000015058 - How to make reserved user attributes RSA Access Manager User Properties

Document created by RSA Customer Support Employee on Mar 22, 2017

Article Content

Article Number: 000015058
Applies To: RSA Product Set: Access Manager Servers
RSA Version/Condition: 6.X

Issue
How to make reserved user attributes Access Manager User Properties

Error in Entitlements Manager (AdminGUI):

This property already exists.

Error in eserver standard output:

sirrus.da.exception.DuplicateEntryException: Cannot create attributes with reserved name.
        at sirrus.da.ldap.admin.LDAPPropertyDefinition.persistToStore(LDAPPropertyDefinition.java:553)

The errors occur when an attempt is made to make one of the following reserved attributes an Access Manager User Property:
uid
postalcode
sn
userpassword
mail
dn
userPrincipalName
description
ctscFailedLoginCount
ctscUserKeywords
ctscUserKeywords
ctscUserKeywords
ctscPasswordHistory
ctscPasswordCreationDate
cn
uniquemember
description
ctscAdministrativeGroupName
uniquemember
ctscPrivateMemberList
ctscPublicMemberList
dlmDescription
Cause
By default, Access Manager prevents you from using reserved user attributes as user properties. Reserved attributes are any attributes that are defined in the ldap.conf file with an attribute map. These attributes are intended to be used internally by Access Manager and are not editable through the Entitlements Manager.

Resolution

In some instances customers may want to define the reserved user attributes as user properties for export in the HTTP headers. The following workaround describes a method of bypassing this restriction. Customers should ensure that user properties created from reserved attributes are always defined as read only. Under no circumstances should these user properties be edited in the Entitlements Manager; doing so may cause datastore corruption.


1. Identify the ldap.conf setting for the attribute map corresponding to the user attribute you wish to add. For example, to add givenName as a user property, the relevant setting is:

   cleartrust.data.ldap.user.attributemap.firstname :givenname

2. Modify the ldap.conf setting and temporarily assign it to a dummy attribute that is not on the reserved attribute list:

   cleartrust.data.ldap.user.attributemap.firstname :postalcode

3. Restart the eserver. (Ensure that no other administration is being done at the same time.)

4. Create your custom user property based on the reserved attribute givenName.

5. Revert the change in your ldap.conf file back to the original:

   cleartrust.data.ldap.user.attributemap.firstname :givenName

6. Restart the eserver.
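The steps above hinge on two checks a practitioner will want before touching a production ldap.conf: confirming which attributes the current attribute maps actually reserve, and making sure the temporary dummy attribute is not itself reserved by another map (otherwise the swap simply moves the problem). The following Python script is an added example written for this article; it is not RSA's code or part of Access Manager. It assumes the Java-properties style `key :value` lines shown above (it also tolerates `key=value`), operates on a constructed sample of ldap.conf text rather than a real customer file, and only rewrites the text in memory. Editing the real file, restarting the eserver, and creating the read-only user property in the Entitlements Manager remain manual steps, since the article gives no commands for them.

```python
import re

# Constructed sample of ldap.conf attribute-map lines; not a real customer file.
SAMPLE_LDAP_CONF = """\
# user attribute maps (constructed sample)
cleartrust.data.ldap.user.attributemap.userid :uid
cleartrust.data.ldap.user.attributemap.firstname :givenname
cleartrust.data.ldap.user.attributemap.lastname :sn
cleartrust.data.ldap.user.attributemap.email :mail
cleartrust.data.ldap.user.attributemap.password :userpassword
cleartrust.data.ldap.user.other.setting :something
"""

# Matches one attribute-map line. The "key :value" form is what the article
# shows; accepting "=" as a separator is an assumption for robustness.
ATTRMAP_RE = re.compile(
    r"^(?P<key>cleartrust\.data\.ldap\.\w+\.attributemap\.[\w-]+)"
    r"\s*[:=]\s*(?P<attr>\S+)\s*$"
)


def parse_attribute_maps(conf_text):
    """Return {map_key: ldap_attribute} for every attribute-map line in conf_text."""
    maps = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):  # properties-file comments
            continue
        m = ATTRMAP_RE.match(line)
        if m:
            maps[m.group("key")] = m.group("attr")
    return maps


def reserved_attributes(conf_text):
    """Reserved attributes are exactly the targets of the attribute maps.
    LDAP attribute names are case-insensitive, so compare in lower case."""
    return {attr.lower() for attr in parse_attribute_maps(conf_text).values()}


def is_reserved(conf_text, attr):
    """True if attr is currently reserved, i.e. some attribute map points at it."""
    return attr.lower() in reserved_attributes(conf_text)


def swap_attribute_map(conf_text, map_key, new_attr):
    """Return conf_text with one attribute map re-pointed at new_attr.

    Refuses to re-point at an attribute some other map already reserves,
    which would leave the dummy attribute just as blocked as the original.
    Every other line is preserved byte-for-byte so the later revert is clean.
    """
    maps = parse_attribute_maps(conf_text)
    if map_key not in maps:
        raise KeyError(f"no attribute map {map_key} in ldap.conf")
    reserved_by_others = {v.lower() for k, v in maps.items() if k != map_key}
    if new_attr.lower() in reserved_by_others:
        raise ValueError(f"{new_attr} is already reserved by another attribute map")
    out = []
    for line in conf_text.splitlines():
        m = ATTRMAP_RE.match(line.strip())
        if m and m.group("key") == map_key:
            out.append(f"{map_key} :{new_attr}")  # keep the file's "key :value" style
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def temporary_swap(conf_text, map_key, dummy_attr):
    """Perform step 2 in memory and return (swapped_text, original_attr).

    The original attribute is returned so that step 5 (the revert) can be
    done with swap_attribute_map(swapped_text, map_key, original_attr).
    """
    original_attr = parse_attribute_maps(conf_text)[map_key]
    return swap_attribute_map(conf_text, map_key, dummy_attr), original_attr


if __name__ == "__main__":
    key = "cleartrust.data.ldap.user.attributemap.firstname"
    print("reserved before:", sorted(reserved_attributes(SAMPLE_LDAP_CONF)))
    swapped, original = temporary_swap(SAMPLE_LDAP_CONF, key, "postalcode")
    print("givenName reserved after swap:", is_reserved(swapped, "givenName"))
    reverted = swap_attribute_map(swapped, key, original)
    print("revert restores original file:", reverted == SAMPLE_LDAP_CONF)
```

In the constructed sample, postalcode is not the target of any attribute map, so it is an acceptable dummy; on a real system, run `is_reserved` against the actual ldap.conf before choosing one, because any attribute that already appears in a map (such as mail or uid in the sample) is rejected by `swap_attribute_map` for exactly the reason the Cause section gives.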

Notes
See also: Operation not supported message when trying to create an Access Manager user property.
Legacy Article ID: a48259
