|Applies To||RSA Access Manager Authorization Server 6.0|
Microsoft Windows 2003 Server
Global Catalog of Active Directory and ADAM
|Issue||Problems adding properties to users|
Viewing a user in the global catalog shows all of the attributes, such as employeeID and userPrincipalName. However, in RSA Access Manager these properties cannot be added to the user.
The message "PropertyDefinitions can only be created on existing LDAP attributes." appears when trying to define a new user property using the entitlements GUI at http://<server:port>/admingui/ListUserProperties.jsp?create= (Manage Users > Properties > Add New).
sirrus.da.exception.OperationNotSupportedException: PropertyDefinitions can only be created on existing LDAP attributes.
"ObjectClassuser does not allow for this attribute: xxxxxx" appears in the eserver debug log (where xxxxxx is the name of the attribute you are trying to add, such as samAccountName).
This is the correct behaviour when using a Microsoft Global Catalog (GAL) in its default configuration. The attribute that has been selected (in this example samAccountName) is not published or exposed by the GAL and hence is not usable by RSA Access Manager.
If you view the schema of a standard Active Directory for User under CN=User,CN=Schema,CN=Configuration,DC=domain,DC=com, it lists these attributes as part of the user class. When you view the same schema through the GAL, the systemMayContain entries listing these attributes are not exported or present. These attributes need to be replicated to the global catalog to allow the desired functionality.
The GAL configuration may be altered to allow the desired attributes to be published. The procedure is to go to the Active Directory schema master, run the Active Directory Schema snap-in, and mark the attribute for replication to the Global Catalog. For full details of carrying out these operations please contact Microsoft support.
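The check and the schema change described above, as an added PowerShell example that is not part of the original RSA article and not RSA's or Microsoft's own tooling. It assumes the ActiveDirectory RSAT module is installed; the function names, parameter names and the sample attribute list are this example's own. Get-GCAttributeStatus reads whether an attribute is in the Global Catalog's partial attribute set (the isMemberOfPartialAttributeSet flag on the attributeSchema object), Compare-GCAttribute shows the symptom by reading the same user over the domain port (389) and the GC port (3268), and Publish-AttributeToGC sets the same flag the snap-in's "replicate to the Global Catalog" option sets, which requires Schema Admins rights and is written on the schema master.

```powershell
# Added example, not from the RSA article. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-GCAttributeStatus {
    # Reports, per attribute, whether the schema marks it for Global Catalog replication.
    param(
        [Parameter(Mandatory)] [string[]] $AttributeName   # e.g. 'sAMAccountName', 'employeeID'
    )
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    foreach ($name in $AttributeName) {
        # Schema attributes are attributeSchema objects keyed by lDAPDisplayName
        $attr = Get-ADObject -SearchBase $schemaNC `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
            -Properties lDAPDisplayName, isMemberOfPartialAttributeSet
        if (-not $attr) { Write-Warning "Attribute '$name' not found in schema"; continue }
        [pscustomobject]@{
            Attribute       = $attr.lDAPDisplayName
            InGlobalCatalog = [bool]$attr.isMemberOfPartialAttributeSet
        }
    }
}

function Compare-GCAttribute {
    # Shows the symptom from the article: attributes present over port 389 but absent over 3268.
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $Attributes,
        [Parameter(Mandatory)] [string]   $Server      # a domain controller that is also a GC
    )
    $domainCopy = Get-ADUser -Identity $SamAccountName -Server "${Server}:389"  -Properties $Attributes
    $gcCopy     = Get-ADUser -Identity $SamAccountName -Server "${Server}:3268" -Properties $Attributes
    foreach ($a in $Attributes) {
        [pscustomobject]@{
            Attribute   = $a
            DomainValue = $domainCopy.$a
            GCValue     = $gcCopy.$a       # $null here means the GC does not publish it
        }
    }
}

function Publish-AttributeToGC {
    # Marks one attribute for replication to the Global Catalog (schema change; Schema Admins only).
    param([Parameter(Mandatory)] [string] $AttributeName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))"
    if (-not $attr) { throw "Attribute '$AttributeName' not found in schema" }
    # Schema writes go to the schema master, exactly as the Schema snap-in does
    $schemaMaster = (Get-ADForest).SchemaMaster
    Set-ADObject -Identity $attr.DistinguishedName -Server $schemaMaster `
        -Replace @{ isMemberOfPartialAttributeSet = $true }
}

# Usage (sample values are constructed):
# Get-GCAttributeStatus -AttributeName 'sAMAccountName', 'employeeID', 'userPrincipalName'
# Compare-GCAttribute -SamAccountName 'jdoe' -Attributes 'employeeID', 'userPrincipalName' -Server 'dc01.example.com'
# Publish-AttributeToGC -AttributeName 'employeeID'
```

Run Get-GCAttributeStatus first for the attribute RSA Access Manager rejects; if InGlobalCatalog is False, the "PropertyDefinitions can only be created on existing LDAP attributes" error is expected and the fix is the schema change, not an Access Manager setting. After Publish-AttributeToGC the value only becomes visible on the GC port once the schema change and the attribute data have replicated, so re-run Compare-GCAttribute before retrying the property definition.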
For further information on configuring the LDAP and Active Directory connections into RSA Access Manager 6.0 see the documentation on the product CD-ROM or view online:
|Workaround||An Active Directory Global Catalog is used as the user and group store, Microsoft ADAM as the policy and admin store.|
|Legacy Article ID||a32107|