CA IdentityMinder searches the user store to check if the user exists or not when you create a user. This search is limited to users who have the objectclasses specified in the user object definition in the directory configuration file (directory.xml). If no existing user is found in those objectclasses, CA IdentityMinder tries to create the user.
If a user exists with the same unique identifier (user ID) but a different objectclass, the LDAP server fails to create the user. The error is reported in the LDAP server, but CA IdentityMinder does not recognize the error. CA IdentityMinder appears to create the user successfully.
To prevent this issue, you can configure a SEARCH_ACROSS_CLASSES property that causes CA IdentityMinder to search users across all objectclass definitions when checking for existing users.
Note: This property affects only searches for duplicate users when performing tasks such as creating a user. For all other searches, objectclass constraints apply.
Follow these steps:
<PropertyDict name="SEARCH_ACROSS_CLASSES" description="allowing checking an attribute across classes "> <Property name="ENABLE">true</Property> </PropertyDict>
Note: The PropertyDict element must be the last element in the ImsManagedObject element, as in the following example:
<ImsManagedObject name="User" description="My Users" objectclass="top,person,organizationalperson,inetorgperson,customClass" objecttype="USER"> <ImsManagedObjectAttr physicalname="departmentnumber" displayname="Department" description="Department" valuetype="String" required="true" multivalued="false" maxlength="0" /> . . . <PropertyDict name="SEARCH_ACROSS_CLASSES" description="allow checking an attribute across classes "> <Property name="ENABLE">true</Property> </PropertyDict>
|
Copyright © 2013 CA.
All rights reserved.
|
|