Siteminder Password Policy Is Not Firing

Article ID: 273279


Products

SITEMINDER

Issue/Introduction

A Siteminder Password Policy is in place and is tied to a user directory, but the policy does not appear to be firing. After 5 successive invalid logins the user should be prevented from further login attempts; instead, the user is repeatedly re-prompted to authenticate regardless of the number of successive invalid login attempts.

Environment

[SITEMINDER]

Policy Server: ANY

Policy Server OS: ANY

Policy Store: ANY

User Store: ANY

Cause

When the Siteminder Password Policy is configured with "Password Policy applies to part of the Directory", the value in the 'Class' field must be the object class of the directory entry whose DN is given in the 'Path' field.

-> Password Policy applies to part of the Directory

PATH: ou=Users,o=enterprise,dc=example.com
Class: OrganizationalResource

In the example above the Path is the DN of an OrganizationalUnit entry, but the Class is set to "OrganizationalResource". The Password Policy therefore fails to apply, because the OU entry does not carry the 'OrganizationalResource' object class. In the Policy Server trace this shows up as the policy-object search returning 0 entries, after which the resolution ends with 'No policy binding found' (the line marked with !!!!!!! below):

===============================
[11524][4616][SmPasswordCheck.cpp:2773][CSmPasswordCheck::PreProcessPassword][][][][][][][][][][][][][][][][][][][][][Enter function CSmPasswordCheck::PreProcessPassword]
[11524][4616][SmPasswordCheck.cpp:2780][CSmPasswordCheck::PreProcessPassword][][][][][][][][][][][][][][][][][][][][][Pre processing the new password...]
[4616][SmPasswordCheck.cpp:400][CSmPasswordCheck::FindApplicablePasswordPolicies][][][][][][][][][][][][][][][][][][][][][Enter function CSmPasswordCheck::FindApplicablePasswordPolicies]
[11524][4616][SmPasswordCheck.cpp:1925][CSmPasswordCheck::DoesPasswordPolicyApply][][][][][][][][][][][][][][][][][][][][][Enter function CSmPasswordCheck::DoesPasswordPolicyApply]
[11524][4616][SmDsUser.cpp:895][CSmDsUser::ResolvePolicyObject][][][][][][][][][][][][][][][][][][][][][Enter function CSmDsUser::ResolvePolicyObject]
[11524][4616][SmDsObj.cpp:94][CSmDsObj::IsValid][][][][][][][][][][][][][][][][][][][][][Start of call IsValid.]
[09/10/2023][10:40:10.605][10:40:10][11524][4616][SmDsObj.cpp:96][CSmDsObj::IsValid][][][][][][][][][][][][][1][][][][][][][][Return from call IsValid.]
[09/10/2023][10:40:10.605][10:40:10][11524][4616][SmDsUser.cpp:903][CSmDsUser::ResolvePolicyObject][][][][][][][][][][][][][][][][][][][Policy resolution for user: 'cn=<name>,ou=Users,o=enterprise,dc=example,dc=com', filter: 'ou=Users,o=enterprise,dc=example,dc=com', type: 9, recursive: No][][Start of call HasRelationship.]

[09/10/2023][10:40:10.605][10:40:10][11524][4616][SmDsLdapProvider.cpp:1930][CSmDsLdapProvider::SearchImpl][][][][][][][][][][][][][][][][][][][][][search filter is : (&(|(objectclass=organization)(objectclass=organizationalUnit))(ou=Users,o=enterprise,dc=example,dc=com))]

[09/10/2023][10:40:10.605][10:40:10][11524][4616][SmDsLdapConnMgr.cpp:1211][CSmDsLdapConn::SearchExts][][][][][][][][][][][][][][][][][][][][][LDAP search of (&(|(objectclass=organization)(objectclass=organizationalUnit))(ou=Users,o=enterprise,dc=example.com)) took 0 seconds and 0 microseconds]

[09/10/2023][10:40:10.605][10:40:10][11524][4616][SmDsLdapProvider.cpp:2389][CSmDsLdapProvider::Search][][][][][][][][][][][][][][][][][][][(Search) Base: 'o=enterprise,dc=smlab1.com', Filter: '(&(|(objectclass=organization)(objectclass=organizationalUnit))(ou=Users,o=enterprise,dc=example.com))'. Status: 0 entries.][][Ldap Search callout succeeds.]

[09/10/2023][10:40:10.605][10:40:10][11524][4616][SmDsUser.cpp:910][CSmDsUser::ResolvePolicyObject][][][][][][][][][][][][][0][][][][][][][][Return from call HasRelationship.]

!!!!!!! [09/10/2023][10:40:10.605][10:40:10][11524][4616][SmDsUser.cpp:919][CSmDsUser::ResolvePolicyObject][][][][][][][][][][][][][No policy binding found][][][][][][][][Leave function CSmDsUser::ResolvePolicyObject]

[09/10/2023][10:40:10.605][10:40:10][11524][4616][SmPasswordCheck.cpp:1949][CSmPasswordCheck::DoesPasswordPolicyApply][][][][][][][][][][][][][0][][][][][][][][Leave function CSmPasswordCheck::DoesPasswordPolicyApply]
[09/10/2023][10:40:10.605][10:40:10][11524][4616][SmPasswordCheck.cpp:569][CSmPasswordCheck::FindApplicablePasswordPolicies][][][][][][][][][][][][][1][][][][][][][][Leave function CSmPasswordCheck::FindApplicablePasswordPolicies]
===============================

Because the Class "OrganizationalResource" prevented the policy from binding to the user, the password policy never fired: the user's password blob (the 'PasswordData' attribute, which holds the failed-login count among other state) was neither updated after each bad attempt nor read, so the lockout threshold of 5 invalid logins was never reached.


Resolution

Change the Class to match the object class of the entry defined in the Path field. If the Path in the Password Policy defines a group, then Class needs to be configured as GROUP; if the Path is defined with an OU, then Class needs to be configured as OU (OrganizationalUnit), as in the example below. Before saving, confirm with a base-scope LDAP search of the Path DN that its objectClass attribute actually contains the value you put in Class. After the change, a failed login should produce a policy binding in the Policy Server trace instead of 'No policy binding found', and the user should be locked out after the 5th successive invalid attempt.

EXAMPLE:

-> Password Policy applies to part of the Directory

PATH: ou=Users,o=enterprise,dc=example.com
Class: OrganizationalUnit
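The following is an added triage helper, not part of this article or of the SiteMinder product: it scans Policy Server trace text of the kind quoted in the Cause section for a policy resolution that ends in 'No policy binding found' (reporting the Path the policy is scoped to, the LDAP filter the server issued and how many entries came back), and it checks the configured Class against the objectClass values of the entry at Path, as the Resolution asks you to do. The function names, the sample trace lines and the sample objectClass list are constructed here for illustration; the trace lines reuse the article's sanitized DNs with the user CN replaced by 'jdoe'.

```python
"""Triage helpers for a SiteMinder Password Policy that never binds.

  find_policy_resolution_failures()  - pairs each 'Policy resolution for user'
        trace line with the LDAP search it triggers and reports it if the
        resolution ends with 'No policy binding found'.
  scope_class_matches()              - compares the policy's configured Class
        with the objectClass values present on the entry at Path (LDAP
        objectClass values compare case-insensitively).
All names here are illustrative (constructed for this example), not SiteMinder APIs.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: the three decisive lines of a trace like the one in the
# Cause section (same sanitized DNs; the user CN is replaced with 'jdoe').
SAMPLE_TRACE = """\
[09/10/2023][10:40:10.605][10:40:10][11524][4616][SmDsUser.cpp:903][CSmDsUser::ResolvePolicyObject][][][][][][][][][][][][][][][][][][][Policy resolution for user: 'cn=jdoe,ou=Users,o=enterprise,dc=example,dc=com', filter: 'ou=Users,o=enterprise,dc=example,dc=com', type: 9, recursive: No][][Start of call HasRelationship.]
[09/10/2023][10:40:10.605][10:40:10][11524][4616][SmDsLdapProvider.cpp:2389][CSmDsLdapProvider::Search][][][][][][][][][][][][][][][][][][][(Search) Base: 'o=enterprise,dc=example,dc=com', Filter: '(&(|(objectclass=organization)(objectclass=organizationalUnit))(ou=Users,o=enterprise,dc=example,dc=com))'. Status: 0 entries.][][Ldap Search callout succeeds.]
[09/10/2023][10:40:10.605][10:40:10][11524][4616][SmDsUser.cpp:919][CSmDsUser::ResolvePolicyObject][][][][][][][][][][][][][No policy binding found][][][][][][][][Leave function CSmDsUser::ResolvePolicyObject]
"""

# Constructed sample: objectClass values of the OU entry at the policy Path,
# as a base-scope search of that DN would return them.
SAMPLE_OU_OBJECT_CLASSES = ["top", "organizationalUnit"]

RESOLUTION_RE = re.compile(
    r"Policy resolution for user: '(?P<user>[^']*)', filter: '(?P<path>[^']*)'")
SEARCH_RE = re.compile(
    r"\(Search\) Base: '(?P<base>[^']*)', Filter: '(?P<filter>.*)'\. Status: (?P<n>\d+) entries\.")
NO_BINDING = "No policy binding found"


@dataclass
class ResolutionFailure:
    user: str
    policy_path: str                      # the Path the policy is scoped to
    search_filter: Optional[str] = None   # filter the Policy Server issued
    entries: Optional[int] = None         # entries that search returned


def find_policy_resolution_failures(trace_text: str) -> List[ResolutionFailure]:
    """Return one record per policy resolution that ended with NO_BINDING."""
    failures: List[ResolutionFailure] = []
    current: Optional[ResolutionFailure] = None
    for line in trace_text.splitlines():
        m = RESOLUTION_RE.search(line)
        if m:                                   # start of a resolution
            current = ResolutionFailure(m["user"], m["path"])
            continue
        m = SEARCH_RE.search(line)
        if m and current is not None:           # the search it triggered
            current.search_filter = m["filter"]
            current.entries = int(m["n"])
            continue
        if NO_BINDING in line and current is not None:
            failures.append(current)            # resolution failed
            current = None
    return failures


def filter_object_classes(ldap_filter: str) -> List[str]:
    """objectClass values the Policy Server asked the directory for."""
    return re.findall(r"objectclass=([^)]+)", ldap_filter, flags=re.IGNORECASE)


def scope_class_matches(policy_class: str, object_classes: Iterable[str]) -> bool:
    """True if the configured Class is one of the Path entry's objectClass values."""
    wanted = policy_class.strip().lower()
    return any(oc.strip().lower() == wanted for oc in object_classes)


def diagnose(trace_text: str, policy_class: str,
             path_object_classes: Iterable[str]) -> List[str]:
    """One finding per failed resolution, plus one if Class does not match Path."""
    findings = []
    for f in find_policy_resolution_failures(trace_text):
        findings.append(
            f"user {f.user}: policy scoped to '{f.policy_path}' did not bind; "
            f"search for objectClass {filter_object_classes(f.search_filter or '')} "
            f"returned {f.entries} entries")
    classes = list(path_object_classes)
    if not scope_class_matches(policy_class, classes):
        findings.append(f"Class '{policy_class}' is not an objectClass of the Path "
                        f"entry {classes}; set Class to one of them")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_TRACE, "OrganizationalResource", SAMPLE_OU_OBJECT_CLASSES):
        print(finding)
```

Run it against a real smtracedefault.log slice and the objectClass values returned by a base-scope search of the Path DN; a resolution that returns 0 entries and ends in 'No policy binding found', together with a Class that is not among those values, is the misconfiguration this article describes.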