Microsoft Windows 2003 Server
Global Catalog of Active Directory and ADAM
When a user is viewed in the Global Catalog, all of the user's attributes (employeeID, userPrincipalName, and so on) are visible. However, these properties cannot be added to the user in RSA Access Manager.
The message "PropertyDefinitions can only be created on existing LDAP attributes." is displayed when trying to define a new user property using the Entitlements GUI at http://<server:port>/admingui/ListUserProperties.jsp?create= (Manage Users > Properties > Add New):
sirrus.da.exception.OperationNotSupportedException: PropertyDefinitions can only be created on existing LDAP attributes.
at sirrus.da.ldap.admin.LDAPPropertyDefinition.persistToStore(LDAPPropertyDefinition.java:512)
at sirrus.da.admin.PersistentObject.save(PersistentObject.java:155)
at sirrus.api.command.write.CreateUserPropertyDefinitionCmd.execute(CreateUserPropertyDefinitionCmd.java:110)
at sirrus.api.command.APICmdStrategy.executeCmd(APICmdStrategy.java:209)
at sirrus.api.command.APICmdStrategy.executeOn(APICmdStrategy.java:89)
at sirrus.util.strategy.StrategyManager.executeStrategyFor(StrategyManager.java:141)
at sirrus.api.server.APIClientProxy.executeCmd(APIClientProxy.java:961)
at sirrus.api.server.APIClientProxy.run(APIClientProxy.java:701)
The eserver debug log shows "ObjectClassuser does not allow for this attribute: xxxxxx" (where xxxxxx is the name of the attribute you are trying to add, for example samAccountName).
This is the correct behaviour when using a Microsoft Global Catalog (GC) in its default configuration. The selected attribute (samAccountName in this example) is not published by the Global Catalog, so it is not available to RSA Access Manager when it reads the user object through the GC.
If you view the schema of a standard Active Directory domain controller under CN=User,CN=Schema,CN=Configuration,DC=domain,DC=com, these attributes are listed as part of the user class. When the same schema is read through the Global Catalog, the systemMayContain entries for these attributes are not present. A Global Catalog only carries the partial attribute set, so an attribute must be marked for replication to the Global Catalog before RSA Access Manager can use it.
The Global Catalog configuration can be changed so that the required attributes are published. The procedure is to log on to the Active Directory schema master, open the Active Directory Schema snap-in, locate the attribute and enable "Replicate this attribute to the Global Catalog". This requires Schema Admins membership, and the change only takes effect on the GC servers once schema replication has completed. For full details of carrying out these operations please contact Microsoft support.
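The following PowerShell script is an added example and is not part of the RSA article or of any Microsoft or RSA product documentation. It performs the check a practitioner wants before raising the issue with Microsoft: it reads the isMemberOfPartialAttributeSet flag on the attribute's schema object, compares what a user looks like over LDAP (port 389) and over the Global Catalog (port 3268), and, if the attribute is not published, sets the flag on the schema master. It assumes the ActiveDirectory PowerShell module is available (on Windows 2003 domain controllers this needs the Active Directory Management Gateway Service), that the attribute of interest is employeeID (taken from the list on this page; samAccountName is the page's log example), and that the account running it is a member of Schema Admins. The user name jdoe is a placeholder.

```powershell
# Added example, not the RSA article's own procedure. Checks whether an attribute
# is in the Global Catalog partial attribute set and publishes it if it is not.
# Assumptions: ActiveDirectory module present, attribute = employeeID (from the
# page's attribute list), placeholder user 'jdoe', caller is in Schema Admins.
Import-Module ActiveDirectory

$attribute = 'employeeID'
$user      = 'jdoe'                      # placeholder sAMAccountName
$rootDse   = Get-ADRootDSE
$schemaNC  = $rootDse.schemaNamingContext
$dc        = $rootDse.dnsHostName        # the DC we are bound to

# 1. Read the attributeSchema object and its partial-attribute-set flag.
#    isMemberOfPartialAttributeSet = TRUE is what "Replicate this attribute to
#    the Global Catalog" sets in the Active Directory Schema snap-in.
$attrSchema = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attribute))" `
    -Properties lDAPDisplayName, isMemberOfPartialAttributeSet

if (-not $attrSchema) {
    throw "Attribute '$attribute' does not exist in $schemaNC"
}
"{0}: isMemberOfPartialAttributeSet = {1}" -f `
    $attrSchema.lDAPDisplayName, [bool]$attrSchema.isMemberOfPartialAttributeSet

# 2. Confirm empirically: the same user read over LDAP (389) and over the GC (3268).
#    When the attribute is not in the partial attribute set, the GC read returns
#    no value even though the LDAP read does. ${dc} braces are required because
#    "$dc:389" would be parsed as a scope-qualified variable name.
$viaLdap = Get-ADUser -Identity $user -Server "${dc}:389"  -Properties $attribute
$viaGc   = Get-ADUser -Identity $user -Server "${dc}:3268" -Properties $attribute
"LDAP 389 : $attribute = '$($viaLdap.$attribute)'"
"GC   3268: $attribute = '$($viaGc.$attribute)'"

# 3. Publish the attribute to the Global Catalog. The write must go to the schema
#    master; other DCs refuse schema updates.
if (-not $attrSchema.isMemberOfPartialAttributeSet) {
    $schemaMaster = (Get-ADForest).SchemaMaster
    Set-ADObject -Identity $attrSchema.DistinguishedName -Server $schemaMaster `
        -Replace @{ isMemberOfPartialAttributeSet = $true }
    "Marked $attribute for GC replication on $schemaMaster; re-run step 2 after " +
    "schema replication has reached the GC servers."
}
```

Step 2 is the useful diagnostic on its own: if RSA Access Manager is pointed at port 3268 and the attribute is empty there but populated on port 389, the cause is the partial attribute set, not the RSA property definition. At Windows 2003 forest functional level adding an attribute to the partial attribute set does not force a full resynchronisation of every Global Catalog (it did on Windows 2000), but the attribute is still not visible on a given GC until that GC has replicated the schema change.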
For further information on configuring the LDAP and Active Directory connections into RSA Access Manager 6.0, see the documentation on the product CD-ROM or view it online:
RSA Access Manager 6.0 Servers Installation and Configuration Guide
https://knowledge.rsasecurity.com/docs/rsa_cleartrust/access_manager/install_config.pdf
See also:
a17869 RSA ClearTrust Entitlements Server cannot find user-defined object classes in LDAP datastore
How to add custom properties in RSA ClearTrust