The Access Manager 7.1 Identity Repository (IdRepo) LDAPv3 plug-in must be able to add a service's object class name to a user's objectClass attribute, so that it can tell whether that user has been assigned the service. The following procedure describes how to load the Access Manager schema file into Active Directory and then how to configure Access Manager so that its services can be assigned to Active Directory users.
Make sure that Active Directory has “Windows Server 2003 forest functional level” enabled.
Edit the am_remote_ad_schema.ldif file, replacing every occurrence of @ROOT_SUFFIX@ with the actual root suffix of your Active Directory installation (for example, DC=example,DC=com).
After you have installed Access Manager 7.1 patch 1, this file is in the following directory, depending on your platform:
Solaris systems: /etc/opt/SUNWam/config/ldif
Linux systems: /etc/opt/sun/identity/config/ldif
Windows systems: C:\Program Files\Sun\JavaES5\identity\config\ldif
Using Active Directory tools (or another tool of your choice), load the edited am_remote_ad_schema.ldif file from the previous step into Active Directory. Because this changes the schema, run the load against the schema master with an account that holds schema administration rights (a member of Schema Admins).
In the Access Manager Administration Console:
Under Attribute Name Mapping, remove iplanet-am-user-alias-list=objectGUID and portalAddress=sAMAccountName.
In the datastore configuration page's LDAP User Attributes field, add the attribute names defined in the LDIF file you loaded.
If you are writing your own service with dynamic user attributes, the service.ldif file for Active Directory must NOT contain a modification such as the following, which statically attaches your class to the built-in User class:

    dn: CN=User,CN=Schema,CN=Configuration,ROOT_SUFFIX
    changetype: modify
    add: auxiliaryClass
    auxiliaryClass: yourClassname

Otherwise, Access Manager will not be able to assign the service's object class name to the user's objectClass attribute. Access Manager relies on dynamically linked auxiliary classes (the reason for the forest functional level requirement above) and adds the class to individual user objects as they are assigned the service; attaching it to the User class itself defeats that.
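The following script is an added example, not Sun's code and not part of Access Manager, that automates three of the steps above: substituting @ROOT_SUFFIX@ in an LDIF file, listing the attribute names defined in it (the values to paste into the LDAP User Attributes field), and flagging any record that adds an auxiliaryClass to the User class, which a service LDIF must not contain. The embedded sample LDIF is constructed for the example; its attribute and class names are hypothetical placeholders, not names from am_remote_ad_schema.ldif, and it omits the attributeID/governsID OIDs a real schema entry also needs.

```python
"""Prepare and sanity-check LDIF for the Access Manager 7.1 IdRepo / Active Directory steps.

Added example (not Sun's code). SAMPLE_SERVICE_LDIF below is constructed and
uses hypothetical names; it deliberately contains the forbidden User-class
modification so the check has something to flag.
"""
import re

PLACEHOLDER = "@ROOT_SUFFIX@"
# DN prefix of Active Directory's built-in User class schema object (case-insensitive match).
USER_CLASS_DN_PREFIX = "cn=user,cn=schema,cn=configuration,"


def substitute_root_suffix(ldif_text, root_suffix):
    """Replace @ROOT_SUFFIX@ with the real root suffix, e.g. 'DC=example,DC=com'."""
    if PLACEHOLDER not in ldif_text:
        raise ValueError("placeholder %s not found; was the file already edited?" % PLACEHOLDER)
    return ldif_text.replace(PLACEHOLDER, root_suffix)


def parse_ldif_records(ldif_text):
    """Minimal LDIF parser: returns a list of records, each a list of (attribute, value).

    Folded continuation lines (leading space) are unfolded and '#' comments
    skipped. Base64 values ('::') are kept encoded; the checks here only need
    DNs, changetypes and attribute names, which are plain text.
    """
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    records, current = [], []
    for line in unfolded.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        current.append((attr.strip(), value.lstrip(":").strip()))
    if current:
        records.append(current)
    return records


def record_dn(record):
    """Return the record's dn value, or '' if it has none."""
    for attr, value in record:
        if attr.lower() == "dn":
            return value
    return ""


def user_class_auxiliary_mods(ldif_text):
    """DNs of records that add auxiliaryClass to the User class.

    These are exactly the records the note above says a service LDIF must NOT
    contain: a class attached statically to User cannot be added dynamically to
    a single user's objectClass, so Access Manager could not mark the service
    as assigned.
    """
    hits = []
    for rec in parse_ldif_records(ldif_text):
        dn = record_dn(rec)
        if not dn.lower().startswith(USER_CLASS_DN_PREFIX):
            continue
        is_modify = any(a.lower() == "changetype" and v.lower() == "modify" for a, v in rec)
        adds_aux = any(a.lower() == "add" and v.lower() == "auxiliaryclass" for a, v in rec)
        if is_modify and adds_aux:
            hits.append(dn)
    return hits


def attribute_names_defined(ldif_text):
    """lDAPDisplayName of every attributeSchema entry: the names for LDAP User Attributes."""
    names = []
    for rec in parse_ldif_records(ldif_text):
        is_attr_schema = any(a.lower() == "objectclass" and v.lower() == "attributeschema"
                             for a, v in rec)
        display = [v for a, v in rec if a.lower() == "ldapdisplayname"]
        if is_attr_schema and display:
            names.append(display[0])
    return names


# Constructed sample (hypothetical names). Real entries also need attributeID / governsID OIDs.
SAMPLE_SERVICE_LDIF = """\
dn: CN=example-svc-attr,CN=Schema,CN=Configuration,@ROOT_SUFFIX@
changetype: add
objectClass: attributeSchema
lDAPDisplayName: example-svc-attr
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE

dn: CN=example-svc-class,CN=Schema,CN=Configuration,@ROOT_SUFFIX@
changetype: add
objectClass: classSchema
lDAPDisplayName: example-svc-class
objectClassCategory: 3
mayContain: example-svc-attr

dn: CN=User,CN=Schema,CN=Configuration,@ROOT_SUFFIX@
changetype: modify
add: auxiliaryClass
auxiliaryClass: example-svc-class
"""

if __name__ == "__main__":
    ldif = substitute_root_suffix(SAMPLE_SERVICE_LDIF, "DC=example,DC=com")
    print("LDAP User Attributes to add:", attribute_names_defined(ldif))
    for dn in user_class_auxiliary_mods(ldif):
        print("REMOVE this record before loading:", dn)
```

Run it against your own edited file by reading the file contents into the same functions; an empty result from user_class_auxiliary_mods is what you want before loading a service LDIF, and the list from attribute_names_defined is what goes into the LDAP User Attributes field.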