Sunday, January 30, 2011

Extending/Creating CA eTrust Directory schema

CA Identity Manager needs an LDAP directory for its user store, and CA eTrust Directory is the one it is used with. In this post I am writing up a few basic things you need to know about CA eTrust Directory.

1. Creating a new directory (DSA) -

After you install eTrust Directory, open a command prompt and run the following command:

dxnewdsa <dsa-name> <port> "<root-dn>"

For example:

dxnewdsa corpstore 11389 "dc=com"

where "dc=com" is the root DN, corpstore is the directory (DSA) name and 11389 is the port number.

2. Extending the eTrust schema

To extend the eTrust schema, create a new file with the extension .dxc. The contents of the file follow this format:

schema set attribute (1.1) = {
    name = employeeID
    ldap-names = employeeID
    syntax = caseIgnoreString
};

schema set object-class (1.2) = {
    name = CAPerson
    ldap-names = CAPerson
    subclass-of inetOrgPerson
    must-contain
        objectClass
    may-contain
        employeeID
};

The syntax is very simple. In the first section you declare each attribute with "schema set attribute (<oid>)", giving every attribute its own OID such as (1.1), followed by its properties inside the braces. In the second section you write the name of the new class, the class it extends after "subclass-of", and its attributes, comma separated, after "may-contain" (attributes that every entry must carry go after "must-contain"). Each block is closed with "};".
After the file is created, add the new schema file to the default.dxg file in the schema folder.
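A single missing "};" or an attribute name that is listed under may-contain but never defined can stop the DSA from loading the file, so it is worth sanity-checking a .dxc fragment before touching default.dxg. The script below is an added example written for this post; it is not part of CA Directory or CA Identity Manager. The sample schema text, the abbreviated base-attribute list and the 'source "file.dxc";' line syntax it expects in a .dxg are assumptions. It parses attribute and object-class blocks in the format above, checks that braces balance, that every attribute under must-contain or may-contain is defined (in the fragment or in the base schema), that each new attribute is actually allowed by some object class, and that a .dxg only references files that exist. Those are the cheap checks to run before chasing a runtime error like the "LDAP: error code 17" reported in the comments.

```python
"""Added example for this post (not CA code): sanity-check a .dxc schema fragment."""
import re

# Constructed sample in the format shown in the post; not a real CA schema file.
SAMPLE_DXC = """
schema set oid-prefix caAtPrefix = (2.5.4);
schema set attribute caAtPrefix:59 = {
    name = employeeID
    ldap-names = employeeID
    syntax = caseIgnoreString
};
schema set object-class (1.1) = {
    name = CAPerson
    ldap-names = CAPerson
    subclass-of inetOrgPerson
    must-contain objectClass
    may-contain
        employeeID,
        employeeStatus
};
"""
# The same fragment with the final "};" dropped, an easy mistake when editing by hand.
UNCLOSED_DXC = SAMPLE_DXC.rsplit("};", 1)[0]

# Attributes assumed to come from the base schema files (abbreviated, hypothetical).
BASE_ATTRIBUTES = {"objectclass", "cn", "sn", "uid", "mail"}

PREFIX_RE = re.compile(r"schema\s+set\s+oid-prefix\s+(\S+)\s*=\s*\(([\d.]+)\)\s*;")
BLOCK_RE = re.compile(
    r"schema\s+set\s+(attribute|object-class)\s+(\S+)\s*=\s*\{(.*?)\}\s*;", re.S)


def _parse_body(body):
    """Split a { ... } body into 'key = value' properties and the contain-lists."""
    props, lists, current = {}, {"must-contain": [], "may-contain": []}, None
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        first, _, rest = line.partition(" ")
        if first in lists:                      # list keyword; items may follow inline
            current, line = first, rest
        elif first == "subclass-of":
            props["subclass-of"], current = rest.strip(), None
            continue
        elif "=" in line:                       # ordinary property
            key, _, value = line.partition("=")
            props[key.strip()], current = value.strip(), None
            continue
        if current:                             # comma-separated list items
            lists[current] += [t.strip().lower() for t in line.split(",") if t.strip()]
    return props, lists


def _resolve_oid(ident, prefixes):
    """'(1.1)' -> '1.1'; 'caAtPrefix:59' -> '2.5.4.59' via the declared oid-prefix."""
    if ident.startswith("("):
        return ident.strip("()")
    prefix, _, suffix = ident.partition(":")
    if prefix not in prefixes:
        raise ValueError(f"unknown oid-prefix {prefix!r} in {ident!r}")
    return f"{prefixes[prefix]}.{suffix}"


def parse_dxc(text):
    """Return (attributes, object_classes), each keyed by lower-cased name."""
    prefixes = dict(PREFIX_RE.findall(text))
    attributes, classes = {}, {}
    for kind, ident, body in BLOCK_RE.findall(text):
        props, lists = _parse_body(body)
        entry = {"oid": _resolve_oid(ident, prefixes), **props, **lists}
        target = attributes if kind == "attribute" else classes
        target[entry.get("name", "").lower()] = entry
    return attributes, classes


def check_schema(text, base_attributes=BASE_ATTRIBUTES):
    """Return a list of findings; an empty list means the fragment looks loadable."""
    if text.count("{") != text.count("}"):
        return ["unbalanced braces: every 'schema set ... = {' needs a closing '};'"]
    attributes, classes = parse_dxc(text)
    findings, known, used = [], set(base_attributes) | set(attributes), set()
    for cls in classes.values():
        for attr in cls["must-contain"] + cls["may-contain"]:
            used.add(attr)
            if attr not in known:
                findings.append(f"undefined attribute {attr!r} referenced by "
                                f"object-class {cls.get('name', '?')!r}")
    for key, entry in attributes.items():
        if key not in used:                     # defined, but no class will accept it
            findings.append(f"attribute {entry.get('name')!r} is not permitted by any object-class here")
    return findings


def check_dxg_sources(dxg_text, available_files):
    """List the files a .dxg pulls in via 'source "file";' lines, and which are missing."""
    sourced = re.findall(r'source\s+"([^"]+)"\s*;', dxg_text)
    return sourced, [f for f in sourced if f not in available_files]


if __name__ == "__main__":
    for finding in check_schema(SAMPLE_DXC) or ["no findings"]:
        print(finding)
```

Run it as-is to see the findings for the constructed sample (employeeStatus is referenced but never defined); to check your own file, pass its text to check_schema and the text of default.dxg plus the directory listing of the schema folder to check_dxg_sources.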


  1. Need some help with configuring CA identity manager r12.5.

    I am trying to extend the schema to add a few additional attributes (as per my authoritative source).

    Below are the steps I followed:
    1) Updated the directory configuration (using the xml file) to add the new attributes through the Management console.
    2) Created a new file extendcadir.dxc (contents as below)

    schema set oid-prefix caAtPrefix = (2.5.4);

    schema set attribute caAtPrefix:59 = {
        name = employeestatus
        ldap-names = employeestatus
        syntax = caseIgnoreString
    };

    3) Referenced the extendcadir.dxc in default1.dxc (as config/schema/default.dxg was read-only)

    4) Updated config/server/directoryfile.dxi to refer to default1.dxc

    The first step worked and the attributes are listed under the cadir/user tab.
    However, when I try to create a user from the CA IAM user console (logged in as Admin),
    I get the following error:

    Create User task, User shubha: Create user "shubha" in organization "Employee": Failed to execute CreateUserEvent. ERROR MESSAGE: [LDAP: error code 17 - employeestatus]

    Am I missing any steps, or is there a different way to achieve this?

    Please advise.

  2. Error code 17 represents that CA IDM is not able to find the new ldap attribute created. Have you tried restarting the ldap directory after creating the new attribute? You can also view whether the new attribute was created properly before trying to add a user, I think using some dx viewer available with CA IDM.

  3. What is the default admin account in CA Directory? In Oracle/SunOne it is cn=Directory Manager

    - Prem