When you create a user, CA Identity Manager searches the user store to verify that the user does not already exist. This search is limited to users who have the objectclasses specified in the user object definition in the directory configuration file (directory.xml). If no existing user is found in those objectclasses, CA Identity Manager tries to create the user.
When a user already exists with the same unique identifier (user ID) but a different objectclass, the LDAP server fails to create the user. The error is reported by the LDAP server, but CA Identity Manager does not recognize it, so CA Identity Manager appears to create the user successfully.
To prevent this issue, you can configure a SEARCH_ACROSS_CLASSES property that causes CA Identity Manager to search users across all objectclass definitions when checking for existing users.
Note: This property affects only searches for duplicate users when performing tasks such as creating a user. For all other searches, objectclass constraints apply.
To search across objectclasses, add the following PropertyDict element to the user object definition in directory.xml:

<PropertyDict name="SEARCH_ACROSS_CLASSES" description="allowing checking an attribute across classes">
    <Property name="ENABLE">true</Property>
</PropertyDict>
Note: The PropertyDict element must be the last element in the ImsManagedObject element, as in the following example:
<ImsManagedObject name="User" description="My Users" objectclass="top,person,organizationalperson,inetorgperson,customClass" objecttype="USER">
    <ImsManagedObjectAttr physicalname="departmentnumber" displayname="Department" description="Department" valuetype="String" required="true" multivalued="false" maxlength="0" />
    . . .
    <PropertyDict name="SEARCH_ACROSS_CLASSES" description="allow checking an attribute across classes">
        <Property name="ENABLE">true</Property>
    </PropertyDict>
</ImsManagedObject>
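Because a misplaced or disabled PropertyDict silently leaves the duplicate-user check limited to the listed objectclasses, it is worth validating directory.xml before deployment. The following checker is an added example, not CA code or part of the product documentation; it assumes an ImsManagedObjects wrapper element around the object definitions and uses a constructed sample file in which the Group definition places the PropertyDict in the wrong position.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the directory.xml fragment above. The
# <ImsManagedObjects> wrapper element is an assumption; the "Group" object
# deliberately places the PropertyDict before an attribute to show the failure.
SAMPLE_DIRECTORY_XML = """<ImsManagedObjects>
  <ImsManagedObject name="User" description="My Users" objecttype="USER"
      objectclass="top,person,organizationalperson,inetorgperson,customClass">
    <ImsManagedObjectAttr physicalname="departmentnumber" displayname="Department"
        description="Department" valuetype="String" required="true"
        multivalued="false" maxlength="0" />
    <PropertyDict name="SEARCH_ACROSS_CLASSES"
        description="allow checking an attribute across classes">
      <Property name="ENABLE">true</Property>
    </PropertyDict>
  </ImsManagedObject>
  <ImsManagedObject name="Group" description="My Groups" objecttype="GROUP"
      objectclass="top,groupOfNames">
    <PropertyDict name="SEARCH_ACROSS_CLASSES" description="misplaced">
      <Property name="ENABLE">true</Property>
    </PropertyDict>
    <ImsManagedObjectAttr physicalname="cn" displayname="Name" description="Name"
        valuetype="String" required="true" multivalued="false" maxlength="0" />
  </ImsManagedObject>
</ImsManagedObjects>"""

def check_search_across_classes(xml_text):
    """Map each ImsManagedObject name to (enabled, is_last_child): ENABLE reads
    "true", and the PropertyDict is the final child element as the product requires."""
    results = {}
    for obj in ET.fromstring(xml_text).iter("ImsManagedObject"):
        children = list(obj)
        enabled = is_last = False
        for idx, child in enumerate(children):
            if child.tag == "PropertyDict" and child.get("name") == "SEARCH_ACROSS_CLASSES":
                flag = child.find("Property[@name='ENABLE']")
                enabled = flag is not None and (flag.text or "").strip().lower() == "true"
                is_last = idx == len(children) - 1
                break
        results[obj.get("name")] = (enabled, is_last)
    return results

def misconfigured_objects(xml_text):
    """Names of object definitions whose duplicate-user check is not effective."""
    return sorted(name for name, (enabled, is_last) in
                  check_search_across_classes(xml_text).items()
                  if not (enabled and is_last))
```

Run it against the real directory.xml text instead of the sample; any name it returns is an object definition where a same-ID entry of another objectclass can still slip past the pre-create search.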
Copyright © 2011 CA. All rights reserved.