Extend the Active Directory Schema by Adding Custom Attributes
The Active Directory connector lets you manage additional attributes, including an extended Active Directory schema.
This section applies to Identity Manager only.
- Extended attributes that are defined in the attribute map must be set for all managed accounts.
- The values of the extended attributes that are defined in the attribute map must have a fixed length.
- The connector applies your extensions to the entire enterprise.
The Active Directory connector cannot manage some sensitive attributes that are protected by Active Directory.
Follow these steps:
- Create the schema.ext file at the following location: <ProvisioningServer_HOME>\data\ads
  If C++ Connector Server is located on a separate machine, also create the schema.ext file on the C++ Connector Server at the following location: <ConnectorServer_HOME>\ccs\data\ads
  After creating the schema.ext file, restart C++ Connector Server.
- In the text file, list the display name of each attribute on a single line by itself. Include the following attributes:
- Any custom Active Directory Server account attributes that have been added to the Active Directory Server schema.
- Any Active Directory Server account attributes that do not actually exist in the Active Directory Server schema but are used in ADSExitUsrPreAdd.txt and ADSExitUsrPostAdd.txt.
- Restart the Provisioning Server.
  The Provisioning Manager now displays a new property page named Custom, for both account templates and accounts. This new page lists the extended attributes and their values.
  You can now map the extended Active Directory attributes to a global user's attributes and custom fields by using rule strings in Active Directory account templates.
If you delete attributes from the schema.ext file, the following actions are taken in the Provisioning Manager:
- Attributes are removed from the list of extended attributes on the Custom tab that is available on the Active Directory Server Account property sheet.
- Attributes are marked as invalid (N) in the Valid column on the Active Directory Server Account Template property sheet. You can then remove the attributes and delete them from the provisioning repository.
Example: Correlate Active Directory Extended Attributes
Extended Active Directory schema attributes that are set for a particular account are stored together with their values in the account's attribute called 'eTADSpayload' (user-friendly name 'payload') in the following format:
<extendedAttributeName1>:<reservedValue>:<valueLength>=<value>;<extendedAttributeName2>:<valueN>
<reservedValue> is a value reserved for future use. It is currently always set to 01.
Attribute mapping is set on the managed Active Directory endpoint by specifying the substring mapping function with an offset and a length. The rule string syntax is:
GUAttrName[=Endpoint Type:AccountAttrName[:Offset,Length]]
The following is an example of mapping the extended attributes to a global user's custom attributes:
Account attribute eTADSpayload:
extendedAttribute1:01:0006=value1;extendedAttribute2:01:0007=value10;extendedAttribute2:01:0008=value100
Rule strings in the account template:
eTCustomField01=eTADSpayload:SUB(28,6)
eTCustomField02=eTADSpayload:SUB(62,7)
eTCustomField03=eTADSpayload:SUB(97,8)
The attribute mapping mechanism uses the substring function (SUB), whose arguments are the offset of the value within eTADSpayload and the length of the value. This is why the extended attribute values must have a fixed length: if the length of one value changed, the offsets of every value after it in the payload would shift, and the rule strings would pick up the wrong characters.
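The following added example (not code from the product documentation or from the connector itself) parses an eTADSpayload string in the format described above, computes the SUB offset for each extended attribute, generates the corresponding eTCustomFieldNN rule strings, and checks the fixed-length rule across several accounts. It assumes that SUB offsets are 1-based, which is consistent with the example above (the value value1 starts at character 28 of the payload); the sample payloads, account names and the helper names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample: the same eTADSpayload layout as the example in this section.
SAMPLE_PAYLOAD = (
    "extendedAttribute1:01:0006=value1;"
    "extendedAttribute2:01:0007=value10;"
    "extendedAttribute2:01:0008=value100"
)

# Entry header: <name>:<reservedValue>:<valueLength>=   (reserved value is currently always "01")
HEADER_RE = re.compile(r"([^:;=]+):(\d{2}):(\d{4})=")


@dataclass
class PayloadEntry:
    name: str
    reserved: str
    length: int
    value: str
    sub_offset: int  # 1-based offset of the value, as used by SUB(offset,length)


def parse_payload(payload: str) -> list[PayloadEntry]:
    """Walk the payload using each entry's declared length instead of splitting on ';',
    so a value that happens to contain ';' or '=' cannot desynchronise the parser."""
    entries = []
    pos = 0
    while pos < len(payload):
        m = HEADER_RE.match(payload, pos)
        if not m:
            raise ValueError(f"malformed entry header at offset {pos}: {payload[pos:pos + 20]!r}")
        name, reserved, length = m.group(1), m.group(2), int(m.group(3))
        value_start = m.end()
        value = payload[value_start:value_start + length]
        if len(value) != length:
            raise ValueError(f"{name}: declared length {length}, only {len(value)} chars present")
        entries.append(PayloadEntry(name, reserved, length, value, value_start + 1))
        pos = value_start + length
        if pos < len(payload):
            if payload[pos] != ";":
                raise ValueError(f"expected ';' after {name} at offset {pos}")
            pos += 1
    return entries


def sub(payload: str, offset: int, length: int) -> str:
    """Emulates the SUB(offset,length) mapping function with a 1-based offset (assumption)."""
    return payload[offset - 1:offset - 1 + length]


def mapping_rules(payload: str, prefix: str = "eTCustomField") -> list[str]:
    """Generate one rule string per entry: eTCustomFieldNN=eTADSpayload:SUB(offset,length)."""
    return [
        f"{prefix}{i:02d}=eTADSpayload:SUB({e.sub_offset},{e.length})"
        for i, e in enumerate(parse_payload(payload), start=1)
    ]


def offset_mismatches(payloads: dict[str, str]) -> list[str]:
    """Check the fixed-length rule across several accounts: a rule string built from one
    account only works for another if every (name, offset, length) triple lines up.
    Returns a description of each account whose layout differs (empty list when consistent)."""
    layouts = {
        acct: [(e.name, e.sub_offset, e.length) for e in parse_payload(p)]
        for acct, p in payloads.items()
    }
    reference_acct, reference = next(iter(layouts.items()))
    return [
        f"{acct}: layout {layout} differs from {reference_acct}"
        for acct, layout in layouts.items()
        if layout != reference
    ]


if __name__ == "__main__":
    for entry in parse_payload(SAMPLE_PAYLOAD):
        print(f"{entry.name}: SUB({entry.sub_offset},{entry.length}) -> {entry.value!r}")
    print("\n".join(mapping_rules(SAMPLE_PAYLOAD)))
    # Constructed second account whose first value is shorter: every later offset shifts.
    shorter = "extendedAttribute1:01:0003=abc;extendedAttribute2:01:0007=value10"
    print(offset_mismatches({"account1": SAMPLE_PAYLOAD, "account2": shorter}))
```

Running the block reproduces the three rule strings from the example above; the mismatch check is the test a practitioner would run over the payloads of the managed accounts before relying on a rule string, since a single value of a different length silently changes what the later SUB expressions return.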