Environment
NetIQ Access Manager 4.x
NetIQ eDirectory 8.x
Situation
When implementing a User Store for OAuth 2.0 / OpenID Connect in NetIQ Access Manager 4.x using a third-party LDAP server, an attribute to store user consent (the authorization grant information) may have to be defined. When NetIQ eDirectory is the LDAP server, this is an attribute of syntax 'Stream'.
See the Access Manager Administration Guide, Chapter 5 'Configuring OAuth and OpenID Connect', section 'Extending a User Store for OAuth 2.0 Authorization Grant Information':
Access Manager OAuth 2.0 implementation stores the information about a client application, which a user authorizes to access attributes and resources. This information is unique per user. So, you need to store it as part of a User Object in the user store. If you already have an attribute, you can use it in Authorization Grant LDAP Attribute while defining Global Settings. If a free attribute is not available, then extend the User Object schema to add a new single-valued stream attribute with a name. Access Manager will store an XML object in this attribute for each user authorization.
Resolution
The eDirectory 'Stream' syntax is mapped to the LDAP syntax with OID (Object Identifier) 1.3.6.1.4.1.1466.115.121.1.5. In the LDAP Attribute Syntax Definitions, RFC 2252 (https://www.ietf.org/rfc/rfc2252.txt), section 4.3.2, this syntax is named 'Binary'.
To provide the Authorization Grant attribute on a third-party LDAP server, extend that server's schema with a single-valued attribute of syntax 1.3.6.1.4.1.1466.115.121.1.5 and allow it on user entries (add it to the user object class or to an auxiliary class attached to the users), then select it as the Authorization Grant LDAP Attribute in the Access Manager Global Settings.
Note that RFC 4517, which obsoletes RFC 2252, no longer defines the Binary syntax. A directory that follows RFC 4517 instead offers Octet String, OID 1.3.6.1.4.1.1466.115.121.1.40, for opaque binary values; a single-valued attribute of that syntax can equally hold the XML object Access Manager writes. Whichever syntax is used, verify in the server's subschema that the attribute is single-valued before pointing Access Manager at it.
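The following script is an added example and is not part of this article or of the Access Manager product. It builds the RFC 4512 attribute type description for the consent attribute with the Binary (or Octet String) syntax OID, and checks attributeTypes values read from a server's subschema entry to confirm that a candidate attribute is single-valued with a usable syntax. The attribute name oauthAuthorizationGrant, the OID arc 1.3.6.1.4.1.99999.1.1 and the sample subschema values are assumptions made for the example; use an OID under your own enterprise number and feed the checker the real attributeTypes values of your directory.

```python
import re

# LDAP syntax OIDs (RFC 2252 section 4.3.2; RFC 4517 section 3.3).
BINARY_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.5"        # what eDirectory's 'Stream' maps to
OCTET_STRING_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.40"  # RFC 4517 successor of Binary
USABLE_SYNTAXES = {BINARY_SYNTAX, OCTET_STRING_SYNTAX}

# Hypothetical OID for the new attribute (example only): replace it with an OID
# under your own IANA private enterprise number before loading it into a schema.
EXAMPLE_ATTR_OID = "1.3.6.1.4.1.99999.1.1"


def grant_attribute_description(name, oid=EXAMPLE_ATTR_OID, syntax=BINARY_SYNTAX):
    """Return the RFC 4512 AttributeTypeDescription for the consent-storage attribute."""
    if syntax not in USABLE_SYNTAXES:
        raise ValueError(f"syntax {syntax} cannot hold Access Manager's XML grant object")
    return (f"( {oid} NAME '{name}' "
            f"DESC 'Access Manager OAuth 2.0 authorization grants' "
            f"SYNTAX {syntax} SINGLE-VALUE )")


# Matches "( <oid> NAME 'x' ... )" or "( <oid> NAME ( 'x' 'y' ) ... )".
_ATTR_TYPE = re.compile(
    r"^\(\s*(?P<oid>[\w.-]+)\s+NAME\s+(?P<names>'[^']*'|\([^)]*\))(?P<rest>.*)\)$",
    re.S,
)


def parse_attribute_type(description):
    """Extract the fields the check needs from one attributeTypes value."""
    m = _ATTR_TYPE.match(description.strip())
    if not m:
        raise ValueError(f"not an AttributeTypeDescription: {description!r}")
    rest = m.group("rest")
    syntax = re.search(r"\bSYNTAX\s+([\d.]+)", rest)   # length suffix {n} is ignored
    return {
        "oid": m.group("oid"),
        "names": re.findall(r"'([^']*)'", m.group("names")),
        "syntax": syntax.group(1) if syntax else None,  # None: syntax inherited via SUP
        "single_value": bool(re.search(r"\bSINGLE-VALUE\b", rest)),
    }


def check_grant_attribute(attribute_types, attr_name):
    """Return why attr_name is unsuitable as Authorization Grant LDAP Attribute.

    attribute_types: attributeTypes values read from the server's subschema entry.
    An empty list means the attribute exists, is single-valued and has a syntax
    that can store the binary XML object Access Manager writes.
    """
    parsed = [parse_attribute_type(d) for d in attribute_types]
    wanted = attr_name.lower()
    match = [a for a in parsed if wanted in (n.lower() for n in a["names"])]
    if not match:
        return [f"attribute '{attr_name}' is not defined in the subschema"]
    attr = match[0]
    problems = []
    if attr["syntax"] not in USABLE_SYNTAXES:
        problems.append(f"syntax {attr['syntax']} is not Binary or Octet String")
    if not attr["single_value"]:
        problems.append("attribute is multi-valued; Access Manager expects SINGLE-VALUE")
    return problems


# Constructed sample subschema: a stock multi-valued string attribute that a
# tempted admin might reuse, and one attribute defined as the resolution describes.
SAMPLE_SUBSCHEMA = [
    "( 2.5.4.13 NAME 'description' EQUALITY caseIgnoreMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )",
    grant_attribute_description("oauthAuthorizationGrant"),
]

if __name__ == "__main__":
    print("schema definition to load:")
    print("  " + grant_attribute_description("oauthAuthorizationGrant"))
    for name in ("description", "oauthAuthorizationGrant", "missingAttr"):
        print(name, "->", check_grant_attribute(SAMPLE_SUBSCHEMA, name) or "OK")
```

The emitted description is the value that goes into the server's own schema mechanism (for example an olcAttributeTypes value under cn=config on OpenLDAP, or the equivalent schema object on other directories); read the resulting attributeTypes values back from the subschema entry and run the checker on them before setting the attribute name in the Access Manager Global Settings.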
Cause
Instead of NetIQ eDirectory, a third-party LDAP server is used as the User Store. Such a server has no attribute syntax called 'Stream', so the attribute cannot be created by that name; it has to be defined through the equivalent LDAP syntax OID.