Sun Java System Access Manager 7.1 Postinstallation Guide

Configuring Active Directory With Access Manager Schema Files

The Access Manager 7.1 Identity Repository (IdRepo) LDAPv3 plug-in must be able to assign the service's object class name to the user's object class attribute, so it can tell if a user has been assigned a given service. The following procedure describes how to load the Access Manager schema files into Active Directory and then to configure Access Manager to enable the Access Manager services.

Procedure: To Configure Active Directory with Access Manager Schema Files

  1. Make sure that Active Directory has “Windows Server 2003 forest functional level” enabled.

  2. Edit the am_remote_ad_schema.ldif file by replacing @ROOT_SUFFIX@ with the actual root suffix of your Active Directory installation.

    After you have installed Access Manager 7.1 patch 1, this file is available in the following directory, depending on your platform:

    • Solaris systems: /etc/opt/SUNWam/config/ldif

    • Linux systems: /etc/opt/sun/identity/config/ldif

    • Windows systems: C:\Program Files\Sun\JavaES5\identity\config\ldif

  3. Using Active Directory tools (or another tool of your choice), load the am_remote_ad_schema.ldif file from the previous step into Active Directory.

  4. In the Access Manager Administration Console:

    • Under Attribute Name Mapping, remove iplanet-am-user-alias-list=objectGUID and portalAddress=sAMAccountName.

    • In the datastore configuration page's LDAP User Attributes field, add the attribute names defined in the am_remote_ad_schema.ldif file loaded in the previous step.

  5. If you are writing your own service with dynamic user attributes, the service.ldif file for Active Directory must NOT have the following lines:

    dn: CN=User,CN=Schema,CN=Configuration,ROOT_SUFFIX
    changetype: modify
    add: auxiliaryClass
    auxiliaryClass: yourClassname

    Otherwise, Access Manager will not be able to assign the service's object class name to the user's object class attribute.
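The following Python script is an added example; it is not part of this guide or of Access Manager. It covers step 2 (substituting @ROOT_SUFFIX@ in a schema LDIF file) and a check for the step 5 condition (a service.ldif that modifies the CN=User schema entry by adding an auxiliaryClass). The sample LDIF text, the attribute OID in it, and the suffix DC=example,DC=com are constructed placeholders, and the small LDIF record parser is the example's own, not a Sun or Microsoft tool.

```python
"""Prepare and lint Access Manager LDIF files for Active Directory.

Added example, not Sun's code.  Assumptions: LDIF is handled as plain text,
the root suffix is a caller-supplied placeholder such as DC=example,DC=com,
and the only thing the lint looks for is the auxiliaryClass modification of
CN=User that the guide says a service.ldif for Active Directory must not have.
"""
import re
from typing import Dict, List

ROOT_SUFFIX_TOKEN = "@ROOT_SUFFIX@"

# DN of the Active Directory User class definition (case-insensitive prefix).
USER_SCHEMA_DN = re.compile(r"^cn=user,cn=schema,cn=configuration,", re.IGNORECASE)


def render_schema_ldif(template: str, root_suffix: str) -> str:
    """Step 2: replace every @ROOT_SUFFIX@ token with the real AD root suffix."""
    if ROOT_SUFFIX_TOKEN not in template:
        raise ValueError("template does not contain %s" % ROOT_SUFFIX_TOKEN)
    return template.replace(ROOT_SUFFIX_TOKEN, root_suffix)


def parse_ldif_records(text: str) -> List[Dict[str, List[str]]]:
    """Split LDIF text into records; each record maps lowercase attribute
    name -> list of values.  Folded lines (continuations starting with one
    space) are joined, comment lines are skipped, and base64 values ('::')
    are kept undecoded with the marker stripped."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():  # blank line ends the current record
            if current:
                records.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.lstrip(":").strip())
    if current:
        records.append(current)
    return records


def find_user_auxiliaryclass_mods(text: str) -> List[str]:
    """Step 5 check: return the DNs of change records that modify the AD User
    schema entry by adding an auxiliaryClass.  Such a record must be removed
    from a service.ldif destined for Active Directory, otherwise Access
    Manager cannot assign the service's object class to the user itself."""
    hits: List[str] = []
    for rec in parse_ldif_records(text):
        dn = rec.get("dn", [""])[0]
        if not USER_SCHEMA_DN.match(dn.replace(" ", "")):
            continue
        is_modify = any(v.lower() == "modify" for v in rec.get("changetype", []))
        adds_aux = any(v.lower() == "auxiliaryclass" for v in rec.get("add", []))
        if is_modify and adds_aux:
            hits.append(dn)
    return hits


# Constructed sample: one harmless attribute definition followed by exactly the
# kind of CN=User modification the guide says must not be present.  The OID and
# names are placeholders, not real Access Manager schema values.
SAMPLE_TEMPLATE = """\
dn: CN=myServiceAttr,CN=Schema,CN=Configuration,@ROOT_SUFFIX@
changetype: add
objectClass: attributeSchema
cn: myServiceAttr
attributeID: 1.3.6.1.4.1.99999.1.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE

dn: CN=User,CN=Schema,CN=Configuration,@ROOT_SUFFIX@
changetype: modify
add: auxiliaryClass
auxiliaryClass: myServiceClass
-
"""

if __name__ == "__main__":
    rendered = render_schema_ldif(SAMPLE_TEMPLATE, "DC=example,DC=com")  # placeholder suffix
    for dn in find_user_auxiliaryclass_mods(rendered):
        print("remove this modification before loading into Active Directory:", dn)
```

Run the lint over a service.ldif before loading it with the Active Directory tools mentioned in step 3; any DN it reports is a record to delete from the file.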