Dynamic LDAP groups for user stores: Oracle iPlanet LDAP directories ONLY


Article ID: 36944


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Problem 

Does SiteMinder support dynamic groups? If so, how are they configured?

Resolution

Yes, for Oracle LDAP ONLY. See below.

Dynamic group support is neither documented nor tested. Single Sign-On (SiteMinder) uses the Mozilla LDAP SDK to access LDAP directories, and LDAP object class and attribute names are not standardized, so dynamic groups have to be added on a per-namespace basis. Because SiteMinder uses the Mozilla LDAP SDK, dynamic groups work with SiteMinder out of the box for Oracle LDAP user stores only. Changes to the SiteMinder registry branch are required; see below for details.


Example use case: for SiteMinder (Single Sign-On) to find a group in LDAP, the group must contain the objectClass "groupOfUniqueNames" (that is, be a static group). However, once SiteMinder discovers a group, it first determines whether the group matches a dynamic profile and only then whether it matches a static one. If a group contains only the "groupOfUrls" objectClass, SiteMinder is unable to find the group in LDAP.
Use case: user AUser50 accesses the resource /site2/test.html.


Support confirmed that dynamic LDAP groups work by following the steps below.

Steps to add a dynamic group

Modify sm.registry (or use regedit) to add groupofurls where indicated below.

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LdapMatchUserDN
group=                      member; REG_SZ
groupOfNames=               member; REG_SZ
groupofurls=                uniqueMember; REG_SZ
groupOfUniqueNames=         uniqueMember; REG_SZ
organizationalRole=         roleOccupant; REG_SZ


HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\GroupClassFilters
LDAP:=                      groupofurls,groupOfNames,groupOfUniqueNames,group; REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\ClassFilters
LDAP:=                      organization,organizationalUnit,groupofurls,groupOfNames,groupOfUniqueNames,group; REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\PolicyClassFilters=987838512
LDAP:=                      organizationalPerson,inetOrgPerson,organization,organizationalUnit,groupofurls,groupOfNames,groupOfUniqueNames,group; REG_SZ
ODBC:=                      Group, User; REG_SZ

In PolicyResolution, add a new entry for groupofurls of type REG_DWORD with a value of 2, exactly like the existing groupOfUniqueNames entry.

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\PolicyResolution=1035617422
container=                  0x5; REG_DWORD
DN Attribute=               0xa; REG_DWORD
Group=                      0x2; REG_DWORD
Group Attribute=            0x8; REG_DWORD
groupOfurls=                0x2; REG_DWORD
groupOfNames=               0x2; REG_DWORD
groupOfUniqueNames=         0x2; REG_DWORD
inetOrgPerson=              0x1; REG_DWORD

Restart the Policy Server and use View Contents on any user directory that points to this LDAP instance to make sure the dynamic group you created is visible.

LDAP side:
Created dynamic group: Test2
objectClass: groupofurls
memberURL:  ldap:///ou=APSUsers,dc=ca,dc=com??sub?(&(employeenumber=A))

LDAP access log for the authorization:
[11/Dec/2015:14:40:02 -0500] conn=2 op=6 msgId=7 - SRCH base="cn=test2,dc=ca,dc=com" scope=0 filter="(uniqueMember=cn=AUser50,ou=APSUsers,dc=ca,dc=com)" attrs="objectClass"
[11/Dec/2015:14:40:02 -0500] conn=2 op=6 msgId=7 - RESULT err=0 tag=101 nentries=0 etime=0
[11/Dec/2015:14:40:02 -0500] conn=2 op=7 msgId=8 - SRCH base="cn=test2,dc=ca,dc=com" scope=0 filter="(memberURL=*)" attrs="memberURL"
[11/Dec/2015:14:40:02 -0500] conn=2 op=7 msgId=8 - RESULT err=0 tag=101 nentries=1 etime=0
[11/Dec/2015:14:40:02 -0500] conn=2 op=8 msgId=9 - SRCH base="ou=apsusers,dc=ca,dc=com" scope=2 filter="(&(cn=AUser50)(&(employeeNumber=A)))" attrs="objectClass"
[11/Dec/2015:14:40:02 -0500] conn=2 op=8 msgId=9 - RESULT err=0 tag=101 nentries=1 etime=0 notes=U


SMTRACE: HasRelationship function

[12/11/2015][14:39:41.826][25346][2898586480][            Start of call HasRelationship.][14:39:41][SmDsUser.cpp:898][CSmDsUser::ResolvePolicyObject][Policy resolution for user: 'cn=AUser50,ou=APSUsers,dc=ca,dc=com', filter: 'cn=Test2,dc=ca,dc=com', type: 2, recursive: No]
[12/11/2015][14:39:41.826][25346][2898586480][              Enter ImproveLDAPConnection][14:39:41][SmDsLdapFunctionImpl.cpp:1949][ImproveLDAPConnection]
[12/11/2015][14:39:41.826][25346][2898586480][             Exit ImproveLDAPConnection][14:39:41][ImproveLDAPConnection]
[12/11/2015][14:39:41.826][25346][2898586480][              Enter SearchExts][14:39:41][SmDsLdapFunctionImpl.cpp:3124][SearchExts]
[12/11/2015][14:39:41.827][25346][2898586480][              LDAP search of uniqueMember=cn=AUser50,ou=APSUsers,dc=ca,dc=com took 0 seconds and 700 microseconds][14:39:41][SmDsLdapConnMgr.cpp:1201][CSmDsLdapConn::SearchExts]
[12/11/2015][14:39:41.827][25346][2898586480][              Exit SearchExts][14:39:41][SearchExts]
[12/11/2015][14:39:41.827][25346][2898586480][              Ldap SearchCount callout succeeds.][14:39:41][SmDsLdapProvider.cpp:2549][CSmDsLdapProvider::SearchCount][(SearchCount) Base: 'cn=Test2,dc=ca,dc=com', Filter: 'uniqueMember=cn=AUser50,ou=APSUsers,dc=ca,dc=com'. Status: 0 entries]
[12/11/2015][14:39:41.827][25346][2898586480][              Enter GetUserProp][14:39:41][SmDsLdapFunctionImpl.cpp:1097][GetUserProp]
[12/11/2015][14:39:41.827][25346][2898586480][              Enter ImproveLDAPConnection][14:39:41][SmDsLdapFunctionImpl.cpp:1949][ImproveLDAPConnection]
[12/11/2015][14:39:41.827][25346][2898586480][              Exit ImproveLDAPConnection][14:39:41][ImproveLDAPConnection]
[12/11/2015][14:39:41.827][25346][2898586480][              szUserPath << szPropName (cn=Test2,dc=ca,dc=com, memberURL)][14:39:41][SmDsLdapFunctionImpl.cpp:1105][GetUserProp]
[12/11/2015][14:39:41.827][25346][2898586480][              Enter SearchExts][14:39:41][SmDsLdapFunctionImpl.cpp:3124][SearchExts]
[12/11/2015][14:39:41.828][25346][2898586480][              LDAP search of memberURL=* took 0 seconds and 360 microseconds][14:39:41][SmDsLdapConnMgr.cpp:1201][CSmDsLdapConn::SearchExts]
[12/11/2015][14:39:41.828][25346][2898586480][              Exit SearchExts][14:39:41][SearchExts]
[12/11/2015][14:39:41.828][25346][2898586480][              Exit GetUserProp][14:39:41][GetUserProp]
[12/11/2015][14:39:41.828][25346][2898586480][              Enter ImproveLDAPConnection][14:39:41][SmDsLdapFunctionImpl.cpp:1949][ImproveLDAPConnection]
[12/11/2015][14:39:41.828][25346][2898586480][              Exit ImproveLDAPConnection][14:39:41][ImproveLDAPConnection]
[12/11/2015][14:39:41.828][25346][2898586480][              search filter is : (&(cn=AUser50)(&(employeenumber=A)))][14:39:41][SmDsLdapProvider.cpp:1729][CSmDsLdapProvider::SearchImpl]
[12/11/2015][14:39:41.828][25346][2898586480][              Enter SearchExts][14:39:41][SmDsLdapFunctionImpl.cpp:3124][SearchExts]
[12/11/2015][14:39:41.829][25346][2898586480][              LDAP search of (&(cn=AUser50)(&(employeenumber=A))) took 0 seconds and 716 microseconds][14:39:41][SmDsLdapConnMgr.cpp:1201][CSmDsLdapConn::SearchExts]
[12/11/2015][14:39:41.829][25346][2898586480][Exit SearchExts][14:39:41][SearchExts]
[12/11/2015][14:39:41.829][25346][2898586480][Ldap Search callout succeeds.][14:39:41][SmDsLdapProvider.cpp:2244][CSmDsLdapProvider::Search][(Search) Base: 'ou=APSUsers,dc=ca,dc=com', Filter: '(&(cn=AUser50)(&(employeenumber=A)))'. Status: 1 entries]
[12/11/2015][14:39:41.829][25346][2898586480][Return from call HasRelationship.][14:39:41][SmDsUser.cpp:905][CSmDsUser::ResolvePolicyObject][1]


Environment

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus
Component: