What are the AD native attributes managed by the SiteMinder policy server?

Article ID: 50153

Updated On:

Products

  • CA Single Sign On Secure Proxy Server (SiteMinder)
  • CA Single Sign On SOA Security Manager (SiteMinder)
  • CA Single Sign-On

Issue/Introduction

Description:

When you integrate SiteMinder with Active Directory as a user store, you may want to know which attributes the Policy Server (PS) manages in non-enhanced mode and in AD enhanced mode.

Solution:

The PS reads the following LDAP parameters in both non-enhanced and AD enhanced mode:

  • userAccountControl
  • pwdLastSet
  • sAMAccountName
  • SM password data (blob)

The PS reads the following additional LDAP parameters in AD enhanced mode only:

  • accountExpires
  • maxPwdAge
  • lockoutTime
  • lockoutDuration

The PS writes the following parameters in both non-enhanced and AD enhanced mode:

  • userAccountControl
  • SM password data (blob)
  • pwdLastSet

The PS writes the following parameters in AD enhanced mode only:

  • unicodePwd
  • lockoutTime

Note: A login failure will trigger AD to modify the following user attributes. These attributes are not currently used by SM:

  • logonCount
  • badPasswordTime
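When troubleshooting, the raw values of the attributes listed above can be decoded into account state as in the following added example. It is not SiteMinder code and does not describe how the Policy Server evaluates these attributes; it applies standard Active Directory semantics (maxPwdAge and lockoutDuration are stored on the domain object), and the function names and sample values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # AD FILETIME epoch
TICKS_PER_SECOND = 10_000_000                           # one tick = 100 ns
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)                 # accountExpires: "never"
INT64_MIN = -(2 ** 63)                                  # maxPwdAge: "no maximum age"
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000


def to_ticks(when):
    """Convert a timezone-aware datetime to AD FILETIME ticks."""
    delta = when - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def account_state(user, domain, now):
    """Decode integer attribute values; domain values are negative tick counts."""
    now_t = to_ticks(now)
    uac = user["userAccountControl"]
    state = {"disabled": bool(uac & UAC_ACCOUNTDISABLE)}
    expires = user.get("accountExpires", 0)
    state["account_expired"] = expires not in NEVER_EXPIRES and now_t >= expires
    max_age = domain.get("maxPwdAge", 0)
    if uac & UAC_DONT_EXPIRE_PASSWORD:
        state["password_expired"] = False
    elif user["pwdLastSet"] == 0:          # 0 = must change password at next logon
        state["password_expired"] = True
    elif max_age in (0, INT64_MIN):        # domain has no maximum password age
        state["password_expired"] = False
    else:
        state["password_expired"] = now_t >= user["pwdLastSet"] + abs(max_age)
    locked_at = user.get("lockoutTime", 0)  # 0 = not locked out
    duration = abs(domain.get("lockoutDuration", 0))
    state["locked_out"] = locked_at != 0 and now_t < locked_at + duration
    return state


# Constructed sample values, not taken from a real directory.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_USER = {
    "userAccountControl": 512,                                   # NORMAL_ACCOUNT
    "pwdLastSet": to_ticks(datetime(2024, 1, 1, tzinfo=timezone.utc)),
    "accountExpires": 0x7FFFFFFFFFFFFFFF,
    "lockoutTime": to_ticks(NOW - timedelta(minutes=10)),
}
SAMPLE_DOMAIN = {"maxPwdAge": -90 * 86400 * TICKS_PER_SECOND,       # 90 days
                 "lockoutDuration": -30 * 60 * TICKS_PER_SECOND}    # 30 minutes
print(account_state(SAMPLE_USER, SAMPLE_DOMAIN, NOW))
```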

Environment

Release:
Component: SMPLC