Policy Server XPSCounter and Users count from User Store
Article ID: 227097
Updated On:
Products
Issue/Introduction
When running Policy Server, when enabling LDAP search filter as
'(&(uid= user_name ) ( !( regStatus=DEREGISTERED*)))'
XPSCounter will still count users which have regStatus set to DEREGISTERED*.
As per documentation, shouldn't XPSCounter count users from the LDAP (CA Directory) store who are not meeting these criteria?
Resolution
The XPSCounter isn't based on successful login, but rather on the amount of users in the User Store (1).
So the search isn't about the LDAP filter and attributes defined by in the User Directory LDAP User DN Lookup, but rather about the objectclasses of the users from the User Directory.
It counts the objects that have the objectclass inetOrgPerson (1).
As Active Directory doesn't have that class, that's the reason why you need to do a mapping of the objectclass to count users from Active Directory (1).
The LDAP Search box has a Root parameter that should used.
This one delimits the border of the User Store.
Users that are within that Root will be counted and the ones that are not, won't be counted.
So the search isn't about the LDAP filter and attributes defined in the lookup DN by in the User Directory, but rather about the objectclasses of the users from the User Directory, which is delimited by the Root parameter from the LDAP Search box.
To illustrate:
Having that LDAP User Directory configuration :
| LDAP Search | |
|-------------+--------------------|
| Root | dc=example,dc=com |
| LDAP User DN Lookup | |
|---------------------+--------------------|
| Start | (cn= |
| End | ) |
| Effective Lookup | (cn=ID-From-Login) |
XPSCount will count all the users who are within the "dc=example,dc=com", even if some have no "cn" attribute defined.
Additional Information
Feedback
