Previous Topic: Enable Nested Security

Next Topic: Cache Management

Enable Enhanced Active Directory Integration

Active Directory 2000 and Active Directory 2003 have several user and domain attributes that are specific to the Windows network operating system (NOS) and are not required by the LDAP standard. These attributes are:

If you configure the Policy Server to use Active Directory as a user store, enable Enhanced Active Directory Integration from the Policy Server Global Tools task available from the Administrative UI. This option improves the integration between the Policy Server's user management feature and Password Services with Active Directory by synchronizing Active Directory user attributes with SiteMinder mapped user attributes.

Note: The feature is not supported with ADAM.

To enable enhanced Active Directory integration

  1. Log into the Administrative UI.
  2. Click Administration, Policy Server, Global Tools.

    The Global Tools pane opens.

  3. Select Enhance Active Directory Integration. By default this feature is disabled.

    Note: After enabling this feature, you must have administrator credentials to modify the AD user store and have privileges to update AD attributes. If you do not have these credentials and privileges, the Policy Server returns an error message.

  4. Click Submit.

    The Policy Server enables enhanced Active Directory integration.

  5. Navigate to the User Directory dialog on the Infrastructure tab.
  6. Open the Active Directory object for editing.
  7. In the Root field, enter the default Windows domain's DN as the user directory root. For example:
    dc=WindowsDomain,dc=com
    

    Note: AD-specific features may not work in the Root field is set to another value.

  8. Click Submit.

Note: A password policy that disables an account after exceeding an inactivity period does not work properly if the Enhance Active Directory Integration feature is enabled with AD 2000. As a result, user account inactivity integration is not supported for AD 2000; use AD 2003 instead.


Copyright © 2010 CA. All rights reserved. Email CA about this topic