Siteminder password policies not working

Article ID: 201771

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

 

We're running a Policy Server, and when a user logs in, the Policy
Server doesn't seem to apply the Password Policy. As a result, we
don't see the account being locked, and the user can still browse the
Web Site.

How can we fix that?

 

Cause

 

The Password Policy is configured as follows:

  Directory : myCorporateUserStore

  Password Policy applies to part of the Directory

  | Field | Value        |
  |-------+--------------|
  | Path  | c=mycountry  |
  | Class | Search Users |

When the Policy Server searches for the user using the filter
c=mycountry, the LDAP server returns no entry. The Policy Server
therefore cannot apply the Password Policy, and it does not update the
Disabled Flag:

  [10/14/2020][12:59:29.429][12:59:29][34916][139798886967040][SmDsUser.cpp:95]
  [CSmDsUser::CSmDsUser][][][][][][][][][][][][][][][][][][]
  [About to initialize User 'cn=myuser,o=myteam,c=mycountry' 
  in dir 'myCorporateUserStore'][][Start of call InitUser.][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [10/14/2020][12:59:29.429][12:59:29][34916][139798886967040][SmDsUser.cpp:903]
  [CSmDsUser::ResolvePolicyObject][][][][][][][][][][][][][][][][][][]
  [Policy resolution for user: 'cn=myuser,o=myteam,c=mycountry', 
  filter: 'c=mycountry', type: 3, recursive: No][][Start of call HasRelationship.][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [10/14/2020][12:59:29.431][12:59:29][34916][139798886967040][SmDsLdapConnMgr.cpp:1218]
  [CSmDsLdapConn::SearchExts][][][][][][][][][][][][][][][][][][][][]
  [LDAP search of c=mycountry took 0 seconds and 1684 microseconds][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [10/14/2020][12:59:29.431][12:59:29][34916][139798886967040][SmDsLdapProvider.cpp:2641]
  [CSmDsLdapProvider::SearchCount][][][][][][][][][][][][][][][][][][]
  [(SearchCount) Base: 'cn=myuser,o=myteam,c=mycountry', 
  Filter: 'c=mycountry'. Status: 0 entries][][Ldap SearchCount callout succeeds.][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

Environment

 

Policy Server 12.8SP2 build 1992 on Linux;
LDAP User Store on ODSEE;

 

Resolution

 

Work with the LDAP Administrator to determine why the LDAP request
returns 0 entries:

  'cn=myuser,o=myteam,c=mycountry', Filter: 'c=mycountry'. Status: 0 entries
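
To see which logins are affected before talking to the LDAP Administrator, the Policy Server trace can be scanned for policy resolutions whose SearchCount came back with 0 entries. The Python below is an added example, not Broadcom's code or part of the original article; `unresolved_policies` is a hypothetical name, and the sample trace is constructed from the records quoted above (empty-field padding shortened, the `otheruser` records invented for contrast).

```python
import re

# Constructed sample modelled on the trace records quoted in this article.
# The second user (otheruser, 1 entry) is invented to show a matching search.
SAMPLE_TRACE = """\
[10/14/2020][12:59:29.429][12:59:29][34916][139798886967040][SmDsUser.cpp:903]
[CSmDsUser::ResolvePolicyObject][][][Policy resolution for user: 'cn=myuser,o=myteam,c=mycountry',
filter: 'c=mycountry', type: 3, recursive: No][][Start of call HasRelationship.][]
[10/14/2020][12:59:29.431][12:59:29][34916][139798886967040][SmDsLdapProvider.cpp:2641]
[CSmDsLdapProvider::SearchCount][][][(SearchCount) Base: 'cn=myuser,o=myteam,c=mycountry',
Filter: 'c=mycountry'. Status: 0 entries][][Ldap SearchCount callout succeeds.][]
[10/14/2020][13:02:10.101][13:02:10][34916][139798886967041][SmDsUser.cpp:903]
[CSmDsUser::ResolvePolicyObject][][][Policy resolution for user: 'cn=otheruser,o=myteam,c=mycountry',
filter: 'objectclass=person', type: 3, recursive: No][][Start of call HasRelationship.][]
[10/14/2020][13:02:10.103][13:02:10][34916][139798886967041][SmDsLdapProvider.cpp:2641]
[CSmDsLdapProvider::SearchCount][][][(SearchCount) Base: 'cn=otheruser,o=myteam,c=mycountry',
Filter: 'objectclass=person'. Status: 1 entries][][Ldap SearchCount callout succeeds.][]
"""

RECORD_START = re.compile(r"(?=\[\d{2}/\d{2}/\d{4}\]\[)")
RESOLVE = re.compile(r"Policy resolution for user: '([^']*)', filter: '([^']*)'")
COUNT = re.compile(r"\(SearchCount\) Base: '([^']*)', Filter: '([^']*)'\. Status: (\d+) entr")

def unresolved_policies(trace_text):
    """Return (timestamp, user DN, filter) for policy lookups that matched 0 entries."""
    pending = {}   # (pid, thread id) -> (user DN, filter) awaiting its SearchCount
    findings = []
    for raw in RECORD_START.split(trace_text):
        record = " ".join(raw.split())          # undo line wrapping inside a record
        fields = re.findall(r"\[([^\]]*)\]", record)
        if len(fields) < 7:
            continue
        thread = (fields[3], fields[4])
        if (m := RESOLVE.search(record)):
            pending[thread] = (m.group(1), m.group(2))
        elif (m := COUNT.search(record)) and thread in pending:
            base, ldap_filter, count = m.group(1), m.group(2), int(m.group(3))
            # Same thread, same DN and filter, nothing matched: policy was not applied
            if pending.pop(thread) == (base, ldap_filter) and count == 0:
                findings.append((f"{fields[0]} {fields[1]}", base, ldap_filter))
    return findings

if __name__ == "__main__":
    for when, user, ldap_filter in unresolved_policies(SAMPLE_TRACE):
        print(f"{when}: filter '{ldap_filter}' matched 0 entries for {user}")
```

Each reported DN is a login for which the password policy, and therefore the lockout it enforces, was skipped.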