000021551 - How to import RSA ClearTrust schema into Microsoft Active Directory Application Mode (ADAM)

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 2.


Article Number: 000021551
Applies To: Microsoft Active Directory Application Mode (ADAM); Microsoft Windows Server 2003; RSA ClearTrust 5.5
Issue: How to import RSA ClearTrust schema into Microsoft Active Directory Application Mode (ADAM)
Error: "The attribute cannot be modified because it is owned by the system" in RSA ClearTrust
Resolution

Following are the steps listed in the RSA ClearTrust Ready ADAM Implementation Guide. Annotations to these instructions are inserted in the text in italics; these annotations include extra information and corrections where applicable.

  1. Log in to the machine hosting the ADAM instance as Administrator.
     
  2. Open the ADAM ADSI Edit utility and create a cn=Users container in your application context.
  3. Next, create a cn=Administrator account in the Users container with a valid password.

    Using the "reset password" option on the context menu of the Administrator user will set the password, but the fields unicodePwd and userPassword will still show as <not set> in the properties dialogue for the object.

    This account will be used to bootstrap the RSA ClearTrust Servers.  This user should also be made a member of the Administrators role in order to have the appropriate permissions on the ADAM server. 

    To add the Administrator user to the Administrators role, navigate to the Administrators role in the tree and select Properties from the context menu. Select the property member and click the Edit button below it. This brings up a specialized dialogue for adding members to the role. Click the button marked Add ADAM Account and enter the DN for the Administrator user. Attempting to add the Administrator user to the Administrators role by modifying the memberOf property of the Administrator user instead will fail with the error message "The attribute cannot be modified because it is owned by the system." (memberOf is a back-link maintained by the directory; membership must be changed on the role's member attribute.)

    If you do not perform this step you will need to manually assign the appropriate permissions with the dsacls command.  For more information on ADAM roles, authorization, and manually assigning permissions, consult the ADAM online help.

    ! Note: If you are unable to bind to ADAM as this administrative user, ensure that the msDS-UserAccountDisabled attribute for this account is set to False.
  4. Copy the Active Directory schema files from:

    %ClearTrust Install Directory%\data_adapters\ldap\activedirectory

    to the ADAM installation directory (C:\WINDOWS\ADAM by default).  It is not necessary to copy the batch files.
     
  5. Click Start, point to All Programs, point to ADAM, and then click ADAM Tools Command Prompt.
     
  6. Open the adschema.ldif file and edit it to reflect your DN structure.

    All instances of dc=rsasecurity, dc=com (the default in the file when first installed) should be replaced by the DN of your application (e.g., dc=rsasecurity, dc=com becomes dc=your_domain, dc=com).  It's important that you remember the exact textual format of the DN that you use to replace the prior DN for the next step.
     
  7. At the ADAM command prompt, type the following command, and then press ENTER:

    ! Important: The ADAM command listed here is only provided as an example.  This example may or may not work for your environment.  RSA Security Customer Support cannot assist with proper ldifde (or any) ADAM command syntax.  Please consult the ADAM online help or Microsoft Technical Support if you require assistance with this command.

    ldifde -i -f adschema.ldif -s servername:portnumber -k -j . -c "CN=Schema,CN=Configuration,DC=your_domain, DC=com" #schemaNamingContext

    ... where servername:portnumber represents the computer name and LDAP communication port of your ADAM instance, and your_domain is the DN of the naming context you have created.  Because the ADAM instance is running on your local computer, you can also use localhost as the computer name.

    This command is different from the normal use of ldifde with Active Directory because, in ADAM, the schema and configuration directories are not located within the domain context; the part of the ldifde command reading '-c "CN=Schema,CN=Configuration,DC=your_domain, DC=com" #schemaNamingContext' overcomes this difference by using #schemaNamingContext to substitute the unrooted Schema branch used in ADAM for the full DN that would be used in Active Directory.

    If the command has completed successfully, you should see the following message:

         175 entries modified successfully.

         The command has completed successfully.

    ! Note: By default, there is a space in the adschema.ldif file in the DN component (e.g., dc=rsasecurity,dc=com).  If you do a global find and replace, the ldifde command must also have the space in the resulting DN.  That is, the DN issued in the ldifde command must exactly match the DN in the edited adschema.ldif file.

    ! Note: Be sure to use the copy of ldifde.exe that came with the ADAM release, rather than a copy that came with an earlier ADAM release or with the Windows Support Tools.

    If you're unsure which copy of ldifde you're invoking, you can rename ldifde.exe in the ADAM directory to ldifde2.exe and invoke it as ldifde2 -i -f ...
  8. Open the install-activedirectory.ldif file and ensure that all entries have the same base DN as the application context you created during the ADAM installation (DC=rsasecurity, DC=com, for example). Perform this same step for the mod-entry1.ldif and mod-entry2.ldif files.
     
  9. At the ADAM command prompt, type the following command, and press ENTER:

    ldifde -i -f install-activedirectory.ldif -s servername:portnumber -k -j .

    If this completes successfully, you should see the following message:

         12 entries modified successfully.

         The command has completed successfully.
  10. Repeat step 9 for the mod-entry1.ldif and mod-entry2.ldif files.

    As each of these complete successfully, you should receive the following message:

         1 entry modified successfully.

         The command has completed successfully.
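The following Python script is an added example and is not part of the RSA guide or of this article. It carries out the DN rewrite of steps 6 and 8 on an unfolded copy of the LDIF text, checks that every dn: line ends with the exact base DN string that will later be passed to ldifde (catching the comma-space mismatch the note in step 7 warns about), and builds the ldifde command lines of steps 7, 9 and 10 from that same string. The sample LDIF fragment, the attribute and class names in it, the target base DN dc=example, dc=com and the port 389 are all constructed for the example; the real files under %ClearTrust Install Directory%\data_adapters\ldap\activedirectory are the ones to run it against.

```python
import re

# Base DN as shipped in the RSA-supplied LDIF files (note the space after the comma).
SHIPPED_BASE_DN = "dc=rsasecurity, dc=com"

# Constructed sample standing in for a fragment of adschema.ldif. The attribute
# and class names are made up, and the second dn: is deliberately folded across
# two lines (RFC 2849 continuation) to show why a naive line-based check fails.
SAMPLE_SCHEMA_LDIF = """\
dn: CN=sampleAttribute,CN=Schema,CN=Configuration,dc=rsasecurity, dc=com
changetype: add
objectClass: attributeSchema
cn: sampleAttribute

dn: CN=sampleClass,CN=Schema,CN=Configuration,
 dc=rsasecurity, dc=com
changetype: add
objectClass: classSchema
cn: sampleClass
"""


def unfold(ldif_text):
    """Join LDIF continuation lines (lines beginning with one space) onto the
    preceding line so each dn: value can be compared as a whole string."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def rewrite_base_dn(ldif_text, old_base, new_base):
    """Replace every occurrence of old_base with new_base (case-insensitive
    match, literal replacement) on the unfolded text. The exact spelling of
    new_base is preserved, because ldifde -c must be given the same text."""
    pattern = re.compile(re.escape(old_base), re.IGNORECASE)
    return "\n".join(pattern.sub(lambda m: new_base, ln) for ln in unfold(ldif_text)) + "\n"


def check_dn_suffixes(ldif_text, base_dn):
    """Return the dn: values that do NOT end with base_dn, compared textually
    (case and spacing included). An empty list means the file and the DN you
    intend to pass to ldifde agree. Base64-encoded dn:: lines cannot be compared
    textually and are reported so they can be inspected by hand."""
    mismatches = []
    for line in unfold(ldif_text):
        if line.startswith("dn::"):
            mismatches.append(line)
        elif line.startswith("dn:"):
            value = line[3:].strip()
            if not value.endswith(base_dn):
                mismatches.append(value)
    return mismatches


def ldifde_commands(server, port, base_dn, schema_file="adschema.ldif",
                    data_files=("install-activedirectory.ldif",
                                "mod-entry1.ldif", "mod-entry2.ldif")):
    """Build the ldifde invocations from steps 7, 9 and 10. The -c source DN is
    derived from the same base_dn string used for the rewrite, so the two
    cannot drift apart."""
    schema_dn = "CN=Schema,CN=Configuration," + base_dn
    commands = [
        'ldifde -i -f %s -s %s:%s -k -j . -c "%s" #schemaNamingContext'
        % (schema_file, server, port, schema_dn)
    ]
    for data_file in data_files:
        commands.append("ldifde -i -f %s -s %s:%s -k -j ." % (data_file, server, port))
    return commands


if __name__ == "__main__":
    new_base = "dc=example, dc=com"   # assumed target base DN, same spacing as shipped
    edited = rewrite_base_dn(SAMPLE_SCHEMA_LDIF, SHIPPED_BASE_DN, new_base)
    problems = check_dn_suffixes(edited, new_base)
    if problems:
        print("dn: lines that do not match the base DN exactly:", problems)
    else:
        for command in ldifde_commands("localhost", 389, new_base):
            print(command)
```

Run the check a second time with the base DN written without the space (dc=example,dc=com) and every dn: line is reported as a mismatch, which is exactly the condition under which the ldifde -c substitution in step 7 silently fails to match.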
Legacy Article ID: a23538
