Microsoft Windows 2003 Server
Global Catalog of Active Directory and ADAM
Viewing a user in the Global Catalog shows all of the user's attributes (employeeID, userPrincipalName, etc.), but RSA Access Manager cannot add those attributes as properties of the user.
The message "PropertyDefinitions can only be created on existing LDAP attributes." appears when trying to define a new user property in the Entitlements GUI at http://<server:port>/admingui/ListUserProperties.jsp?create= (Manage Users > Properties > Add New), with the following stack trace:
sirrus.da.exception.OperationNotSupportedException: PropertyDefinitions can only be created on existing LDAP attributes.
    at sirrus.da.ldap.admin.LDAPPropertyDefinition.persistToStore(LDAPPropertyDefinition.java:512)
    at sirrus.da.admin.PersistentObject.save(PersistentObject.java:155)
    at sirrus.api.command.write.CreateUserPropertyDefinitionCmd.execute(CreateUserPropertyDefinitionCmd.java:110)
    at sirrus.api.command.APICmdStrategy.executeCmd(APICmdStrategy.java:209)
    at sirrus.api.command.APICmdStrategy.executeOn(APICmdStrategy.java:89)
    at sirrus.util.strategy.StrategyManager.executeStrategyFor(StrategyManager.java:141)
    at sirrus.api.server.APIClientProxy.executeCmd(APIClientProxy.java:961)
    at sirrus.api.server.APIClientProxy.run(APIClientProxy.java:701)
"ObjectClassuser does not allow for this attribute: xxxxxx" appears in the Entitlements Server (eserver) debug log, where xxxxxx is the name of the attribute being added (for example sAMAccountName).
This is the expected behaviour when RSA Access Manager is pointed at a Microsoft Global Catalog (GC) in its default configuration. The selected attribute (sAMAccountName in this example) is not published by the GC and therefore cannot be used by RSA Access Manager.
In the schema of a standard Active Directory domain controller, the User class at CN=User,CN=Schema,CN=Configuration,DC=domain,DC=com lists these attributes as part of the user class. When the same schema is viewed through the GC, the systemMayContain entries for these attributes are not exported or present. The attributes must be replicated to the Global Catalog before Access Manager can use them.
The GC configuration can be changed so that the required attributes are published. On the schema master, as a member of the Schema Admins group, open the Active Directory Schema snap-in (register it first with regsvr32 schmmgmt.dll if it does not appear in MMC), open the properties of the attribute and tick "Replicate this attribute to the Global Catalog". This sets isMemberOfPartialAttributeSet on the attribute's attributeSchema object; the change takes effect once it has replicated to every Global Catalog server, after which the property can be added in the Entitlements GUI. For full details of carrying out this operation, contact Microsoft support.
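The following PowerShell is an added example, not part of the RSA article or Microsoft's documentation. It shows the same diagnosis and fix from the command line: Test-GcAttribute reads one user attribute over the domain port (389) and the Global Catalog port (3268) and reports whether the attribute is in the partial attribute set; Publish-AttributeToGc performs the schema change that the snap-in checkbox performs. It assumes the ActiveDirectory RSAT module, and the server name gc01.domain.com, user jdoe and attribute employeeID are hypothetical placeholders.

```powershell
# Added example (not from the RSA article or Microsoft documentation).
# Assumes the ActiveDirectory RSAT module, a Global Catalog server reachable
# under the hypothetical name passed as -Gc, a test user passed as -Sam and,
# for Publish-AttributeToGc, membership in Schema Admins.
Import-Module ActiveDirectory

function Test-GcAttribute {
    # Reads one user attribute over the domain port (389) and the GC port (3268)
    # and reports whether the attribute belongs to the GC partial attribute set.
    param(
        [Parameter(Mandatory)] [string] $Gc,         # e.g. 'gc01.domain.com' (hypothetical)
        [Parameter(Mandatory)] [string] $Sam,        # sAMAccountName of a test user
        [Parameter(Mandatory)] [string] $Attribute   # e.g. 'employeeID'
    )
    $viaDomain = (Get-ADUser -Identity $Sam -Server "${Gc}:389"  -Properties $Attribute).$Attribute
    $viaGc     = (Get-ADUser -Identity $Sam -Server "${Gc}:3268" -Properties $Attribute).$Attribute

    # The schema naming context is replicated to every DC, so any DC can answer this.
    $schemaNC = (Get-ADRootDSE -Server $Gc).schemaNamingContext
    $attrObj  = Get-ADObject -Server $Gc -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$Attribute))" `
        -Properties isMemberOfPartialAttributeSet
    if (-not $attrObj) { throw "No attributeSchema object with lDAPDisplayName '$Attribute'" }

    [pscustomobject]@{
        Attribute      = $Attribute
        SchemaDN       = $attrObj.DistinguishedName
        InPartialSet   = [bool] $attrObj.isMemberOfPartialAttributeSet
        ValueViaDomain = $viaDomain
        ValueViaGc     = $viaGc   # stays empty while InPartialSet is $false: the symptom described above
    }
}

function Publish-AttributeToGc {
    # Equivalent of ticking "Replicate this attribute to the Global Catalog" in the
    # Active Directory Schema snap-in: sets isMemberOfPartialAttributeSet on the
    # attributeSchema object. Schema writes must be directed at the schema master.
    param(
        [Parameter(Mandatory)] [string] $Attribute
    )
    $schemaMaster = (Get-ADForest).SchemaMaster
    $schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
    $attrObj      = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$Attribute))" `
        -Properties isMemberOfPartialAttributeSet
    if (-not $attrObj) { throw "No attributeSchema object with lDAPDisplayName '$Attribute'" }
    if ($attrObj.isMemberOfPartialAttributeSet) {
        Write-Host "$Attribute is already in the partial attribute set"
        return
    }
    # -Confirm:$true forces a prompt: this is a forest-wide schema change.
    Set-ADObject -Identity $attrObj.DistinguishedName -Server $schemaMaster `
        -Replace @{ isMemberOfPartialAttributeSet = $true } -Confirm:$true
    Write-Host "$Attribute added to the partial attribute set on $schemaMaster; wait for replication to every GC"
}

# Usage with the hypothetical names:
# Test-GcAttribute -Gc 'gc01.domain.com' -Sam 'jdoe' -Attribute 'employeeID'   # InPartialSet False, ValueViaGc empty
# Publish-AttributeToGc -Attribute 'employeeID'
# Test-GcAttribute -Gc 'gc01.domain.com' -Sam 'jdoe' -Attribute 'employeeID'   # ValueViaGc populated once replicated
```

Run Test-GcAttribute before and after the change: the attribute value is returned on port 389 in both cases, and on port 3268 only after isMemberOfPartialAttributeSet is true and replication has reached the GC that Access Manager queries. In a forest still at Windows 2000 functional level, adding an attribute to the partial attribute set triggers a full resynchronisation of every Global Catalog; at Windows Server 2003 functional level only the new attribute is replicated. The change still requires Schema Admins membership and should be made with the same care as any other schema modification.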
For further information on configuring the LDAP and Active Directory connections into RSA Access Manager 6.0 see the documentation on the product CD-ROM or view online:
RSA Access Manager 6.0 Servers Installation and Configuration Guide
https://knowledge.rsasecurity.com/docs/rsa_cleartrust/access_manager/install_config.pdf
See also:
a17869 RSA ClearTrust Entitlements Server cannot find user-defined object classes in LDAP datastore
How to add custom properties in RSA ClearTrust