LDAP Stores :: How Policy Server connects and searches


Article ID: 49733


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On



How does Policy Server maintains connection with LDAP Stores?


For each LDAP Server, a Policy Server opens 3 connections called:

  • Dir(search)

  • User(bind)

  • Dir (Connection Manager Ping Server).

The first Dir(search) connection is used by Policy Server to send any search request to the Policy or User Store.

The second User(bind) connection is used only for authenticating a user and it won't be in use for LDAP Policy Stores.

The User(bind) connection is used exclusively for LDAP simple bind calls using the user's full distinguished name (DN) and password. If the LDAP bind succeeds, the user credentials are valid. If the bind fails, the credentials are invalid.

The third Dir (Connection Manager Ping Server) is a dedicated connection. Once connected, a dedicated thread will use this connection only to determine the health of the associated directory. This operation is part of the LDAP Provider known as the "Connection Manager". The dedicated thread is usually called the "Ping Server" thread. This thread periodically pings each directory server instance with which it is associated. The ping actually validates the connection by doing an ldap search with Search Filter as :


If the search succeeds within a specified time the directory is considered healthy. If the search fails the directory instance is considered failed or bad. The Policy Server will not use a directory instance while the Ping Server thread considers it bad.


Component: SMPLC