ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

LDAP Stores :: How Policy Server connects and searches

book

Article ID: 49733

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On SITEMINDER

Issue/Introduction

 

How does Policy Server maintains connection with LDAP Stores ?

 

Resolution

 

For each LDAP Server, a Policy Server opens 3 connections called:

 - Dir (search)
 - User (bind)
 - Dir (Connection Manager Ping Server).

The first Dir (search) connection is used by Policy Server to send any
search request to the Policy or User Store.

The second User (bind) connection is used only for authenticating a
user and it won't be in use for LDAP Policy Stores. This User (bind)
connection is used exclusively for LDAP simple bind calls using the
user's full distinguished name (DN) and password. If the LDAP bind
succeeds, the user credentials are valid. If the bind fails, the
credentials are invalid.

The third Dir (Connection Manager Ping Server) is a dedicated
connection. Once connected, a dedicated thread will use this
connection only to determine the health of the associated
directory. This operation is part of the LDAP Provider known as the
"Connection Manager". The dedicated thread is usually called the "Ping
Server" thread. This thread periodically pings each directory server
instance with which it is associated. The ping actually validates the
connection by doing an ldap search with Search Filter as :

     objectclass=*
     


If the search succeeds within a specified time the directory is
considered healthy. If the search fails the directory instance is
considered failed or bad. The Policy Server will not use a directory
instance while the Ping Server thread considers it bad.