Creating Role and AOR Custom Attributes in the LDAP Active Directory
If you use the LDAP server for authorization without groups, you must update the Microsoft Active Directory (AD) to add the custom attributes NmRoles and NmAors for roles and areas of responsibility (AORs), respectively.
This procedure assumes you are familiar with Microsoft Management Console (MMC) and Microsoft Active Directory (AD). Because it extends the AD schema, the change is forest-wide and must be performed by an account that is a member of the Schema Admins group.
Before performing this task, you must obtain two unique object identifiers (OIDs): one for the roles attribute and one for the AOR attribute.
Note: If you have more than just a few users, it is recommended that you perform authorization using LDAP groups. If you use groups, you do not need to perform this task, but you do need to have the groups created on the LDAP server. On SANnav, you must upload the groups and assign roles and AORs to the groups.
Perform the following steps on the LDAP server to add two new custom attributes to the AD: NmRoles and NmAors.
1. On the LDAP server, install the Active Directory Schema.
a. Select Start > Run.
b. Type regsvr32 schmmgmt.dll and press Enter.
2. Open the MMC, and add the Active Directory Schema into the MMC console.
3. Expand the Active Directory Schema tree in the MMC console, right-click the Attributes folder, and select Create Attribute.
4. Enter values for the Roles attribute in the Create New Attribute dialog box, and click OK.
Common Name = NmRoles
LDAP Display Name = NmRoles
Unique X500 Object ID = the unique OID you obtained previously
Syntax = Case Insensitive String
5. Repeat step 4 to add the NmAors attribute.
Common Name = NmAors
LDAP Display Name = NmAors
Unique X500 Object ID = the second unique OID you obtained previously (not the one used for NmRoles)
Syntax = Case Insensitive String
6. Add the new attributes to the user class.
a. Expand the Classes folder, right-click user, and select Properties.
b. Click the Attributes tab, and then click Add.
c. Select the NmRoles attribute, and click OK.
d. Click Add again, select the NmAors attribute, and click OK.
e. Click OK to close the user Properties dialog box.
7. Close the MMC, and restart the Active Directory service.
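To confirm the result of the procedure above, the following PowerShell script (added here as an example; it is not part of the SANnav documentation) reads the schema partition and checks that both attributes exist with the Case Insensitive String syntax (attributeSyntax 2.5.5.4, oMSyntax 20), that their OIDs differ, and that both are listed as optional attributes of the user class. It assumes the ActiveDirectory module from RSAT is installed and that the account running it can read the schema partition.

```powershell
# Verification of the NmRoles / NmAors schema extension (added example, not vendor code).
# Assumes: RSAT ActiveDirectory module; read access to the schema naming context.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$names    = 'NmRoles', 'NmAors'
$expectedSyntax   = '2.5.5.4'   # Case Insensitive String (Teletex) as shown in the MMC dialog
$expectedOMSyntax = 20
$problems = @()
$oids     = @{}

foreach ($name in $names) {
    # Each custom attribute is an attributeSchema object directly under the schema container.
    $attr = Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
        -Properties attributeID, attributeSyntax, oMSyntax
    if (-not $attr) {
        $problems += "$name is not defined in the schema"
        continue
    }
    if ($attr.attributeSyntax -ne $expectedSyntax -or $attr.oMSyntax -ne $expectedOMSyntax) {
        $problems += "$name has syntax $($attr.attributeSyntax)/$($attr.oMSyntax); expected $expectedSyntax/$expectedOMSyntax"
    }
    $oids[$name] = $attr.attributeID
    Write-Host ("{0}: OID {1}" -f $name, $attr.attributeID)
}

# The procedure requires two distinct OIDs; a copy-paste of the same OID is a common mistake.
if ($oids.Count -eq 2 -and $oids['NmRoles'] -eq $oids['NmAors']) {
    $problems += 'NmRoles and NmAors share the same OID; each attribute needs its own'
}

# Step 6 adds both attributes to the user class, which appears in its mayContain list.
$userClass = Get-ADObject -Identity "CN=User,$schemaNC" -Properties mayContain
foreach ($name in $names) {
    if ($userClass.mayContain -notcontains $name) {
        $problems += "$name is not an optional attribute (mayContain) of the user class"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host 'NmRoles and NmAors are defined as Case Insensitive String and attached to the user class.'
```

Run the script on a domain controller or on any domain-joined host with RSAT; a non-zero exit code means at least one of the checks failed and the corresponding step should be repeated.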