We're running a Policy Server and we get the error:
[10840/55][Thu Jan 28 2021 10:53:12][SmDsLdapFunctionImpl.cpp:1367][ERROR][sm-Ldap-00880] (SetUserProp) DN: 'cn=jsmith,dc=training,dc=com', PropName: 'myProp', PropValue: '202101010101:mydomain\myuser:[NDSEnc-J]fasdfsdfFSDfsdfsfsd44fsd1fsd' . Status: Error 50 . Insufficient access
which shows that the Policy Server still searches for an attribute
named myProp. You have removed the UCG library from our Authscheme and
Response.
Moreover, the other Authentication Scheme has this URL configured:
URL=https://myhost.mydomain.com/siteminderagent/login.fcc;ATTR=myProp;DOMAIN=mydomain;USERNAMEATTR=cn;ENCKEY=[NDSEnc-B]sfdfFSdFSDFFSDFRETGergbDFgDf121dszd45as4d;UPDATEWINDOW=-1
How can we fix this?
At first glance, if you remove the libraries for UCG, this means you
won't use UCG anymore, and as such you should remove the configuration
for UCG. Looking at the files you provided, it seems that you have
installed that component on the Web Server too. We see "ucgupdate" in
the URL, which is the default URI when installing that module on the
Web Server.
Reading the documentation, when you install and configure UCG, you
need to create a Custom Authentication Scheme:
eTrust SiteMinder User Context Gateway Installation and Configuration
Guide Version 1.4
1. Custom Authentication Scheme
- The Custom Authentication Scheme takes the SiteMinder
user password and checks it against the User Directory.
If it is correct, it adds the password to the user attribute
designated for the user's NT credentials and stores it in
the required format.
If the User Directory credentials are not the same as of NT
domain used by the Web Server, this component should not
be used.
2. Active Response
- The Active Response provides the configuration
information to the ISAPI filter. This component is
always used.
p.6
When running the installer on Windows 2000 or 2003 the
installer offers to automatically configure IIS to use the UCG
ISAPI filter and/or Wildcard Extension Map. The same dialog
offers to create a virtual directory (named /ucgupdate/) to host
the "update credentials" ASP file. Generally there is no reason
to disable either of these options.
p.14
When a user logs into a realm protected with the UCG Authentication
Scheme the scheme will automatically capture the user's credentials
and store them, in an encrypted form, in a user attribute. The
setting ATTR is used to specify the attribute that the UCG should
use for this purpose.
p.17
https://ftpdocs.broadcom.com/phpdocs/7/5262/User_Context_Gateway_14.pdf
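To confirm which remaining scheme is still driving the failed attribute write, the check below matches the PropName of each failed SetUserProp record against the ATTR setting of every configured scheme parameter string. It is an added example, not code from the product or its documentation; the scheme name "UCG-Scheme-B", the function names and the sample records are constructed for illustration.

```python
import re

# Failed attribute write, in the format of the log excerpt on this page.
SETPROP_RE = re.compile(
    r"\[(?P<code>sm-Ldap-\d+)\]\s*\(SetUserProp\)\s*DN:\s*'(?P<dn>[^']*)'\s*,?\s*"
    r"PropName:\s*'(?P<prop>[^']*)'\s*,?\s*PropValue:\s*'[^']*'\s*"
    r"\.\s*Status:\s*Error\s*(?P<status>\d+)")

def parse_scheme_params(param):
    """Split a 'KEY=value;KEY=value' scheme parameter string into a dict."""
    out = {}
    for field in param.split(";"):
        key, sep, value = field.partition("=")  # first '=' only; values may contain '='
        if sep:
            out[key.strip().upper()] = value.strip()
    return out

def find_ucg_writes(log_text, schemes):
    """Return failed SetUserProp writes whose PropName is some scheme's ATTR."""
    owners = {}
    for name, param in schemes.items():
        attr = parse_scheme_params(param).get("ATTR")
        if attr:  # LDAP attribute names are case-insensitive
            owners.setdefault(attr.lower(), []).append(name)
    # A record may be wrapped over several lines in a pasted excerpt; rejoin first.
    flat = " ".join(line.strip() for line in log_text.splitlines())
    hits = []
    for m in SETPROP_RE.finditer(flat):
        if m["prop"].lower() in owners:
            # PropValue holds the stored credential blob, so it is never copied out.
            hits.append({"dn": m["dn"], "prop": m["prop"], "code": m["code"],
                         "status": int(m["status"]),
                         "schemes": owners[m["prop"].lower()]})
    return hits

# Constructed sample data; the scheme name and ENCKEY value are placeholders.
SAMPLE_SCHEMES = {"UCG-Scheme-B": "URL=https://myhost.mydomain.com/siteminderagent/"
                  "login.fcc;ATTR=myProp;DOMAIN=mydomain;USERNAMEATTR=cn;"
                  "ENCKEY=[NDSEnc-B]PLACEHOLDER;UPDATEWINDOW=-1"}
SAMPLE_LOG = """\
[10840/55][Thu Jan 28 2021 10:53:12][SmDsLdapFunctionImpl.cpp:1367][ERROR][sm-Ldap-00880]
(SetUserProp) DN: 'cn=jsmith,dc=training,dc=com',
PropName: 'myProp', PropValue: 'CONSTRUCTED-VALUE'
. Status: Error 50 . Insufficient access
[10840/56][Thu Jan 28 2021 10:54:02][SmDsLdapFunctionImpl.cpp:1367][ERROR][sm-Ldap-00880] (SetUserProp) DN: 'cn=adoe,dc=training,dc=com', PropName: 'otherProp', PropValue: 'CONSTRUCTED-VALUE' . Status: Error 50 . Insufficient access
"""

if __name__ == "__main__":
    for hit in find_ucg_writes(SAMPLE_LOG, SAMPLE_SCHEMES):
        print(hit)
```

A hit means a scheme that still names that attribute in ATTR is in use, so its configuration has to be removed or changed along with the libraries.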