Disable LDAP Referrals in Policy Server registry settings
Article ID: 48683


Products

CA Single Sign-On SITEMINDER

Issue/Introduction

How can LDAP referrals be fully disabled on the Policy Server using the EnableEnhancedReferrals and EnableReferrals registry settings?

 

Environment

Policy Server, all versions

Cause

LDAP referrals provide a reference to an alternate location where an LDAP request may be processed. The referral can point to another partition or to a different LDAP server altogether, so that the request can still be fulfilled.

There are situations where this causes problems. For example, a referral that sends the request to a distant server introduces latency. It can also make troubleshooting harder, because the logs may not show that a referral occurred. For LDAP connection performance, the Policy Server maintains a persistent connection to the configured User Directory, but no such persistent connection may exist to a directory that is reached only through a referral.

Resolution

To disable referrals on the Policy Server, set two values under the following registry key:

     HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider

     EnableEnhancedReferrals = 1; REG_DWORD
     EnableReferrals = 0; REG_DWORD

How they work:

EnableEnhancedReferrals controls which component handles referral processing.

  If it is disabled (0): all referral processing is handled by the LDAP SDK.
  If it is enabled (1): the Policy Server handles referral processing, not the LDAP SDK.

EnableReferrals controls whether the Policy Server processes referrals at all.

  If it is disabled (0): the Policy Server does not process referrals; however, see Note 1.
  If it is enabled (1): the Policy Server processes and follows referrals according to the EnableEnhancedReferrals setting.

Note 1:

If EnableEnhancedReferrals is disabled (0), then even with EnableReferrals also disabled (0), the LDAP SDK still processes the LDAP referrals, although it does not follow them.

This means the SDK still performs host resolution on the referral target. That can cause processing delays if DNS resolution is slow or fails, and there may be additional processing depending on the exact referral.

Setting EnableEnhancedReferrals to 1 prevents the LDAP SDK from performing any referral-related operations, leaving only the Policy Server to handle referrals. Combined with EnableReferrals set to 0, neither the Policy Server nor the LDAP SDK handles the referrals.
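As an added example (not from this article or from the Policy Server product itself), the PowerShell below audits the two values against the logic above and applies the recommended combination with a read-back check. The function names are my own; the key path and value names are the ones given in this article, and the script assumes a Windows Policy Server host and an elevated session.

```powershell
# Added example: audit and set the LDAPProvider registry values that control
# referral handling. Key path and value names are from the article; the
# function names are hypothetical.

$LdapProviderKey = 'HKLM:\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider'

function Get-ReferralSettings {
    param([string]$Key = $LdapProviderKey)
    $props = Get-ItemProperty -Path $Key -ErrorAction Stop
    # A value that does not exist comes back as $null, not as 0 or 1.
    [pscustomobject]@{
        EnableEnhancedReferrals = $props.EnableEnhancedReferrals
        EnableReferrals         = $props.EnableReferrals
    }
}

# Decision table from the article: referrals are fully off only when the
# Policy Server owns referral handling (Enhanced = 1) AND is told not to
# process them (Referrals = 0). Enhanced = 0 with Referrals = 0 still lets
# the LDAP SDK resolve referral hosts (Note 1), so that is reported as partial.
function Test-ReferralsDisabled {
    param($Settings)
    $enhanced  = $Settings.EnableEnhancedReferrals
    $referrals = $Settings.EnableReferrals
    if ($enhanced -eq 1 -and $referrals -eq 0) { return 'Fully disabled' }
    if ($enhanced -eq 0 -and $referrals -eq 0) { return 'Partial: LDAP SDK still resolves referral hosts' }
    if ($referrals -eq 1) { return 'Enabled: referrals are followed' }
    return 'Unset or unexpected values'
}

function Set-ReferralsDisabled {
    param([string]$Key = $LdapProviderKey)
    if (-not (Test-Path $Key)) { throw "Key not found: $Key (is the Policy Server installed?)" }
    # -Force overwrites an existing value; REG_DWORD as the article requires.
    New-ItemProperty -Path $Key -Name 'EnableEnhancedReferrals' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $Key -Name 'EnableReferrals'         -Value 0 -PropertyType DWord -Force | Out-Null
    # Re-read rather than trusting the write, so a wrong type or a typo in a
    # value name is caught now instead of at the next LDAP referral.
    $after = Get-ReferralSettings -Key $Key
    $state = Test-ReferralsDisabled $after
    if ($state -ne 'Fully disabled') { throw "Verification failed: $state" }
    $after
}

# Usage (elevated session on the Policy Server host):
#   Test-ReferralsDisabled (Get-ReferralSettings)   # audit only
#   Set-ReferralsDisabled                           # apply and verify
```

The script assumes the Policy Server reads these values at startup, so restart the service after applying the change.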

Note 2:

If the Policy Server has to contact Active Directory (1), point the Policy Server at the Global Catalog, which listens on port 3268, so that Active Directory does not return referrals for the Policy Server to follow.


Additional Information

(1) Global Catalog and LDAP Searches