SiteMinder Policy Server is not failing over to the next server in the list when the ldap server is eTrust Directory Server.

Article ID: 54432

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Description:

Our Siteminder Policy Server was unable to connect to the User Directory and therefore users were not able to get access to protected resources.

We are running SiteMinder Policy Server 6 SP5 on Windows, using eTrust Directory as User Store and We have configured the user directory as follows:

ldapserver1:20689 ldapserver2:20689

SiteMinder Policy Server Log shows both servers as down, but the ldap servers were up and running:

<- Begin
 
Status: Error 91 . Can't connect to the LDAP server
Status: Error 91 . Can't connect to the LDAP server
Failed to resolve user identity. Denying access.
 
-> End

Solution:

In this scenario, the Policy Server is running out of connections. The operating system was trying to create a new socket, but it failed because the connections to the eTrust Directory were not being closed.

You can check the number of open connections using the netstat command.

On Unix systems, the number of sockets a system can open is directly related to the number of file descriptors.

On Windows systems, connections can use only port numbers 1024 through 5000 by default.

Even though you can increase the number of connections available on your system, the root cause is that connections from SiteMinder Policy Server to the eTrust Directory Server are not being closed, so raising the limit only delays the failure.
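As an added example that is not part of the original article, the following shell snippet counts ESTABLISHED sockets to each LDAP server on port 20689 in netstat -an output and warns when a server is at or over a threshold, which is how a leak like the one described above shows up before the ephemeral port range is exhausted. The netstat lines and the 10.0.0.x addresses are constructed sample data.

```shell
# Constructed sample of `netstat -an` output (not a real capture): the Policy
# Server host 10.0.0.5 holds several sockets to ldapserver1 (10.0.0.20:20689).
SAMPLE_NETSTAT='Proto  Local Address          Foreign Address        State
TCP    10.0.0.5:4998          10.0.0.20:20689        ESTABLISHED
TCP    10.0.0.5:4999          10.0.0.20:20689        ESTABLISHED
TCP    10.0.0.5:5000          10.0.0.20:20689        ESTABLISHED
TCP    10.0.0.5:3050          10.0.0.21:20689        ESTABLISHED
TCP    10.0.0.5:3051          10.0.0.21:20689        TIME_WAIT
TCP    10.0.0.5:443           10.0.0.99:52311        ESTABLISHED'

# count_ldap_conns PORT  (reads netstat -an output on stdin)
# Prints "server:port count" for ESTABLISHED sockets whose foreign address
# ends in :PORT. Foreign address and state are the last two fields on both
# Windows (4 columns) and Linux (6 columns) netstat output.
count_ldap_conns() {
    port="$1"
    awk -v port="$port" '
        $(NF-1) ~ (":" port "$") && $NF == "ESTABLISHED" { n[$(NF-1)]++ }
        END { for (p in n) print p, n[p] }' | sort
}

# check_conn_budget PORT LIMIT  (reads netstat -an output on stdin)
# Returns 0 if every LDAP server is below LIMIT, 1 if any is at or over it.
# LIMIT is a site-specific threshold; on Windows the default ephemeral range
# is 1024-5000, so a budget well below ~4000 per host is a reasonable alarm.
check_conn_budget() {
    port="$1"; limit="$2"
    count_ldap_conns "$port" | awk -v limit="$limit" '
        $2 >= limit { print "WARN " $1 " has " $2 " ESTABLISHED connections (limit " limit ")"; over = 1 }
        END { exit (over ? 1 : 0) }'
}

# Stand-alone run against the constructed sample: warns for 10.0.0.20.
printf '%s\n' "$SAMPLE_NETSTAT" | check_conn_budget 20689 3
```

On a live host replace the sample with `netstat -an | check_conn_budget 20689 <limit>`; a count that only ever grows while the Policy Server is idle is the leak this article describes.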

In order to configure eTrust Directory Server to handle SiteMinder-specific LDAP connections, the following configuration settings need to be defined for the router DSAs:

# CA Siteminder specific settings
set mimic-netscape-for-siteminder = true;
set concurrent-bind-user = <Siteminder BIND DN>;
set ignore-name-bindings = true;
set hold-ldap-connections = true;

Where <Siteminder BIND DN> is the full DN of the user CA SiteMinder uses to connect to CA Directory, e.g. <c US><o ACME><ou administrators><uid smuseradmin> for the User store and <c US><o ACME><ou smpolicy><uid smpolicyadmin> for the Policy store. It is suggested to add these settings to the end of the relevant router DSA settings file (i.e. $DXHOME/config/settings).

It should look like:

# CA Siteminder specific settings
set mimic-netscape-for-siteminder = true;
set concurrent-bind-user = <dc com><dc mycompany><ou myou><ou administrator><uid smadmin>;
set ignore-name-bindings = true;
set hold-ldap-connections = true;

Environment

Release:
Component: SMPLC