Extend the Active Directory Schema by Adding Custom Attributes

This section applies to CA Identity Manager and CA Secure Cloud. The information here is not relevant to CA Identity Governance.
imgc
This section applies only to CA Identity Manager.
The Active Directory connector lets you manage additional attributes, including an extended Active Directory schema.
The mapping extended Active Directory attributes mechanism has limited functionality and is not intended to support the full functionality of built-in Active Directory attributes. The mechanism assumes that all of the following conditions are true:
  • Extended attributes that are defined in the attribute map must be set for all managed accounts.
  • The values of the extended attributes that are defined in the attribute map must have a fixed length.
  • The connector applies your extensions to the entire enterprise.
The Active Directory connector cannot manage some sensitive attributes that are protected by Active Directory.
 
Follow these steps:
 
  1. Create the 
    schema.ext
     file at the following location:
    <ProvisioningServer_HOME>\data\ADS
    If C++ Connector Server (CCS) is located on a separate machine, ensure that you create the 
    schema.ext
     file on CCS too at the following location:
    <ConnectorServer_HOME>\ccs\data\ads
    After creating the
    schema.ext
    file, restart CCS.
  2. In the text file, list the display name of each attribute on a single line by itself. Include the following attributes:
    • Any custom ADS account attributes that have been added to the ADS schema
    • Any ADS account attributes that do not actually exist in the ADS schema but are used in ADSExitUsrPreAdd.txt and ADSExitUsrPostAdd.txt.
    For example, if the LDAP display name of the attribute on the target system is extendedAttribute, the attribute name in the schema.ext file must be extendedAttribute. The LDAP display name can be found under the Name column of the Active Directory Schema\Attributes or the attribute name when you use the JXplorer to connect to the Active Directory and browse a user account.
  3. Restart the Provisioning Server.
    The Provisioning Manager now displays a new property page named Custom, for both account templates and accounts. This new page lists the extended attributes and their values.
    You can now map the extended Active Directory attributes to a global user's attributes and custom fields by using rule strings in Active Directory account templates.
Note: 
If you delete attributes from the schema.ext file, the following steps happen in the Provisioning Manager:
  • Attributes are removed from the list of extended attributes on the Custom tab on the ADS Account property sheet.
  • Attributes are marked as invalid (N) in the Valid column on the ADS Account Template property sheet. You can then remove the attributes and delete them from the provisioning repository.
Example: Correlate Active Directory Extended Attributes
 
Extended Active Directory schema attributes that are set for a particular account are stored together with their values in the account's attribute called 'eTADSpayload' (user-friendly name 'payload') in the following format:
<extendedAttributeName1>:<reservedValue>:<valueLength>=<value>;<extendedAttributeName2>:<valueN>
<reservedValue> is a value reserved for future use. It is currently always set to 01.
Attribute mapping can be set from the managed Active Directory endpoint by specifying a mapping function substring with an offset and length. For more detailed information, see the section "Explore and Correlate Parameters" in the 
Provisioning Reference Guide
.
Check this reference, and add a link:
GUAttrName[=Endpoint Type:AccountAttrName[:Offset,Length]]
The following is an example of mapping the extended attributes to a global user's custom attributes:
eTADSpayload extendedAttribute1:01:0006=value1;extendedAttribute2:01:0007=value10;extendedAttribute2:01:0008=value100 eTCustomField01=eTADSpayload:SUB(28,6) eTCustomField02=eTADSpayload:SUB(62,7) eTCustomField03=eTADSpayload:SUB(97,8)
The attribute mapping mechanism uses substring (SUB) and it specifies the offset and the length of the value.