Policy Server connects CA Directory without password

Article ID: 209557

Products

SITEMINDER CA Single Sign On Federation (SiteMinder) CA Directory

Issue/Introduction

When the "AdminDN" value in the sm.registry file is replaced with an
arbitrary name, the Policy Server still connects to the LDAP Policy
Store at start time, and no error is logged in smps.log.

Environment

  Policy Server 12.8SP3 on RedHat 7;
  Policy Store on CA Directory 14.0;

Cause

The logs show that the CA Directory Policy Store grants the Policy
Server anonymous access when the first (credentialed) login fails.

The Policy Server is configured to connect to the CA Directory Policy
Store as the test_dummy user:

sm.registry:

  HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore=553041693
  AdminDN=               cn=test_dummy,dc=training,dc=com; REG_SZ
  AdminPW=               <EncryptedPassword>; REG_SZ
  AppSdk=                                  0x0; REG_DWORD
  CertDbPath=            /opt/CA/siteminder/cert8.db; REG_SZ
  Enabled=                                 0x1; REG_DWORD
  PSRootDN=              dc=training,dc=com; REG_SZ
  Server=                10.0.0.1:10000; REG_SZ

The Policy Server still obtains a connection to the CA Directory
Policy Store:

smps.log:

  [25895/140133872510752][Fri Jan 29 2021 12:49:40][smldaputils.cpp:525][INFO][sm-Ldap-00540] Opening policy store connection to LDAP server: ' 10.0.0.1:10000 '

  [25895/140133872510752][Fri Jan 29 2021 12:49:40][SmLdapBulkSearch.cpp:174][CreateRoot][INFO][sm-xpsxps-01160] LDAP Provider Info String = CA Directory

  [25895/140133872510752][Fri Jan 29 2021 12:49:40][SmLdapBulkSearch.cpp:228][CreateRoot][INFO][sm-xpsxps-01120] LDAP Provider Version: supportedLdapVersion = 3

  [25895/140133872510752][Fri Jan 29 2021 12:49:40][SmLdapBulkSearch.cpp:228][CreateRoot][INFO][sm-xpsxps-01120] LDAP Provider Version: dxServerVersion = dxserver 14.0.00

At the same time, the CA Directory Policy Store records the bind from
the Policy Server host as anonymous:

mydxc_summary.log:

  [4] 20210129.124940.272 #013.000 BIND : 10.0.0.2 (anonymous)

CA Directory 14.0 is in use:

mydxc_dxinfo.log:

  **** DXinfo Version ****
  dxinfo 14.0.00 (build 14803) Linux 64-Bit

  **** DXserver Version ****
  DXserver Version=dxserver 14.0.00 (build 14803) Linux 64-Bit

The DSA instance is configured to allow anonymous access (mydxc being
the CA Directory instance name):

/path_to_dxserver/dxserver/config/knowledge/mydxc.dxi

  set dsa "mydxc" = 
  {
     prefix              = <dc training><dc com>
     dsa-name            = <dc training><dc com><cn mydxc>
     address             = tcp "mydxc" port 10000
     auth-levels         = anonymous, clear-password

  # operational settings
  set min-auth = none;

 

Resolution

To resolve this issue, remove the anonymous option from the auth-levels
of the Policy Store DSA instance in mydxc.dxi:

  from
       auth-levels         = anonymous, clear-password
  to
       auth-levels         = clear-password
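The two checks a defender would want from this article are (1) spotting "(anonymous)" BIND records from the Policy Server host in the CA Directory summary log, which is how the Cause section proves the Policy Server never authenticated, and (2) auditing the DSA's .dxi file for the auth-levels setting the Resolution changes. The following script is an added example, not code from the article or from Broadcom; it works on inline sample data constructed in the same formats the article shows (summary-log BIND lines and a mydxc.dxi fragment), and the cn=siteminder bind line, the 10.0.0.9 client and the dictionary field names are assumptions made for illustration.

```python
import re

# Constructed sample lines in the CA Directory summary-log format shown in the
# article (mydxc_summary.log). The second line is a made-up password bind from
# the same Policy Server host for contrast; none of this is real data.
SAMPLE_SUMMARY_LOG = """\
[4] 20210129.124940.272 #013.000 BIND : 10.0.0.2 (anonymous)
[4] 20210129.125001.118 #014.000 BIND : 10.0.0.2 cn=siteminder,dc=training,dc=com
[4] 20210129.125130.540 #015.000 BIND : 10.0.0.9 (anonymous)
"""

# Constructed DXI fragment mirroring the article's mydxc.dxi (weak setting).
SAMPLE_DXI_WEAK = """\
set dsa "mydxc" =
{
   prefix              = <dc training><dc com>
   dsa-name            = <dc training><dc com><cn mydxc>
   address             = tcp "mydxc" port 10000
   auth-levels         = anonymous, clear-password
};

# operational settings
set min-auth = none;
"""

# The same fragment after the article's fix (anonymous removed from auth-levels).
SAMPLE_DXI_FIXED = SAMPLE_DXI_WEAK.replace("anonymous, clear-password", "clear-password")

# "[4] <yyyymmdd.hhmmss.mmm> #<seq> BIND : <client-ip> <identity>"
BIND_RE = re.compile(r"^\[\d+\]\s+(\S+)\s+#\S+\s+BIND\s*:\s*(\S+)\s+(.+)$")


def anonymous_binds(log_text, policy_server_hosts=None):
    """Return (timestamp, client_ip) for every BIND line whose identity is
    (anonymous). If policy_server_hosts is given, only those client IPs are
    reported, so binds that should have carried the AdminDN stand out."""
    hits = []
    for line in log_text.splitlines():
        m = BIND_RE.match(line.strip())
        if not m:
            continue  # not a BIND record (other summary-log entries)
        ts, client, identity = m.groups()
        if identity.strip() != "(anonymous)":
            continue
        if policy_server_hosts and client not in policy_server_hosts:
            continue
        hits.append((ts, client))
    return hits


AUTH_LEVELS_RE = re.compile(r"^\s*auth-levels\s*=\s*(.+?)\s*;?\s*$", re.M)
MIN_AUTH_RE = re.compile(r"^\s*set\s+min-auth\s*=\s*(\S+?)\s*;", re.M)


def audit_dxi(dxi_text):
    """Flag the two settings the article shows on the anonymous-access path.
    anonymous_auth_level is what the article's resolution changes; min_auth_none
    is reported for review because the article lists it alongside it."""
    anonymous_level = False
    for m in AUTH_LEVELS_RE.finditer(dxi_text):
        levels = [lvl.strip().lower() for lvl in m.group(1).split(",")]
        if "anonymous" in levels:
            anonymous_level = True
    m = MIN_AUTH_RE.search(dxi_text)
    min_auth_none = bool(m and m.group(1).lower() == "none")
    return {"anonymous_auth_level": anonymous_level, "min_auth_none": min_auth_none}


if __name__ == "__main__":
    for ts, client in anonymous_binds(SAMPLE_SUMMARY_LOG, {"10.0.0.2"}):
        print(f"anonymous BIND from Policy Server host {client} at {ts}")
    print("before fix:", audit_dxi(SAMPLE_DXI_WEAK))
    print("after fix: ", audit_dxi(SAMPLE_DXI_FIXED))
```

Run it against a real mydxc_summary.log and mydxc.dxi by reading the files into the two functions instead of the constructed strings. After applying the Resolution, the useful confirmation is that the Policy Server's start-up bind in the summary log shows its AdminDN rather than (anonymous), and that a wrong AdminDN now produces a failure in smps.log instead of a silent connection.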