000022783 - How to stop RSA ClearTrust from changing the case of a user's LDAP objectclass

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000022783
Applies To: Sun ONE Directory Server 5.2
RSA ClearTrust 5.5.3
Issue: How to stop RSA ClearTrust from changing the case of a user's LDAP objectclass
How to integrate a 3rd-party application that is case sensitive with respect to LDAP objectclasses
The case of the LDAP user attribute ctscUserAuxClass gets changed to all lowercase
Certain 3rd-party applications are case-sensitive when handling objectclasses. Although case-sensitivity is not part of the LDAP RFC specification, there is nothing explicitly prohibiting it, so these 3rd-party applications may break when interacting with RSA ClearTrust-administered users.
Cause: When the user is updated in the RSA ClearTrust Entitlements Manager (Admin GUI), ClearTrust does not maintain the original case of the objectclasses, even though these are created by ClearTrust when a user is created in the Entitlements Manager.
Resolution: Change the RSA ClearTrust configuration so that ClearTrust will not update the objectclass when a user is saved or updated. To do so, open ClearTrust's ldap.conf file and set the following:

    cleartrust.data.ldap.user.update_objectclass_on_modify  :false

NOTE: If there is a pre-existing user missing the ctscUserAuxClass attributes (because the user was created in an external, non-ClearTrust, user administration tool), the auxiliary ClearTrust attributes that control password policy and the like in the Entitlements Manager (Admin GUI) will not be writable, and a transport error/object class violation will be thrown when trying to save a user. If all users were created in ClearTrust, this will not be an issue, since the ctscUserAuxClass is included as one of the object classes added on user creation (defined in ldap.conf at cleartrust.data.ldap.user.objectclass). It is possible to add ctscUserAuxClass manually, but instructions to do so are beyond the scope of this solution.
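
A pre-change check for the condition described in the NOTE, as an added example (not RSA's code): it reads an LDIF export of the user subtree and lists entries that lack ctscUserAuxClass, plus entries where its case has already been lowered. The sample LDIF, the DNs and the function names are constructed for illustration, and the export is assumed to hold plain (non-base64) objectclass values.

```python
AUX_CLASS = "ctscUserAuxClass"  # auxiliary class named in the article

# Constructed sample LDIF (not from a real directory); DNs and users are made up.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: ctscUserAuxClass

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetorgperson
objectClass: ctscuserauxclass

# created by an external tool, so no ClearTrust auxiliary class
dn: uid=carol,ou=people,
 dc=example,dc=com
objectClass: inetOrgPerson
"""

def parse_ldif(text):
    """Yield (dn, objectclass values) per entry. Unfolds lines; '::' values are not decoded."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        dn, classes = None, []
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if attr.lower() == "dn":
                dn = value.strip()
            elif attr.lower() == "objectclass":  # attribute names are case-insensitive
                classes.append(value.strip())
        if dn:
            yield dn, classes

def audit(text):
    """Return (DNs missing AUX_CLASS, DNs where AUX_CLASS is present but re-cased)."""
    missing, recased = [], []
    for dn, classes in parse_ldif(text):
        matches = [c for c in classes if c.lower() == AUX_CLASS.lower()]
        if not matches:
            missing.append(dn)   # saving this user would hit the object class violation
        elif AUX_CLASS not in matches:
            recased.append(dn)   # case-sensitive applications may reject this entry
    return missing, recased

if __name__ == "__main__":
    missing, recased = audit(SAMPLE_LDIF)
    print("missing", AUX_CLASS + ":", missing)
    print("case altered:", recased)
```

Entries in the first list need ctscUserAuxClass added before update_objectclass_on_modify is set to false; entries in the second list keep their lowercase value after the change, since ClearTrust will no longer rewrite the objectclass.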
Workaround: In the RSA ClearTrust Entitlements Manager (Admin GUI), when the user profile is saved with or without modification, the case of the auxiliary LDAP objectclasses (i.e. ctscUserAuxClass, etc.) added by ClearTrust is changed to lower-case.
Legacy Article ID: a30295