000021525 - How to install RSA ClearTrust schema files on Microsoft Active Directory Application Mode (ADAM)

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000021525
Applies To:
  Microsoft Active Directory Application Mode (ADAM)
  RSA ClearTrust 5.5
  Microsoft Windows Server 2003
Issue: How to install RSA ClearTrust schema files on Microsoft Active Directory Application Mode (ADAM)
When running either of the following two commands, as listed in the RSA ClearTrust Ready Implementation Guide for directory server products (page 5):

ldifde -i -f adschema.ldif -s localhost:50000 -k -j . -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext

ldifde -i -f adschema.ldif -s localhost:50000 -k -j . -c "CN=Schema,CN=Configuration,DC=Your_Domain,DC=com"

the resulting error message appears:

Connecting to "localhost:50000"
Logging in as current user using SSPI
Importing directory from file "adschema.ldif"
Loading entries..................................................................................................
Add error on line 1864: No Such Attribute
The server side error is: 0x57 The parameter is incorrect.
The extended server error is:
00000057: LdapErr: DSID-0C090AB7, comment: Error in attribute conversion operation, data 0, vece
1 entry modified successfully.
An error has occurred in the program
Cause: The immediate cause of the error message is a failure to convert a parameter of the 'mayContain' attribute of the object starting on line 1864 of adschema.ldif. That parameter refers to an object declared earlier in the ldif file which itself failed to import. The underlying cause of the import failure is an incorrect Schema DN: ldifde cannot find the Schema object at the DN specified in the ldif file, and so cannot import objects into the Schema.
The instruction given in the RSA ClearTrust Ready Implementation Guide is incorrect in versions earlier than the October 14th version. In the first version (dated November 2003), the argument to the -c flag must be modified so that "DC=X" is replaced by the application partition's base DN as it appears in the ldif (e.g. "DC=rsasecurity,DC=com"). In the second version (dated September 2004), the second argument to the -c flag, "#schemaNamingContext", has been incorrectly omitted. Because the instruction is incorrect, ldifde does not substitute the ADAM application partition's Schema DN (the value of #schemaNamingContext) for the DN written in the ldif file, so the Schema object cannot be resolved in the directory at import time.
Resolution: The correct command is as follows:

ldifde -i -f <filename> -s <servername>:<port> -k -j . -c <DN to match> #schemaNamingContext

where <filename> is the name of the ldif file to import, <servername>:<port> is the name and port of the ADAM server, and <DN to match> is the exact literal string to match in the ldif, of the form "CN=Schema,CN=Configuration,DC=[domain],DC=[Domain]". "#schemaNamingContext" must also be written exactly, so that ldifde can substitute the DN of the Schema object in the ADAM directory.

This command must be executed for all four ClearTrust ldif files: adschema.ldif, install-activedirectory.ldif, mod-entry1.ldif, and mod-entry2.ldif.

NOTE: The -c flag to ldifde carries out a simple text substitution after evaluating arguments like #schemaNamingContext; therefore, it is crucial that the string literal to be matched is exactly correct. Specifically, if there are spaces in the DN in the ldif file (e.g., "dc=rsasecurity, dc=com"), those same spaces must be present in the string literal passed to the -c flag.
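As an added preflight check (example code written for this article, not from RSA or the Implementation Guide): it reads the dn: lines of an ldif, unfolds LDIF continuation lines, counts each exact spelling of the Schema DN suffix, and lists the DNs that a given -c literal would leave unchanged. The sample ldif is constructed, and the object names in it (ctscUser, ctscGroup, ctscRole) are placeholders, not the real ClearTrust schema objects.

```python
import re
from collections import Counter

# Constructed sample LDIF (not the real adschema.ldif). The ctscGroup entry has a
# space after a comma, and the ctscRole entry's DN is folded onto two lines.
SAMPLE_LDIF = """\
dn: CN=ctscUser,CN=Schema,CN=Configuration,DC=rsasecurity,DC=com
changetype: add

dn: CN=ctscGroup,CN=Schema,CN=Configuration,DC=rsasecurity, DC=com
changetype: add

dn: CN=ctscRole,CN=Schema,CN=Configuration,
 DC=rsasecurity,DC=com
changetype: add
"""

# Schema DN suffix as written in the ldif; \s* tolerates spaces after commas.
SCHEMA_DN = re.compile(r"CN=Schema,\s*CN=Configuration(?:,\s*DC=[^,\s]+)+", re.I)

def unfold(ldif_text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def dn_values(ldif_text):
    """Yield the DN of every entry in the file (plain 'dn:' lines only)."""
    for line in unfold(ldif_text):
        if line.lower().startswith("dn:"):
            yield line[3:].strip()

def schema_dn_spellings(ldif_text):
    """Count each exact spelling of the Schema DN suffix used in the file."""
    found = (SCHEMA_DN.search(dn) for dn in dn_values(ldif_text))
    return Counter(m.group(0) for m in found if m)

def unmatched_dns(ldif_text, literal):
    """Schema DNs that 'ldifde -c <literal> #schemaNamingContext' would not rewrite."""
    # -c is a plain text substitution (assumed case-sensitive here), so a spelling
    # that differs from the literal even by one space is left as-is and the add fails.
    return [dn for dn in dn_values(ldif_text) if SCHEMA_DN.search(dn) and literal not in dn]
```

If schema_dn_spellings() reports more than one spelling for a real file, no single -c literal can match every DN, which is the situation the NOTE above warns about.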
Legacy Article ID: a23412