Directory schema master and run the Active Directory schema snap in and replicate the attribute to the Global Catalog.  For full details of carrying out these operation please contact Microsoft support.

For further information on configuring the LDAP and Active Directory connections into RSA Access Manager 6.0 see the documentation on the product CD-ROM or view online:

RSA Access Manager 6.0 Servers Installation and Configuration Guide

See also:

     a17869     RSA ClearTrust Entitlements Server cannot find user-defined object classes in LDAP datastore
     How to add custom properties in RSA ClearTrust     How to add custom properties in RSA ClearTrust


WorkaroundAn Active Directory Global Catalog is used as the user and group store, Microsoft ADAM as the policy and admin store.
Legacy Article IDa32107