In the documentation 7.2.2 there is this:

For Auth Matching Rules, add the same attribute from Active Directory
that you specified for Login Attribute in Step 3.c.

Do not delete dn. For example, the setting should now list dn and

OK, if I add sAMAccountName *below* dn in the Auth Matching Rules
column, what should I add to the Auth Attribute Map column?
I have no idea where for example the dn:name mapping comes from?

If I don't add anything to the Auth Attribute Map I get this in the log:

[WARNING] 2018-02-23 15:56:24 com.netiq.iac.server.j2ee.AuthFilter init
- [IG-SERVER] Will not use invalid matching rule
iac.auth.matching.rule.2.attrs=sAMAccountName. Contains unmapped
attributes: sAMAccountName. Provide a map for the attributes using the
iac.auth.attr.map property.


The login with AD credentials works with and without sAMAccountName in
the Auth Matching Rules column for me.


I'm also getting random authentication failures while working in the
application and clicking on different links which manifest themselves by
a big red banner.
For example I did a test collection from eDirectory and wanted to look
at the results:

[INFO] 2018-02-23 15:42:42
startDataCollectionExecution - [IG-SERVER] Successfully invoked data
test collection execution service for test collection id = 32, collector
id = 8
[INFO] 2018-02-23 15:42:44
com.netiq.daas.nativeldapservice.PagedLDAPCollector setRequestControls -
[DAAS] Using Paged collection controls
[INFO] 2018-02-23 15:42:45
com.netiq.daas.nativeldapservice.NativeLDAPService shutdown - [DAAS]
Received service shutdown from DaaS
[WARNING] 2018-02-23 15:44:01 com.netiq.iac.server.j2ee.AuthFilter
doFilter - [IG-SERVER] User Service: null (null) is authenticated and
logged in, but does not have access to the Identity Governance application.


This is IG 3.0, OSP 6.2.0 on Windows 2012 R2.