
LDAP Stores :: How Policy Server connects and searches


Article ID: 49733


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On SITEMINDER



How does Policy Server maintain its connections with LDAP Stores?




For each LDAP Server, a Policy Server opens 3 connections called:

 - Dir (search)
 - User (bind)
 - Dir (Connection Manager Ping Server).

The first Dir (search) connection is used by Policy Server to send any
search request to the Policy or User Store.

The second User (bind) connection is used only for authenticating a
user and it won't be in use for LDAP Policy Stores. This User (bind)
connection is used exclusively for LDAP simple bind calls using the
user's full distinguished name (DN) and password. If the LDAP bind
succeeds, the user credentials are valid. If the bind fails, the
credentials are invalid.

The third Dir (Connection Manager Ping Server) is a dedicated
connection. Once connected, a dedicated thread will use this
connection only to determine the health of the associated
directory. This operation is part of the LDAP Provider known as the
"Connection Manager". The dedicated thread is usually called the "Ping
Server" thread. This thread periodically pings each directory server
instance with which it is associated. The ping validates the
connection by performing an LDAP search with the Search Filter set to:


If the search succeeds within a specified time the directory is
considered healthy. If the search fails the directory instance is
considered failed or bad. The Policy Server will not use a directory
instance while the Ping Server thread considers it bad.
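
A small model of the health check described above, as an added example that is not CA or Broadcom code. The ping search is a stand-in callable (the actual search filter is not shown on this page), and the class names, probe functions, the 0.1-second timeout and the rule that an instance is reinstated on its next successful ping are assumptions.

```python
import time
from concurrent.futures import ThreadPoolExecutor

class DirectoryInstance:
    def __init__(self, name, ping_search):
        self.name = name
        self.ping_search = ping_search  # stand-in for the search sent on the ping connection
        self.healthy = True

class ConnectionManager:
    def __init__(self, instances, ping_timeout):
        self.instances = instances
        self.ping_timeout = ping_timeout  # the "specified time" allowed for the ping search
        self._pool = ThreadPoolExecutor(max_workers=len(instances))

    def ping_all(self):
        """One pass of the modelled Ping Server thread over its directory instances."""
        pending = [(inst, self._pool.submit(inst.ping_search)) for inst in self.instances]
        deadline = time.monotonic() + self.ping_timeout
        for inst, future in pending:
            try:
                future.result(timeout=max(0.0, deadline - time.monotonic()))
                inst.healthy = True    # search answered within the time limit
            except Exception:          # timeout, refused connection or LDAP error
                inst.healthy = False
        return {inst.name: inst.healthy for inst in self.instances}

    def pick_for_search(self):
        """First instance not marked bad, or None when every instance is bad."""
        return next((i.name for i in self.instances if i.healthy), None)

# Constructed probes (hypothetical), each simulating one directory's behaviour.
def answers_quickly():
    return ["entry"]
def hangs():
    time.sleep(0.3)  # longer than the 0.1 s ping timeout used in demo()
def refuses():
    raise ConnectionError("connection refused")

def demo():
    mgr = ConnectionManager([DirectoryInstance("ldap-a", hangs),
                             DirectoryInstance("ldap-b", refuses),
                             DirectoryInstance("ldap-c", answers_quickly)], ping_timeout=0.1)
    first, chosen = mgr.ping_all(), mgr.pick_for_search()
    mgr.instances[1].ping_search = answers_quickly  # ldap-b starts answering again
    second = mgr.ping_all()
    return first, chosen, second, mgr.pick_for_search()

if __name__ == "__main__":
    print(demo())
```

A slow directory and an unreachable one are both marked bad and skipped, so when triaging failover it helps to check whether the ping search timed out or was refused.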