I am running Policy Server with Active Directory as the User Store and
using Password Services. When a user sets a new password through
SiteMinder, the native Active Directory password policy for re-using
an old password is not applied, so the user can set an old password on
the SiteMinder side, but not when setting it through Active Directory.
How can I fix this?
SiteMinder all versions
The problem comes from the fact that you are using two password
policies at the same time, i.e. SiteMinder's and Active Directory's.
First, you need to understand the following (from the knowledge base article):
User Store :: Disable Flag : Behavior among AD and LDAP
"The directory server's own account status takes precedence over
anything SiteMinder might configure. Therefore, if the user is
disabled in Active Directory, no amount of SiteMinder configuration can
Further, the documentation states that you need to disable the
directory's native password policy if you want SiteMinder to manage passwords:
Password Policy Considerations
If you plan to implement password policies in your enterprise,
consider the following items:
- CA Single Sign-on requires read/write access to the user directory,
including exclusive use of several attributes within that directory
to store passwords and password–related information.
- If your user directory has a native password policy, this policy
must be less restrictive than the CA Single Sign-on password policy, or
it must be disabled. Otherwise the native password policy accepts or
rejects passwords without notifying CA Single Sign-on, so CA Single
Sign-on cannot manage those passwords.
Because SiteMinder depends on the behavior of the User Store, the
following article lists the AD attributes managed by the Policy Server
in non-enhanced and AD enhanced mode; these determine how SiteMinder
Password Services interact with Active Directory:
What are the AD native attributes managed by the SiteMinder policy server?
So to handle the expired-password, locked, and disabled states, you
have to match the AD attributes with the SiteMinder ones.
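The two checks a practitioner needs before deciding which side enforces the policy are (a) what the AD password policy that actually applies to the user looks like (in particular its password history count, which is the setting behind the question above), and (b) what the AD attributes carrying the expired, locked and disabled states currently hold for that user. The script below is an added example, not code from the CA/Broadcom article or product; it uses the Microsoft ActiveDirectory PowerShell module (RSAT) and assumes the account running it can read the domain policy objects and the user's pwdLastSet, lockoutTime and userAccountControl attributes. The sAMAccountName is a hypothetical parameter.

```powershell
# Added example (not part of the CA/Broadcom article): report the effective AD
# password policy for one user and the AD attributes behind the expired/locked/
# disabled states, so they can be compared with the SiteMinder password policy.
# Assumption: RSAT ActiveDirectory module installed; caller can read the objects.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName   # hypothetical input, e.g. 'jdoe'
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Domain-wide default (Default Domain Policy GPO values).
$domainPolicy = Get-ADDefaultDomainPasswordPolicy

# 2. Resultant policy: a fine-grained password policy (PSO) applied to the user
#    or one of their groups overrides the domain default.
$user = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, lockoutTime,
    userAccountControl, PasswordExpired, LockedOut, Enabled
$resultant = Get-ADUserResultantPasswordPolicy -Identity $user
if ($null -eq $resultant) {
    $resultant = $domainPolicy
    $source = 'Default Domain Policy'
} else {
    $source = "Fine-grained policy '$($resultant.Name)' (precedence $($resultant.Precedence))"
}

# Settings SiteMinder's policy must be at least as strict as, or AD must relax.
[pscustomobject]@{
    PolicySource                = $source
    PasswordHistoryCount        = $resultant.PasswordHistoryCount   # > 0: AD itself rejects reuse
    MinPasswordLength           = $resultant.MinPasswordLength
    ComplexityEnabled           = $resultant.ComplexityEnabled
    MinPasswordAge              = $resultant.MinPasswordAge
    MaxPasswordAge              = $resultant.MaxPasswordAge
    LockoutThreshold            = $resultant.LockoutThreshold
    ReversibleEncryptionEnabled = $resultant.ReversibleEncryptionEnabled
}

# 3. Per-user attributes behind the three states the article mentions.
$disabled = ($user.userAccountControl -band 0x2) -ne 0   # ACCOUNTDISABLE bit
$pwdLastSet = if ($user.pwdLastSet -eq 0) { 'must change at next logon' }
              else { [DateTime]::FromFileTime($user.pwdLastSet) }
$lockoutTime = if ($user.lockoutTime -gt 0) { [DateTime]::FromFileTime($user.lockoutTime) }
               else { 'not locked' }
[pscustomobject]@{
    User            = $user.SamAccountName
    pwdLastSet      = $pwdLastSet        # drives the "expired" state
    PasswordExpired = $user.PasswordExpired
    lockoutTime     = $lockoutTime       # drives the "locked" state
    LockedOut       = $user.LockedOut
    userAccountControl = ('0x{0:X}' -f $user.userAccountControl)
    AccountDisabled = $disabled          # drives the "disabled" state
    Enabled         = $user.Enabled
}

if ($resultant.PasswordHistoryCount -gt 0) {
    Write-Warning ("AD enforces a password history of {0} via {1}. SiteMinder is not " +
        "notified of AD rejections: lower or disable this, or make the SiteMinder " +
        "policy at least as strict.") -f $resultant.PasswordHistoryCount, $source
}
```

Run it as `.\Check-ADPasswordPolicy.ps1 -SamAccountName jdoe` (file name is the author's choice). The first object is the policy to compare against the SiteMinder Password Policy; the second shows the raw attribute values alongside the cmdlet's computed flags, which is what you need when mapping AD attributes to the SiteMinder ones in enhanced and non-enhanced mode.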
Further readings :
When using Enhanced Active Directory Integration, you need to meet the
Pre-requisites for enhanced Active Directory integration
General considerations on Password Services with Enhanced Active
User Attributes - Inside Active Directory
Note that CA delivers the Advanced Password Services (APS) module, which
gives finer management of SiteMinder Password Services with Active
Microsoft Active Directories
APS does support Microsoft Active Directory and this support is
provided using its LDAP interface. However, because Active Directory
deviates so extensively from the LDAP specification, APS contains a
significant amount of special processing and thus Active Directory is
discussed in its own section.
APS supports Microsoft Active Directories running in LDAP mode only.