Sun Java System Access Manager 7.1 Postinstallation Guide

Overview of Using Active Directory as the User Data Store

By default, Access Manager 7.1 defines a set of object classes and attributes. These object classes and attributes are required in your Active Directory server if you want Access Manager to manage your Active Directory server.

The Access Manager Console provides user management functionality based on Access Manager's predefined set of object classes and attributes, as specified in the Access Manager XML files. If the Active Directory server you are trying to access does not define these required object classes or attributes, any access involving the missing object class or attribute will fail unless you change the user XML files to match the attributes defined in your Active Directory server.

For example, when you create a user via the Access Manager Console, the Console writes out to the Active Directory server the predefined set of Access Manager object classes and attributes for the user. If the Active Directory server is not configured with the same set of user object classes and attributes, the user create operation will fail. When you use the Console's user information page to edit a user's information, unless the Active Directory server has the same set of attributes and/or object classes defined for the user as Access Manager does, the operation will fail.

The Access Manager 7.1 Identity Repository (IdRepo) LDAPv3 plug-in provides attribute name mapping: an attribute can be known by one name in Access Manager and by a different name in your Active Directory server. As a result, if you use attribute name mapping you need not define every Access Manager attribute in Active Directory under its Access Manager name. However, if Access Manager has more attributes than your Active Directory server has, you cannot map them one-to-one, and the Access Manager read or write operations that touch the unmapped attributes will fail because those attributes are missing from the Active Directory server.
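The following is an added example, not code from the Access Manager documentation or product: a small pre-deployment check that models the attribute name mapping described above. Given the attributes Access Manager expects, the Access Manager-to-Active Directory name mapping, and the attributes actually present in the Active Directory user schema, it reports which Access Manager attributes cannot be resolved and whether a given read or write operation would fail. The attribute names and the mapping are constructed sample data, not a verified Access Manager schema or configuration syntax.

```python
# Added example (not from the Access Manager docs). Attribute names below are
# constructed sample data chosen to illustrate the mapping rules, not the
# product's actual schema or configuration format.

# Attributes Access Manager expects to read or write for a user (illustrative)
AM_USER_ATTRIBUTES = {"uid", "cn", "sn", "givenName", "mail", "inetUserStatus"}

# Attributes present on the user class in the target Active Directory schema
AD_USER_ATTRIBUTES = {"sAMAccountName", "cn", "sn", "givenName", "mail",
                      "userAccountControl"}

# IdRepo-style name mapping: Access Manager attribute name -> AD attribute name
NAME_MAPPING = {"uid": "sAMAccountName"}


def resolve(am_attr, mapping):
    """Return the AD attribute name Access Manager would use for am_attr.
    Unmapped names are used unchanged, as with no mapping at all."""
    return mapping.get(am_attr, am_attr)


def unresolved_attributes(am_attrs, mapping, ad_attrs):
    """Access Manager attributes that neither exist in AD under their own
    name nor map to an attribute that exists in the AD schema."""
    return sorted(a for a in am_attrs if resolve(a, mapping) not in ad_attrs)


def mapping_collisions(am_attrs, mapping):
    """AD attribute names that more than one Access Manager attribute resolves
    to; such a mapping is not one-to-one and would make writes ambiguous."""
    targets = {}
    for a in am_attrs:
        targets.setdefault(resolve(a, mapping), []).append(a)
    return {t: sorted(srcs) for t, srcs in targets.items() if len(srcs) > 1}


def operation_check(op_attrs, mapping, ad_attrs):
    """Predict whether a read/write touching op_attrs can succeed against AD,
    listing the attributes that would cause it to fail."""
    missing = unresolved_attributes(op_attrs, mapping, ad_attrs)
    return {"ok": not missing, "missing": missing}


if __name__ == "__main__":
    print("unresolved:", unresolved_attributes(AM_USER_ATTRIBUTES, NAME_MAPPING,
                                               AD_USER_ATTRIBUTES))
    print("collisions:", mapping_collisions(AM_USER_ATTRIBUTES, NAME_MAPPING))
    print("create user:", operation_check(AM_USER_ATTRIBUTES, NAME_MAPPING,
                                          AD_USER_ATTRIBUTES))
```

Running the check before pointing Access Manager at a directory shows which user operations will fail (here, anything touching the unmapped `inetUserStatus`) and whether the mapping is still one-to-one.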