In using Dynamic Group, there is difference LDAP search logic between 12.51 and 12.7 Policy Server

book

Article ID: 104908

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

There is difference LDAP search logic between 12.51 and 12.7 Policy Server.
In 12.7,  Login user stored in Dynamic Group is AuthAccept and AzReject, while 12.51 is NOT AzReject, this mean Authenticate/Authorization are succesfully.

Each configuration of CA SSO and LDAP User Store is as following:

Dynamic Group Configuration:
dn: cn=testGroup,ou=groups,o=cajapan,dc=example,dc=com
cn: testGroup
memberURL: ldap:///dc=example,dc=com??sub?(&(employeenumber=dynamic))
objectClass: groupOfUniqueNames
objectClass: groupOfUrls
objectClass: top

Login User Configuration:
login user configuration:
dn: uid=user01,ou=people,o=cajapan,dc=example,dc=com
objectClass: inetOrgPerson
userPassword: passwordsn: testuser
cn: 10330740
givenName: 10330740
employeenumber: dynamic
uid: user01

User Directory Configuration in AdminUI:

<Please see attached file for image>


Domain Policy Configuration in AdminUI:

<Please see attached file for image>

User-added image

smaccess.log:
AuthAccept XXXX-XXXX [27/Jun/2018:16:11:29 +0900] "::1 uid=user01,ou=people,o=cajapan,dc=example,dc=com" "XXXX-XXXX-spsagent GET /basic/_dumpvars.asp" [idletime=3600;maxtime=7200;authlevel=5;] [0]  [] []
AzReject XXXX-XXXX [27/Jun/2018:16:11:30 +0900] "::1 uid=user01,ou=people,o=cajapan,dc=example,dc=com" "XXXX-XXXX-spsagent GET /basic/_dumpvars.asp" [18763142-f738d707-1043b0dd-a6b138d8-d001a3ee-ab] [0]  [] []

Environment

ProductName=CA Single Sign-On Policy Server
FullVersion=12.70.0.1194

Resolution

This is product bug in 12.51 Policy Server, It was a product bug and fixed in 12.52 sp1 CR01 and applicable for current version 12.7 as well.
As product design, Policy Server should search users info under "LDAP Search" Root DN, so "memberURL" should exist under this Root DN.

Attachments

1559330725692000104908_rtaImage.png get_app
1558696094107000104908_sktwi1f5rjvs16iee.png get_app