Policy Server connects CA Directory without password


Article ID: 209557




SITEMINDER CA Single Sign On Federation (SiteMinder) CA Directory



After changing the "AdminDN" value used to connect to the Policy Store to
an arbitrary, non-existent name in the sm.registry file, the Policy Server
still connects to the LDAP Policy Store at start time, and no error is
logged in smps.log.




The logs show that the CA Directory Policy Store falls back to anonymous
access for the Policy Server when the bind with the configured credentials
fails.

The Policy Server is configured to connect to the CA Directory Policy Store
as the test_dummy user:

sm.registry:

  AdminDN=               cn=test_dummy,dc=training,dc=com; REG_SZ
  AdminPW=               {RC2}7yM7VHdasdWSdasaWEtcnW/3hVWo; REG_SZ
  AppSdk=                                  0x0; REG_DWORD
  CertDbPath=            /opt/CA/siteminder/cert8.db; REG_SZ
  Enabled=                                 0x1; REG_DWORD
  PSRootDN=              dc=training,dc=com; REG_SZ
  Server=      ; REG_SZ

The Policy Server still obtains a connection to the CA Directory Policy
Store:

smps.log:

  [25895/140133872510752][Fri Jan 29 2021
  12:49:40][smldaputils.cpp:525][INFO][sm-Ldap-00540] Opening policy
  store connection to LDAP server: ' '

  [25895/140133872510752][Fri Jan 29 2021
  LDAP Provider Info String = CA Directory

  [25895/140133872510752][Fri Jan 29 2021
  LDAP Provider Version: supportedLdapVersion = 3

  [25895/140133872510752][Fri Jan 29 2021
  LDAP Provider Version: dxServerVersion = dxserver 14.0.00 

At the same time, the CA Directory Policy Store records the bind as
anonymous:

mydxc_summary.log:

  [4] 20210129.124940.272 #013.000 BIND : (anonymous) 
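As an added example (not part of the article), a small Python check that scans CA Directory summary-log lines in the format quoted above and reports BIND entries that are anonymous, or that come from any identity other than the Policy Store's configured AdminDN. The sample lines are constructed: only the "(anonymous)" line mirrors the article, and the format assumed for a named BIND entry is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in the style of the CA Directory summary log
# (mydxc_summary.log) quoted in the article. The "(anonymous)" line is
# the one the article shows; the named BIND and SEARCH lines are invented
# and their exact format is an assumption.
SAMPLE_SUMMARY_LOG = """\
[4] 20210129.124940.272 #013.000 BIND : (anonymous)
[5] 20210129.125001.104 #014.000 BIND : cn=siteminder,dc=training,dc=com
[4] 20210129.125130.512 #015.000 BIND : (anonymous)
[6] 20210129.125200.001 #016.000 SEARCH : dc=training,dc=com
"""

BIND_RE = re.compile(
    r"^\[(?P<conn>\d+)\]\s+(?P<ts>\d{8}\.\d{6}\.\d{3})\s+#(?P<op>[\d.]+)"
    r"\s+BIND\s*:\s*(?P<who>.+?)\s*$"
)


def parse_binds(log_text):
    """Return (connection, timestamp, identity) for every BIND line."""
    binds = []
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            binds.append((int(m["conn"]), m["ts"], m["who"]))
    return binds


def anonymous_binds(log_text):
    """BIND entries the DSA accepted without any credentials."""
    return [b for b in parse_binds(log_text) if b[2] == "(anonymous)"]


def unexpected_binds(log_text, expected_dn):
    """BIND entries from anything other than the configured AdminDN.

    A Policy Store DSA dedicated to the Policy Server should only ever see
    binds as AdminDN; an anonymous or unknown identity here means either a
    failed bind was downgraded (the article's case) or another client is
    using the store.
    """
    want = expected_dn.replace(" ", "").lower()
    return [b for b in parse_binds(log_text)
            if b[2].replace(" ", "").lower() != want]


def bind_summary(log_text):
    """Counts of anonymous versus named binds, for a quick health check."""
    kinds = ("anonymous" if who == "(anonymous)" else "named"
             for _, _, who in parse_binds(log_text))
    return dict(Counter(kinds))
```

Run it against the live summary log right after a Policy Server restart: any entry returned by anonymous_binds during startup is the symptom the article describes, even though smps.log reports a successful connection.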

CA Directory 14.0 is in use:

mydxc_dxinfo.log:

  **** DXinfo Version ****
  dxinfo 14.0.00 (build 14803) Linux 64-Bit

  **** DXserver Version ****
  DXserver Version=dxserver 14.0.00 (build 14803) Linux 64-Bit

The instance is configured to allow anonymous access, where mydxc is the
CA Directory instance name:


  set dsa "mydxc" =
  {
     prefix              = <dc training><dc com>
     dsa-name            = <dc training><dc com><cn mydxc>
     address             = tcp "mydxc" port 10000
     auth-levels         = anonymous, clear-password
  };

  # operational settings
  set min-auth = none;




  Policy Server 12.8SP3 on RedHat 7;
  Policy Store on CA Directory 14.0;




To solve this issue, remove anonymous access from the Policy Store DSA
definition, changing:

       auth-levels         = anonymous, clear-password

to:

       auth-levels         = clear-password

With anonymous binds disabled, a failed bind with the configured AdminDN is
refused instead of being downgraded to an anonymous session.
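As an added example (not from the article or from CA), a Python audit of a DXserver knowledge file in the `set dsa "..." = { ... };` syntax shown above: it lists the DSAs whose auth-levels still include anonymous, reads the min-auth operational setting, and rewrites the auth-levels lines the way the resolution describes. The sample configuration is constructed; "otherdxc" and its port are invented for contrast, and substituting clear-password when anonymous was the only level is an assumption that mirrors the resolution.

```python
import re

# Constructed sample DXserver knowledge file in the syntax quoted in the
# article. "mydxc", its prefix and port 10000 come from the article;
# "otherdxc" is invented for contrast.
SAMPLE_KNOWLEDGE = """\
set dsa "mydxc" =
{
    prefix      = <dc training><dc com>
    dsa-name    = <dc training><dc com><cn mydxc>
    address     = tcp "mydxc" port 10000
    auth-levels = anonymous, clear-password
};

set dsa "otherdxc" =
{
    prefix      = <dc example><dc com>
    dsa-name    = <dc example><dc com><cn otherdxc>
    address     = tcp "otherdxc" port 10001
    auth-levels = clear-password
};
"""

# Constructed sample of the operational settings the article quotes.
SAMPLE_SETTINGS = """\
# operational settings
set min-auth = none;
"""

DSA_BLOCK_RE = re.compile(
    r'set\s+dsa\s+"(?P<name>[^"]+)"\s*=\s*\{(?P<body>.*?)\}\s*;', re.S)
AUTH_RE = re.compile(
    r'^(?P<lhs>[ \t]*auth-levels[ \t]*=[ \t]*)(?P<levels>[^;\n]+)', re.M)
MIN_AUTH_RE = re.compile(r'^\s*set\s+min-auth\s*=\s*(?P<value>[^;\s]+)\s*;', re.M)


def parse_dsas(text):
    """Map each DSA name to its auth-levels (lower-case, whitespace stripped)."""
    dsas = {}
    for block in DSA_BLOCK_RE.finditer(text):
        auth = AUTH_RE.search(block["body"])
        levels = ([l.strip().lower() for l in auth["levels"].split(",")]
                  if auth else [])
        dsas[block["name"]] = levels
    return dsas


def dsas_allowing_anonymous(text):
    """Names of DSAs whose auth-levels include anonymous."""
    return sorted(name for name, levels in parse_dsas(text).items()
                  if "anonymous" in levels)


def min_auth(text):
    """Value of 'set min-auth' in the settings file, or None if absent."""
    m = MIN_AUTH_RE.search(text)
    return m["value"].lower() if m else None


def harden(text):
    """Return the knowledge file with anonymous removed from every auth-levels line.

    If anonymous was the only level listed, clear-password is substituted so
    the line stays valid (assumption: this mirrors the article's resolution).
    """
    def fix(m):
        kept = [l.strip() for l in m["levels"].split(",")
                if l.strip().lower() != "anonymous"]
        return m["lhs"] + ", ".join(kept or ["clear-password"])
    return AUTH_RE.sub(fix, text)
```

The audit is a file-level check only: after editing the knowledge file, verify the running DSA with the summary log as well, since the configuration change is what stops a failed Policy Server bind from being accepted anonymously.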