In SiteMinder Policy Server releases before 6.0 SP5 CR24, even if a Policy Domain has several User Stores configured, the search for a user stops the moment the user is found disabled in a directory. The Policy Server does not search for the user in the other directories in the list.
In more recent versions, this is no longer the case. If the user is disabled in one directory, the Policy Server searches for the user in the next directory in the list.
How can I disable this new behaviour?
This problem is specific to the remote case of having the SAME USER in MULTIPLE DIRECTORIES with the SAME PASSWORD, but DISABLED in one of the UDs (User Directories). As per the current design of the Policy Server, when a user is "found" (with a valid user name and a valid password) in one of the user directories, it breaks out of the loop that iterates through the other UDs.
This behavior has been changed in 6.0 SP5 CR24.
If a user is found but is disabled, the Policy Server still continues to look the user up in the other configured UDs. When a protected resource is accessed with the same valid user and the same password present in both UDs (UD1 and UD2) of a multiple user directory configuration, the Policy Server saves the reject reason (user disabled), the redirection URL, etc. from the processed user state of UD1 until all the UDs are processed. Essentially, the status of the user being "found" is rolled back.
When the user is found in UD1 but is disabled, the bAuthenticateUserFound status is set to false. If the user is not authenticated from the second user directory, the Policy Server returns the reject reason, redirection URL and other parameters saved from the first directory search. But if the user can be authenticated from subsequent UDs, the redirection URL and error message from the last UD are overwritten.
A new registry key has been introduced:
When this key is set to 1 and the user is found disabled in the first UD, the Policy Server will not look into the other configured User Directories and will declare the user as "Not Authenticated".
This has also been mentioned in the 6.0 SP5 CR24 release notes:
77175 The policy server will now continue to process additional user directories if the user is disabled in the previous ones with LDAP namespace.
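The directory walk described above, modelled as an added example (not the vendor's code and not part of the original article). `stop_on_disabled` is a hypothetical stand-in for the registry key, whose name the page does not give; the directory contents and the "user not found" reason are constructed. The helper `disabled_but_enabled_elsewhere` goes one step beyond the text and lists accounts whose disabled flag in one directory does not block login through another.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Entry:  # one user's record in one directory (constructed model)
    password: str
    disabled: bool = False
    redirect_url: str = ""


@dataclass
class Result:
    authenticated: bool
    directory: Optional[str] = None
    reject_reason: Optional[str] = None
    redirect_url: Optional[str] = None


def authenticate(directories, user, password, stop_on_disabled=False):
    """Walk the ordered (name, {user: Entry}) list as the article describes.

    stop_on_disabled is a hypothetical stand-in for the registry key set to 1.
    """
    saved = None  # reject state kept from the first disabled match
    for name, users in directories:
        entry = users.get(user)
        if entry is None or entry.password != password:
            continue  # not "found" here, try the next directory
        if entry.disabled:
            # Found but disabled: roll back "found", remember why.
            saved = saved or Result(False, name, "user disabled", entry.redirect_url)
            if stop_on_disabled:
                return saved  # declared "Not Authenticated" without looking further
            continue
        # Enabled match: the saved reject state is overwritten.
        return Result(True, name, None, entry.redirect_url)
    return saved or Result(False, reject_reason="user not found")


def disabled_but_enabled_elsewhere(directories):
    """Audit helper: users disabled in one directory and enabled in another."""
    disabled = {u for _, d in directories for u, e in d.items() if e.disabled}
    enabled = {u for _, d in directories for u, e in d.items() if not e.disabled}
    return sorted(disabled & enabled)


# Constructed sample data: the same user and password in UD1 and UD2.
UD1 = ("UD1", {"jdoe": Entry("s3cret", disabled=True, redirect_url="/disabled.html")})
UD2 = ("UD2", {"jdoe": Entry("s3cret", redirect_url="/home")})
```

With the default setting, `authenticate([UD1, UD2], "jdoe", "s3cret")` succeeds through UD2; with `stop_on_disabled=True` it returns the "user disabled" state saved from UD1.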