
Dynamic Group LDAP search logic differs between the 12.51 and 12.7 Policy Server


Article ID: 104908




CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On


The LDAP search logic used for Dynamic Groups differs between the 12.51 and 12.7 Policy Server.
On 12.7, a login user whose policy membership comes from a Dynamic Group gets AuthAccept followed by AzReject. On 12.51 the same user is not rejected at authorization: both authentication and authorization succeed.

The CA SSO and LDAP User Store configuration used to reproduce this is as follows:

Dynamic Group Configuration:
dn: cn=testGroup,ou=groups,o=cajapan,dc=example,dc=com
cn: testGroup
memberURL: ldap:///dc=example,dc=com??sub?(&(employeenumber=dynamic))
objectClass: groupOfUniqueNames
objectClass: groupOfUrls
objectClass: top

Login User Configuration:
dn: uid=user01,ou=people,o=cajapan,dc=example,dc=com
objectClass: inetOrgPerson
userPassword: password
sn: testuser
cn: 10330740
givenName: 10330740
employeenumber: dynamic
uid: user01

User Directory Configuration in AdminUI:

<Please see attached file for image>

Domain Policy Configuration in AdminUI:

<Please see attached file for image>

Policy Server audit log on 12.7 (the same request is authenticated, then rejected at authorization):

AuthAccept XXXX-XXXX [27/Jun/2018:16:11:29 +0900] "::1 uid=user01,ou=people,o=cajapan,dc=example,dc=com" "XXXX-XXXX-spsagent GET /basic/_dumpvars.asp" [idletime=3600;maxtime=7200;authlevel=5;] [0]  [] []
AzReject XXXX-XXXX [27/Jun/2018:16:11:30 +0900] "::1 uid=user01,ou=people,o=cajapan,dc=example,dc=com" "XXXX-XXXX-spsagent GET /basic/_dumpvars.asp" [18763142-f738d707-1043b0dd-a6b138d8-d001a3ee-ab] [0]  [] []


ProductName=CA Single Sign-On Policy Server


This is a product bug in the 12.51 Policy Server. It was fixed in 12.52 SP1 CR01, and the corrected behaviour is what the current 12.7 release shows.
By design, the Policy Server searches for user information under the "LDAP Search" Root DN configured for the User Directory, so the search base in a Dynamic Group's memberURL must lie under that Root DN. In the configuration above the memberURL searches from dc=example,dc=com; if the User Directory Root DN is, for example, o=cajapan,dc=example,dc=com, that base is above the Root DN, the Policy Server does not treat user01 as a member of cn=testGroup, and the request is rejected at authorization. The fix is to point the memberURL at a base under the Root DN (for example ldap:///o=cajapan,dc=example,dc=com??sub?(employeenumber=dynamic)) rather than to rely on the 12.51 behaviour, which was the bug.
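To make the two behaviours concrete, the following Python script is an added example written for this article; it is not Policy Server code and does not reproduce its internals. It parses the memberURL as an RFC 4516 LDAP URL, evaluates the filter against the user01 entry shown above, and optionally confines the membership search to the User Directory Root DN, which is assumed here to be o=cajapan,dc=example,dc=com because the AdminUI screenshot is not reproduced. Calling it without a Root DN models the 12.51 result, calling it with the Root DN models the 12.7 result, and a memberURL whose base lies under the Root DN is accepted in both cases.

```python
from urllib.parse import unquote

# Constructed sample data copied from the article's LDAP entries. The Root DN
# is an assumption: the article's AdminUI screenshot is not reproduced here.
GROUP_MEMBER_URL = "ldap:///dc=example,dc=com??sub?(&(employeenumber=dynamic))"
FIXED_MEMBER_URL = "ldap:///o=cajapan,dc=example,dc=com??sub?(employeenumber=dynamic)"
ROOT_DN = "o=cajapan,dc=example,dc=com"  # assumed "LDAP Search" Root DN of the User Directory
USER_DN = "uid=user01,ou=people,o=cajapan,dc=example,dc=com"
USER_ENTRY = {  # attribute names lower-cased, values as lists, as an LDAP client returns them
    "objectclass": ["inetOrgPerson"],
    "uid": ["user01"],
    "cn": ["10330740"],
    "employeenumber": ["dynamic"],
}


def parse_member_url(url):
    """Split an RFC 4516 LDAP URL (ldap://host/base?attrs?scope?filter) into its parts."""
    _scheme, rest = url.split("://", 1)
    _host, _, path = rest.partition("/")
    parts = path.split("?")
    parts += [""] * (4 - len(parts))          # missing trailing fields default to empty
    base, attrs, scope, filt = parts[:4]
    return {
        "base": unquote(base),
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope.lower() or "base",      # RFC 4516 default scope is "base"
        "filter": unquote(filt) or "(objectClass=*)",
    }


def dn_components(dn):
    """Normalise a DN for comparison (simplification: no escaped commas, plain lower-casing)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_in_scope(dn, base, scope="sub"):
    """True if `dn` lies within the search `base` at the given scope (base/one/sub)."""
    d, b = dn_components(dn), dn_components(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def parse_filter(text):
    """Parse a small RFC 4515 filter subset: (attr=value), (&...), (|...), (!...)."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at %d" % i)
        i += 1
        if text[i] in "&|!":
            op, i, subs = text[i], i + 1, []
            while text[i] == "(":
                node, i = parse(i)
                subs.append(node)
            if text[i] != ")":
                raise ValueError("expected ')' at %d" % i)
            return (op, subs), i + 1
        j = text.index(")", i)
        attr, _, value = text[i:j].partition("=")
        return ("=", attr.strip().lower(), value), j + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data in filter")
    return node


def match_filter(node, entry):
    """Evaluate a parsed filter against an entry ({attr: [values]})."""
    op = node[0]
    if op == "=":
        values = [v.lower() for v in entry.get(node[1], [])]
        return bool(values) if node[2] == "*" else node[2].lower() in values
    if op == "&":
        return all(match_filter(n, entry) for n in node[1])
    if op == "|":
        return any(match_filter(n, entry) for n in node[1])
    return not match_filter(node[1][0], entry)  # "!"


def is_dynamic_member(user_dn, entry, member_url, root_dn=None):
    """Model of dynamic-group membership evaluation (example model, not Policy Server code).

    With root_dn given, the memberURL search is confined to the User Directory
    Root DN, as the article says the Policy Server is designed to do (12.52 SP1
    CR01 and 12.7): a memberURL base outside that subtree can match nobody.
    With root_dn=None the base is not checked, which reproduces the 12.51
    behaviour the article describes as the bug.
    """
    url = parse_member_url(member_url)
    if root_dn is not None and not dn_in_scope(url["base"], root_dn, "sub"):
        return False
    if not dn_in_scope(user_dn, url["base"], url["scope"]):
        return False
    return match_filter(parse_filter(url["filter"]), entry)


if __name__ == "__main__":
    print("12.51 (no Root DN check):", is_dynamic_member(USER_DN, USER_ENTRY, GROUP_MEMBER_URL))
    print("12.7 (Root DN enforced):", is_dynamic_member(USER_DN, USER_ENTRY, GROUP_MEMBER_URL, ROOT_DN))
    print("12.7, memberURL under Root DN:", is_dynamic_member(USER_DN, USER_ENTRY, FIXED_MEMBER_URL, ROOT_DN))
```

The equivalent check against a real directory is to run the memberURL's own search (its base, scope and filter) with ldapsearch and confirm that the base sits under the Root DN shown in the User Directory's "LDAP Search" settings. The script's DN handling deliberately ignores escaped commas and attribute-name case folding beyond simple lower-casing; a real directory server handles both.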

