Microsoft Active Directory Lightweight Directory Service (AD LDS) concerns
The following concerns are specific to Microsoft Active Directory Lightweight Directory Service (AD LDS).
- In the Policy Server configuration, we can select either a standard data model or a minimal data model for the user registry. If we use AD LDS, we must select the minimal data model, because AD LDS allows only a single naming attribute when creating LDAP objects. When AD LDS is selected as the user registry, ISAM always uses the minimal data model even if the standard data model is selected during the Policy Server configuration.
- The common name (cn) attribute is a single-value attribute and can store only one value. The AD LDS registry requires the value of cn to be the same as the cn naming attribute in the distinguished name (dn) attribute. When creating a user or group in ISAM, specify the same value for cn as the cn naming attribute in the dn. ISAM ignores the value of the cn attribute if it is different from the value of the cn naming attribute in the dn. For example, we cannot use the following command to create a user because the value of the cn attribute, fred, is different from the cn naming attribute in the dn, user1:
pdadmin user create user1 cn=user1,o=ibm,c=us fred smith password1
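
Because ISAM ignores a mismatched cn rather than rejecting it, a pre-flight check on provisioning scripts can catch the problem before the command runs. The following Python sketch is an added example, not part of the ISAM product or its documentation; the function names are hypothetical, the positional argument order is taken from the command above, and the exact (case-sensitive) comparison is a deliberately strict assumption.

```python
import shlex

HEX = "0123456789abcdefABCDEF"

def leading_rdn(dn):
    """Return (attribute, value) of the first RDN, decoding RFC 4514 escapes."""
    buf, attr, i = bytearray(), None, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(h in HEX for h in pair):
                buf.append(int(pair, 16)); i += 3      # \2C style hex escape
            else:
                buf += dn[i + 1].encode(); i += 2      # \, style escape
            continue
        if c == "=" and attr is None:
            attr, buf = buf.decode().strip().lower(), bytearray()
        elif c == "+":
            raise ValueError("multi-valued RDN: AD LDS allows a single naming attribute")
        elif c == ",":
            break                                      # end of the leading RDN
        else:
            buf += c.encode()
        i += 1
    if attr is None:
        raise ValueError("leading RDN has no attribute=value pair")
    return attr, buf.decode()

def check_user_create(command):
    """Return a list of problems found in one 'pdadmin user create' line."""
    tokens = shlex.split(command)
    if tokens[:3] != ["pdadmin", "user", "create"]:
        return ["not a 'pdadmin user create' command"]
    args = tokens[3:]
    while args and args[0].startswith("-"):   # assumption: leading options start with '-'
        args.pop(0)
    if len(args) < 5:
        return ["expected positional arguments: user_name dn cn sn password"]
    dn, cn = args[1], args[2]
    try:
        attr, value = leading_rdn(dn)
    except ValueError as exc:                  # also covers invalid UTF-8 in hex escapes
        return [str(exc)]
    if attr == "cn" and value != cn:
        return [f"cn argument {cn!r} differs from naming attribute cn={value!r}; ISAM ignores it"]
    return []
```

An empty list means the cn argument matches the cn naming attribute in the dn; the command shown above returns one problem naming `fred` and `user1`.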