DISABLING LDAP REFERRALS FROM HAPPENING FOR A CORPORATE USER STORE

Article ID: 49374

Products

DIRECTORY
CA Identity Manager
CA Identity Governance
CA Identity Portal
CA Risk Analytics
CA Secure Cloud SaaS - Arcot A-OK (WebFort)
CLOUDMINDER ADVANCED AUTHENTICATION
CA Secure Cloud SaaS - Advanced Authentication
CA Secure Cloud SaaS - Identity Management
CA Secure Cloud SaaS - Single Sign On
SECURITY MISC CODES
SINGLE SIGN ON - LEGACY
CA Data Protection (DataMinder)
CA User Activity Reporting

Issue/Introduction

Description:

IDM may be configured to connect to only one corporate user store, yet during processing you may still see LDAP referrals being followed to other LDAP servers, which is usually not desired.

Proof that an LDAP referral is being followed can be seen in the IDM log, as below, or in any Wireshark network trace:

18:59:32,357 DEBUG [ims.llsdk.directory.jndi] extraProp:[java.naming.referral]=[follow]

Active Directory in particular is well known for returning referrals along with search results, often pointing to the subschema entry and to site configuration data when a non-existent site or similar object is defined in AD.

Solution:

To stop LDAP referrals from being followed:

Add an extra property to the directory XML as follows (the section should appear right after the Managed Objects declarations):

<PropertyDict name="LDAP_CONNECTION_SETTINGS">
    <Property name="java.naming.referral">ignore</Property>
</PropertyDict>
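The property above is the standard JNDI key java.naming.referral (Context.REFERRAL). The following Java snippet is an added example, not code from the article or from IDM, showing what the setting does on a plain JNDI search and how the "ignore" mode surfaces against Active Directory; the host, base DN and BIND_DN/BIND_PW environment variables are hypothetical.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class ReferralCheck {
    // Hypothetical connection values; substitute your own user store.
    static final String URL = "ldap://ad.example.test:389";
    static final String BASE = "DC=example,DC=test";

    // Counts user entries under BASE using the given referral mode:
    // "follow" (chase referrals to other servers), "ignore", or "throw".
    public static int countUsers(String referralMode) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, System.getenv("BIND_DN"));
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("BIND_PW"));
        // Same key the IDM directory XML sets: java.naming.referral
        env.put(Context.REFERRAL, referralMode);

        DirContext ctx = new InitialDirContext(env);
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"sAMAccountName"});
        int count = 0;
        try {
            NamingEnumeration<SearchResult> results =
                ctx.search(BASE, "(&(objectClass=user)(objectCategory=person))", sc);
            while (results.hasMore()) { results.next(); count++; }
        } catch (PartialResultException e) {
            // With "ignore", the continuation references AD returns (e.g. to the
            // DomainDnsZones or Configuration partitions) are not chased; JNDI reports
            // the skipped references here after the real entries were delivered.
            System.err.println("Referrals ignored: " + e.getMessage());
        } finally {
            ctx.close();
        }
        return count;
    }

    public static void main(String[] args) throws NamingException {
        System.out.println("users found: " + countUsers("ignore"));
    }
}
```

Running it with "follow" and then "ignore" while capturing with Wireshark shows the difference the XML property makes: the second run opens no connections to the referred-to servers.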

Environment

Release:
Component: IDMGR