How to Configure Symantec Directory as a user directory for SiteMinder Advanced Password Services (APS)
Article ID: 35745

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

How to configure Symantec Directory as a user store for Advanced Password Services (APS)

Environment

Any supported SiteMinder release.

Resolution

 

  1. Extend the Symantec Directory schema for APS by copying the file CA_APS-eTrust80-user.dxc from the Policy Server home, <Siteminder_Home>/APS_Docs, to the directory server's schema location, /dxserver/config/schema.
  2. Navigate to /dxserver/config/schema.
  3. Source three files from the server-instance-name.dxg file in this directory by adding the following lines to that file:

source "nsroaming.dxc";
source "sunone.dxc";
source "CA_APS-eTrust80-user.dxc";

  4. Stop, then start the directory instance.
  5. Add the object class smapsInfo to each user in the directory. Consult your LDAP administrator or vendor for directions on how to do this in bulk.
  6. Run APSExpire from the Policy Server, as described in steps 7 to 10, to set the smapsNextAction and smapsBaseDate attributes for each user in the directory.
  7. Edit the APS.cfg file on the Policy Server at /<policy-server-location>/bin.
  8. Find the JOBONE parameter.
  9. Set JOBONE to the IP:port of the APS user directory. (Ex: JOBONE=10.xx.xx.xx:1489)
  10. Run APSExpire from the command line on the Policy Server:

$ APSExpire JOBONE -v -lapsexpire_log.txt -oapsexpire_out.txt -e apsexpire_errors.txt

  11. View the three logs created to confirm there are no errors.
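Step 5 leaves the bulk tagging of users to the LDAP administrator. The script below is an added example, not part of this article or of the SiteMinder or Symantec Directory products: it turns a list of user DNs, as ldapsearch prints them, into an LDIF change file that adds the smapsInfo auxiliary object class to each entry, so one ldapmodify run covers the whole store. It assumes OpenLDAP-style ldapsearch/ldapmodify clients (the -h/-p/-D options used on this page, plus -LLL, -W and -c), a placeholder DSA host named dsa-host on the page's example port 1489, and the base DN dc=example,dc=com from the example entry; the sample DNs and all function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the article or the vendor: build an LDIF change file
# that adds the smapsInfo auxiliary object class to every user DN on stdin.
# Function and variable names are my own; the DSA host name and bind DN in
# the comments at the bottom are placeholders.

# aps_smapsinfo_ldif: stdin = "dn:" lines as ldapsearch prints them (folded
# continuation lines start with one space, non-ASCII DNs come base64 as "dn::");
# stdout = one LDIF modify record per DN.
aps_smapsinfo_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }    # glue folded lines
        { flush(); buf = $0 }                     # process the previous line
        END { flush() }

        function flush() {
            if (buf ~ /^dn::? /) {
                print buf                          # "dn:" or base64 "dn::" as-is
                print "changetype: modify"
                print "add: objectClass"
                print "objectClass: smapsInfo"
                print "-"
                print ""
            }
            buf = ""
        }
    '
}

# Constructed sample: the DN of the entry shown later in this article, a DN
# folded across two lines the way ldapsearch wraps long values, and a
# base64-encoded DN (cn=Üser,dc=example,dc=com) as ldapsearch emits non-ASCII.
SAMPLE_DNS='dn: cn=VDAAAA,ou=OrgUnit0,dc=example,dc=com

dn: cn=Another User,ou=OrgUnit0,dc=example,
 dc=com

dn:: Y249w5xzZXIsZGM9ZXhhbXBsZSxkYz1jb20=
'

printf '%s' "$SAMPLE_DNS" | aps_smapsinfo_ldif

# Real run (not executed here): select only users that do not yet carry the
# class, then apply the change file. -W prompts for the bind password instead
# of putting it on the command line; -c makes ldapmodify continue past errors.
#   ldapsearch -h dsa-host -p 1489 -D "cn=Directory Manager" -W -LLL \
#       -b "dc=example,dc=com" \
#       "(&(objectClass=inetOrgPerson)(!(objectClass=smapsInfo)))" dn \
#     | aps_smapsinfo_ldif > add-smapsinfo.ldif
#   ldapmodify -h dsa-host -p 1489 -D "cn=Directory Manager" -W -c -f add-smapsinfo.ldif
```

The (!(objectClass=smapsInfo)) clause in the search filter is what makes the run repeatable: an LDAP modify that adds a value the entry already holds fails with "attribute or value exists", so re-running over already-tagged users would otherwise produce a wall of errors. Keep the generated LDIF: it is the record of which entries were changed, and reversing it is a matter of replacing "add: objectClass" with "delete: objectClass".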

 

Example of a user entry carrying the APS-specific (smaps*) attributes, as returned by ldapsearch after the steps above (host names, passwords and personal data are redacted with x). Note that passing the bind password with -w, as in this capture, leaves it in the shell history and visible in the process list; prefer a client option that prompts for it where one is available.

[root@xxxxxxxxxxxxxx ]# ldapsearch -h xxxxxxxxxxxxxx -p 7777  -D "cn=Directory Manager" -w xxxxxxx -b "dc=example,dc=com" "uid=VDAAAA"
ldap_simple_bind: Success
version: 1
dn: cn=VDAAAA,ou=OrgUnit0,dc=example,dc=com
carLicense: VDAAAA
carLicense: |HOW ARE YOU|FINE
carLicense: |HOW DO YOU DO|FINE
carLicense: |WHAT IS THE TIME|FINE
cn: VDAAAA
departmentNumber: 4067
description: This is VDAAAA's description
employeeType: Contract
facsimileTelephoneNumber: 1-330-xxxxx
givenName: VDAAAA
homePhone: 1-373-xxxxx
initials: D. A.
l: Natick
mail: VDAAAA@dc=example,dc=com
manager: cn=VDAAAA 
mobile: +1 213xxxxxx
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: smapsinfo
ou: OrgUnit0
pager: 1-xxxxxxx
postalAddress: cn=VDAAAA,ou=OrgUnit0,dc=example ,dc=com 100 nowhere Drive USA
roomNumber: 6xxx
secretary: cn=ABCDE
sn: VDAAAA
telephoneNumber: 1-xxxxx
title:: IE9yxxxxxx==
uid: VDAAAA
userPassword: {SSHA}puxxxxxxxxxxxxxxxxx
smapsFailuresSincePreviousLogin:
smapsGraceLoginsUsed: 2
smapsMaxFailures:
smapsBaseDate: 20240910135002Z
smapsFailureCount: 0 20240917140800Z
smapsNextAction: 99999999999999Z CYCLE COMPLETE
smapsLastLogin: 20240917140800Z 10.36.50.9
smapsPreviousLogin: 20240910134536Z 10.36.50.9
smapsTotalLogins: 451
smapsDisableUntil:
smapsFailuresSinceLastLogin:
smapsLoginHistory:
smapsTotalFailures:
[root@xxxxxxxxxxxxxx APS]#
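After APSExpire has run, every user should carry the smapsInfo class and populated smapsBaseDate and smapsNextAction values like the entry above. The check below is an added example, not from the article or the vendor tools: it reads ldapsearch LDIF output for many entries (a constructed sample modeled on the entry above, including the tool's "ldap_simple_bind"/"version" header lines) and reports each DN as OK, MISSING-OBJECTCLASS (step 5 was not applied to it) or NOT-INITIALIZED (the class is present but APSExpire has not populated the attributes), folding continuation lines and ignoring attribute-name and objectClass-value case. Function and label names are my own; the ldapsearch invocation in the comment assumes the same OpenLDAP-style client, placeholder host and base DN as elsewhere on this page.

```shell
#!/bin/sh
# Added example, not from the article: post-APSExpire check of the smaps*
# attributes over an ldapsearch LDIF dump. Function and label names are my own.

# aps_check_entries: stdin = LDIF entries (blank-line separated, continuation
# lines start with one space); stdout = one status line per entry.
aps_check_entries() {
    awk '
        /^ / { buf = buf substr($0, 2); next }    # glue folded lines
        { handle(buf); buf = $0 }                 # process the previous line
        END { handle(buf); emit() }

        function handle(l,    i, name, val) {
            if (l == "") { emit(); return }       # blank line ends an entry
            i = index(l, ":")
            if (i == 0) return                    # comment or junk line
            name = tolower(substr(l, 1, i - 1))
            val  = substr(l, i + 1)
            sub(/^:? */, "", val)                 # drop base64 marker and spaces
            if (name == "dn")                                              dn = val
            else if (name == "objectclass" && tolower(val) == "smapsinfo") has_oc = 1
            else if (name == "smapsbasedate"   && val != "")               has_base = 1
            else if (name == "smapsnextaction" && val != "")               has_next = 1
        }
        function emit() {
            if (dn == "") return
            if (!has_oc)                     print "MISSING-OBJECTCLASS " dn
            else if (!has_base || !has_next) print "NOT-INITIALIZED " dn
            else                             print "OK " dn
            dn = ""; has_oc = 0; has_base = 0; has_next = 0
        }
    '
}

# aps_check_problems: number of entries that are not OK (0 means all good).
aps_check_problems() {
    aps_check_entries | awk '!/^OK / { n++ } END { print n + 0 }'
}

# Constructed sample modeled on the article entry: one fully initialised user,
# one that never received the object class, and one (with a folded DN) that
# has the class but empty APS attributes.
SAMPLE_LDIF='ldap_simple_bind: Success
version: 1
dn: cn=VDAAAA,ou=OrgUnit0,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: smapsinfo
uid: VDAAAA
smapsGraceLoginsUsed: 2
smapsBaseDate: 20240910135002Z
smapsNextAction: 99999999999999Z CYCLE COMPLETE
smapsLastLogin: 20240917140800Z 10.36.50.9
smapsDisableUntil:

dn: cn=noaps,ou=OrgUnit0,dc=example,dc=com
objectClass: inetOrgPerson
uid: noaps

dn: cn=pending,ou=OrgUnit0,dc=example,
 dc=com
objectClass: inetOrgPerson
objectClass: smapsInfo
uid: pending
smapsBaseDate:
smapsNextAction:
'

printf '%s\n' "$SAMPLE_LDIF" | aps_check_entries

# Real run (not executed here): dump just the attributes the check needs and
# list the entries that still need attention.
#   ldapsearch -h dsa-host -p 1489 -D "cn=Directory Manager" -W -LLL \
#       -b "dc=example,dc=com" "(objectClass=inetOrgPerson)" \
#       objectClass smapsBaseDate smapsNextAction \
#     | aps_check_entries | grep -v '^OK '
```

A NOT-INITIALIZED result after APSExpire has completed usually means the entry was tagged after the run, or fell outside the JOBONE directory the job was pointed at; re-run step 10 and check the three log files before touching the entry by hand.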
 

Additional Information

If the DSA does not start after the changes above, apply the fix from the following known issue.

Unable to Start Symantec Directory Instance (166740)

Symptom:
Unable to start the DSA instance after sourcing the APS schema file CA_APS-eTrust80-user.dxc.
Solution:
To resolve the issue, follow these steps:
  1. Open the schema file CA_APS-eTrust80-user.dxc.
  2. Delete the line subclass-of-subschema under object-class (1.3.6.1.4.1.2552.1.1.9.1).
  3. Restart the instance.
Note: The solution is applicable to Symantec Directory version R12 SP14 and later.

Reference --> https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/release-notes/known-issues/known-issues-for-policy-server.html#concept.dita_c30a346faa0cc09c960740a3e1dc4b6289a43f27_UnabletostartSymantecDirectoryInstance

Attachments

1558722518199000035745_sktwi1f5rjvs16wgx.jpeg