Policy Server XPSCounter and Users count from User Store

Article ID: 227097

Updated On:

Products

SITEMINDER

Issue/Introduction

 

When running Policy Server with an LDAP search filter such as

  '(&(uid= user_name ) ( !( regStatus=DEREGISTERED*)))'

XPSCounter still counts users that have regStatus set to
DEREGISTERED*.

According to the documentation, shouldn't XPSCounter skip users in the
LDAP (CA Directory) store that do not meet this filter?

 

Resolution

 

At first glance, XPSCounter isn't based on successful logins, but
rather on the number of users in the User Store, as per the
documentation (1).

So the search isn't about the LDAP filter and attributes defined in
the User Directory's LDAP User DN Lookup, but rather about the
objectclasses of the users in the User Directory. As per the same
page, it counts the objects that have the objectclass inetOrgPerson.
Active Directory doesn't have that class, which is why you need to
map the objectclass in order to count users from Active Directory (2).

The LDAP Search box has a Root parameter that should be used. It
delimits the boundary of the User Store. Users that are within that
Root will be counted and the ones that are not won't be counted.

In short, the count does not depend on the LDAP filter and attributes
you defined in the DN lookup of the User Directory, but on the
objectclasses of the users in the User Directory, within the boundary
set by the Root parameter from the LDAP Search box.

To illustrate, with the following LDAP User Directory configuration:

  | LDAP Search |                    |
  |-------------+--------------------|
  | Root        | dc=training,dc=com |

  | LDAP User DN Lookup |                    |
  |---------------------+--------------------|
  | Start               | (cn=               |
  | End                 | )                  |
  | Effective Lookup    | (cn=ID-From-Login) |

XPSCounter will count all the users that are within
"dc=training,dc=com", even if some have no "cn" attribute defined.
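
To reconcile an XPSCounter figure with what the login filter would accept, the rule above can be replayed over an LDIF export of the user store. The Python below is an added example, not Broadcom code or XPSCounter's own implementation: it assumes the counting rule exactly as this article states it (inetOrgPerson entries under Root), and the LDIF data, the function names and the DEREGISTERED-2023 value are constructed.

```python
# Constructed LDIF export, trimmed to the attributes used here.
# carol has no cn; dave sits outside the Root; the ou entry is not a user.
SAMPLE_LDIF = """\
dn: cn=alice,ou=people,dc=training,dc=com
objectClass: inetOrgPerson
uid: alice
regStatus: ACTIVE

dn: cn=bob,ou=people,dc=training,dc=com
objectClass: inetOrgPerson
uid: bob
regStatus: DEREGISTERED-2023

dn: uid=carol,ou=people,dc=training,dc=com
objectClass: inetOrgPerson
uid: carol

dn: cn=dave,ou=people,dc=other,dc=com
objectClass: inetOrgPerson
uid: dave

dn: ou=people,dc=training,dc=com
objectClass: organizationalUnit
"""

def parse_ldif(text):
    """Parse simple LDIF (no folded or base64 lines) into attribute dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key.lower(), []).append(value)
        entries.append(entry)
    return entries

def under_root(entry, root):
    """True when the entry's DN is the Root itself or ends with ',<Root>'."""
    dn = entry["dn"][0].lower()
    return dn == root.lower() or dn.endswith("," + root.lower())

def counted_users(entries, root, objectclass="inetorgperson"):
    """DNs counted under the article's rule: objectclass match inside Root."""
    return [e["dn"][0] for e in entries if under_root(e, root)
            and objectclass in (v.lower() for v in e.get("objectclass", []))]

def passes_login_filter(entry, user):
    """Evaluate (&(uid=user)(!(regStatus=DEREGISTERED*))) for one entry."""
    return user in entry.get("uid", []) and not any(
        v.upper().startswith("DEREGISTERED") for v in entry.get("regstatus", []))
```

On the constructed data, bob fails the login filter yet still appears in the count, carol is counted without a cn, and dave is excluded only because his DN is outside the Root.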

 

Additional Information

 

(1)

    XPSCounter

      To comply with the terms of your SiteMinder license, you can count
      the number of users in your SiteMinder environment.

      Determine the Number of Users Associated with SiteMinder Policies

      To comply with the SiteMinder licensing terms, you can determine how
      many users in your organization are associated with SiteMinder
      policies.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/administrating/policy-server-tools/xpscounter.html

(2)

    Map the Active Directory inetOrgPerson Object Class

      If your SiteMinder user stores are on Microsoft Active Directory
      servers, map the inetOrgPerson in each server before counting the
      SiteMinder users

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/administrating/policy-server-tools/xpscounter.html