Limitation of "smapsLoginHistory" for "LDAP" repository which is available in ODBC type as indicated in our documentation.

Article ID: 380999

Products

- SITEMINDER
- CA Single Sign On Secure Proxy Server (SiteMinder)
- CA Single Sign On Agents (SiteMinder)
- CA Single Sign On Federation (SiteMinder)

Issue/Introduction

The customer is using "Advanced Password Services (APS)" connected to an LDAP-based backend user store (Active Directory).

According to the customer, "smapsLoginHistory" grows when end users enter invalid credentials while logging in, so the customer would like to clear out this login history.

By contrast, when they use a "Database" (ODBC) as their backend user store, there is an option to clear out this login history.

The "APS.cfg" file, which controls all of the behavior of APS, contains the following.

- Snippets from APS.cfg file:




- The customer would like to understand how to clear out this data using SiteMinder when they use an LDAP-based backend user store (Active Directory).

Environment

Component: SMPLC (Advanced Password Services (APS))
Release: 12.8 SP08 CR01 (Applicable to all the supported releases)

Resolution

"smapsLoginHistory" is a multi-valued attribute to which a new entry is added for every login success or failure. APS does not control multi-valued attributes.

By contrast, "smapsHistory" is a single-valued attribute, so APS stores and updates it up to a maximum length.

The "smapsLoginHistory" field can be cleared from the "APSAdmin UI" using "Clear" under login history.

APS does not use this field ("smapsLoginHistory") for any reason; it only adds a login entry when the login history option is enabled.

As per the product design, there is no OOTB solution to clear out this login history or limit its size, as there is in the case of ODBC.

The recommendation is to use the LDAP delete command to clear the data, unless you have a reason to keep it. Again, APS does not use "smapsLoginHistory" for any reason.
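One way to script the LDAP delete recommended above, as an added example that is not Broadcom code: it turns `ldapsearch` output into an LDIF file that removes every `smapsLoginHistory` value from each matching user. It assumes the OpenLDAP client tools and that the directory attribute carries the name used in this article; the host, bind DN and base DN in the comments are placeholders, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example (not Broadcom code): build the LDIF that clears login history.
ATTR="smapsLoginHistory"   # assumption: directory attribute is named as in this article

# Reads ldapsearch LDIF on stdin, writes one "modify" record per entry that
# deletes every value of $ATTR. "delete:" with no values removes the attribute.
build_clear_ldif() {
  awk -v attr="$ATTR" '
    function flush() {
      if (have) printf "%s\nchangetype: modify\ndelete: %s\n-\n\n", dn, attr
      have = 0
    }
    # LDIF folds long lines: a leading space continues the previous line.
    /^ / { if (have) dn = dn substr($0, 2); next }
    { flush() }                       # any other line ends a pending DN
    /^dn::? / { dn = $0; have = 1 }   # "dn::" (base64 DN) is passed through as is
    END { flush() }
  '
}

# Constructed sample of ldapsearch output: plain DN, folded DN, base64 DN.
sample_ldif() {
  cat <<'EOF'
dn: CN=Alice Example,OU=Staff,DC=example,DC=com

dn: CN=Bob Example With A Very Long Common Name,OU=Contractors,OU=External,DC=
 example,DC=com
smapsLoginHistory: constructed-value

dn:: Q049SsO8cmdlbixPVT1TdGFmZixEQz1leGFtcGxlLERDPWNvbQ==
EOF
}

# Intended use (host, bind DN and base DN are placeholders):
#   ldapsearch -LLL -H ldaps://dc.example.com -D "$BIND_DN" -W -b "$BASE_DN" \
#     -E pr=500/noprompt "(smapsLoginHistory=*)" 1.1 | build_clear_ldif > clear.ldif
#   ldapmodify -c -H ldaps://dc.example.com -D "$BIND_DN" -W -f clear.ldif
# The filter returns only entries that hold the attribute, so no delete fails
# with noSuchAttribute; review clear.ldif before applying it.

sample_ldif | build_clear_ldif
```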

Additional Information

- Help Desk Interface (APSAdmin) - 12.8.xx.xx release documentation:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/advanced-password-services-configuration/help-desk-interface-apsadmin.html

- Help Desk Interface (APSAdmin) - 12.52.xx.xx release documentation

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-52-01/configuring/advanced-password-services-configuration/help-desk-interface-apsadmin.html

- KB Document for reference:

https://knowledge.broadcom.com/external/article?articleNumber=36068