Microsoft Windows 2003 Server
Global Catalog of Active Directory and ADAM
When a user is viewed in the global catalog, all of the expected attributes (employeeID, userPrincipalName, and so on) are visible. However, in RSA Access Manager these attributes cannot be added to the user as properties.
The message "PropertyDefinitions can only be created on existing LDAP attributes." is returned when trying to define a new user property using the Entitlements GUI at http://<server:port>/admingui/ListUserProperties.jsp?create= (Manage Users > Properties > Add New):
sirrus.da.exception.OperationNotSupportedException: PropertyDefinitions can only be created on existing LDAP attributes.
at sirrus.da.ldap.admin.LDAPPropertyDefinition.persistToStore(LDAPPropertyDefinition.java:512)
at sirrus.da.admin.PersistentObject.save(PersistentObject.java:155)
at sirrus.api.command.write.CreateUserPropertyDefinitionCmd.execute(CreateUserPropertyDefinitionCmd.java:110)
at sirrus.api.command.APICmdStrategy.executeCmd(APICmdStrategy.java:209)
at sirrus.api.command.APICmdStrategy.executeOn(APICmdStrategy.java:89)
at sirrus.util.strategy.StrategyManager.executeStrategyFor(StrategyManager.java:141)
at sirrus.api.server.APIClientProxy.executeCmd(APIClientProxy.java:961)
at sirrus.api.server.APIClientProxy.run(APIClientProxy.java:701)
The eserver debug log also records "ObjectClassuser does not allow for this attribute: xxxxxx" (where xxxxxx is the name of the attribute you are trying to add, such as sAMAccountName).
This is the correct behaviour when using a Microsoft Global Catalog (GC) in its default configuration. The attribute that has been selected (in this example sAMAccountName) is not published or exposed by the GC and hence is not usable by RSA Access Manager.
If you view the schema of a standard Active Directory domain under CN=User,CN=Schema,CN=Configuration,DC=domain,DC=com, these attributes are listed in the systemMayContain of the user class. When you view the same class through the GC, the systemMayContain entries for these attributes are not exported and so are not present. The attributes must be replicated to the global catalog before Access Manager can use them.
The GC configuration can be altered so that the desired attributes are published. The procedure is to go to the Active Directory schema master, run the Active Directory Schema snap-in, and mark the attribute as replicated to the Global Catalog. For full details of carrying out this operation, please contact Microsoft support.
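The following PowerShell is an added example, not part of this article and not RSA or Microsoft code. It checks, from the schema master, whether each attribute of interest is flagged for replication to the Global Catalog (the isMemberOfPartialAttributeSet schema flag behind the snap-in's "Replicate this attribute to the Global Catalog" checkbox), and then queries the GC port (3268) the way Access Manager would, to confirm which attributes actually come back for a user. The server name dc01.domain.com, the test account jdoe and the attribute list are placeholder assumptions for your own environment.

```powershell
# Added example (not from the RSA article). Requires the ActiveDirectory module (RSAT).
# Assumed placeholders: schema master "dc01.domain.com", test user "jdoe", attribute list below.
Import-Module ActiveDirectory

$SchemaMaster = 'dc01.domain.com'                               # assumption: your schema master
$Attributes   = 'sAMAccountName', 'employeeID', 'userPrincipalName'
$SchemaNC     = (Get-ADRootDSE -Server $SchemaMaster).schemaNamingContext

# 1. Schema view: is each attribute a member of the partial attribute set (i.e. replicated to the GC)?
$schemaReport = foreach ($name in $Attributes) {
    $attr = Get-ADObject -Server $SchemaMaster -SearchBase $SchemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
        -Properties lDAPDisplayName, isMemberOfPartialAttributeSet
    [pscustomobject]@{
        Attribute       = $attr.lDAPDisplayName
        InGlobalCatalog = [bool]$attr.isMemberOfPartialAttributeSet
        SchemaDN        = $attr.DistinguishedName
    }
}
$schemaReport | Format-Table -AutoSize

# 2. Consumer view: read the same user over the GC port (3268), as Access Manager does.
#    Attributes that are not in the partial attribute set are simply absent from the result.
$gcUser = Get-ADUser -Server "$($SchemaMaster):3268" -Identity 'jdoe' -Properties $Attributes
foreach ($name in $Attributes) {
    $state = if ($null -ne $gcUser.$name) { 'returned by GC' } else { 'NOT returned by GC' }
    '{0,-20} {1}' -f $name, $state
}

# 3. To publish a missing attribute, set the flag on its attributeSchema object on the schema
#    master (a schema change; plan it as the article advises). Shown here but left inactive:
# $missing = $schemaReport | Where-Object { -not $_.InGlobalCatalog }
# foreach ($m in $missing) {
#     Set-ADObject -Server $SchemaMaster -Identity $m.SchemaDN -Replace @{ isMemberOfPartialAttributeSet = $true }
# }
```

Run step 1 and step 2 before changing anything: if an attribute shows InGlobalCatalog = False in the schema report and is "NOT returned by GC" for the test user, that is the condition that produces the "PropertyDefinitions can only be created on existing LDAP attributes" error above. After the flag is set, allow replication of the partial attribute set to complete before re-running step 2.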
For further information on configuring the LDAP and Active Directory connections into RSA Access Manager 6.0 see the documentation on the product CD-ROM or view online:
RSA Access Manager 6.0 Servers Installation and Configuration Guide
https://knowledge.rsasecurity.com/docs/rsa_cleartrust/access_manager/install_config.pdf
See also:
a17869 RSA ClearTrust Entitlements Server cannot find user-defined object classes in LDAP datastore
How to add custom properties in RSA ClearTrust