
User Class / LDAP Settings in User Directory not functional in AdminUI


Article ID: 190186


Products

  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  SITEMINDER

Issue/Introduction

 

Per the official User Directory Dialog documentation (1), the User Class field should behave as follows:

  User Class

    Specifies a string that is a directory-specific class filter. This value is optional and overrides the global setting in the UserClassFilters registry.

  Default: NULL  

Based on that description, the directory-specific object class (in this case "TestUserClass") was entered in the "User Class" field, the change was applied, and "View Contents" was used to search for cn=user1, an entry that belongs to "TestUserClass".

The expectation is that the custom user class would be included in the LDAP search filter. Instead, the Policy Server log shows:

  • [SmDsLdapProvider.cpp:2361][CSmDsLdapProvider::Search][(Search) Base: 'dc=joeuserstore,dc=com', Filter: '(&(|(objectclass=organizationalPerson)(objectclass=inetOrgPerson)(objectclass=organization)(objectclass=organizationalUnit)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))(cn=user1))'. Status: 1 entries.][][][][][Ldap Search callout succeeds.][][][][][][][][][]

The custom "TestUserClass" object class does not appear in the filter above: the search is built from the default object classes only, and the value entered in "User Class" is ignored.

The same happens in the authentication and authorization flows; the class entered in "User Class" is not added to their search filters either.

When the UserClassFilters registry setting is updated instead, as described in (2), the "View Contents" search does include the custom object class in its filter.
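The quickest way to confirm whether a directory-specific class is actually being applied, whether after the registry change or after the upgrade, is to read the Filter string out of the CSmDsLdapProvider::Search trace lines and check the objectclass terms it contains. The script below does that. It is an added example, not code from the article or from the SiteMinder product: the first sample line reuses the filter quoted above, the second is a constructed line whose filter shape (the custom class added to the objectclass alternation) is an assumption about what a corrected search looks like, not a log captured from a fixed system. The regular expressions assume the trace format shown on this page.

```python
import re

# Sample 1: a trace line shaped like the one quoted in this article (filter text
# taken from the article, embedded here so the check runs offline).
SAMPLE_LOG_BEFORE_FIX = (
    "[SmDsLdapProvider.cpp:2361][CSmDsLdapProvider::Search][(Search) Base: "
    "'dc=joeuserstore,dc=com', Filter: '(&(|(objectclass=organizationalPerson)"
    "(objectclass=inetOrgPerson)(objectclass=organization)"
    "(objectclass=organizationalUnit)(objectclass=groupOfNames)"
    "(objectclass=groupOfUniqueNames)(objectclass=group))(cn=user1))'. "
    "Status: 1 entries.]"
)

# Sample 2: CONSTRUCTED line. The exact filter a fixed Policy Server emits is an
# assumption; this only models "the custom class appears in the objectclass list".
SAMPLE_LOG_AFTER_FIX = (
    "[SmDsLdapProvider.cpp:2361][CSmDsLdapProvider::Search][(Search) Base: "
    "'dc=joeuserstore,dc=com', Filter: '(&(|(objectclass=TestUserClass)"
    "(objectclass=organizationalPerson)(objectclass=inetOrgPerson))(cn=user1))'. "
    "Status: 1 entries.]"
)

# The filter is quoted with single quotes in the trace format shown above.
FILTER_RE = re.compile(r"Filter: '([^']*)'")
# objectclass values in these traces are plain names; a value containing ')'
# would need a real RFC 4515 parser rather than this regex.
OBJECTCLASS_RE = re.compile(r"\(objectclass=([^)]+)\)", re.IGNORECASE)


def extract_filter(line):
    """Return the LDAP filter string from a Search trace line, or None."""
    m = FILTER_RE.search(line)
    return m.group(1) if m else None


def object_classes(ldap_filter):
    """List the objectclass values referenced by the filter, in order."""
    return [v.strip() for v in OBJECTCLASS_RE.findall(ldap_filter)]


def check_user_class(log_lines, expected_class):
    """For every CSmDsLdapProvider::Search line, report whether expected_class
    is one of the objectclass terms in the emitted filter (case-insensitive,
    as LDAP attribute values usually are)."""
    results = []
    for line in log_lines:
        if "CSmDsLdapProvider::Search" not in line:
            continue
        ldap_filter = extract_filter(line)
        if ldap_filter is None:
            continue
        classes = object_classes(ldap_filter)
        present = expected_class.lower() in (c.lower() for c in classes)
        results.append({"filter": ldap_filter,
                        "object_classes": classes,
                        "present": present})
    return results


if __name__ == "__main__":
    for r in check_user_class([SAMPLE_LOG_BEFORE_FIX, SAMPLE_LOG_AFTER_FIX],
                              "TestUserClass"):
        status = "OK " if r["present"] else "MISSING"
        print(status, r["object_classes"])
```

Run it against a real smtracedefault.log (or whatever trace file the Policy Server is configured to write) by reading the file into a list and passing it to check_user_class with the class configured in the User Directory; every Search line that reports MISSING is a search, View Contents, authentication or authorization alike, that is still using the default object classes.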

 

Environment

 

AdminUI 12.8SP03
Policy Server 12.8SP03

 

Resolution

 

Upgrade the Policy Server and AdminUI to 12.8 SP5, which includes fix DE437901 (3).

 

Additional Information

 

(1)

    User Directory Dialog
    

(2)

    How to utilize an LDAP User Directory with a custom ObjectClass in a Single Sign On (fka SiteMinder) environment.

    
(3)

    Defects Fixed in 12.8.05

       20093300 DE437901 Administrative UI fails to display users in the User Directory dialog when User Class is defined in the LDAP search criteria.