Description:

When you integrate SiteMinder with Active Directory as user store you may be interested in the attributes managed by the Policy Server with non-enhanced and AD enhanced mode.

Solution:

The PS reads the following LDAP parameters in both non-enhanced and AD enhanced mode

• userAccountControl
• pwdlastSet
• sAMAccountName
• SM password data (blob)

The PS reads the following additional LDAP parameters in AD enhanced mode Only:

• accountExpires
• maxPwdAge
• lockoutTime
• lockoutDuration

The PS writes the following parameters in both non-enhanced and AD enhanced mode:

• userAccountControl
• SM password data (blob)
• pwdlastSet

The PS writes the following parameters in AD enhanced mode only:

• unicodePwd
• lockoutTime

Note: A login failure will trigger AD to modify the following user attributes.
These attributes are not currently used by SM:
logonCount
badPasswordTime