The policy server checks the directory type when the connection is established. Depending on the type it detects, it enables functionality specific to that directory. When a customer points the user directory at an AD Global Catalog, the first AD search does not return an objectClass of domainDNS, so the policy server continues testing the other types; packet traces and logs showed that the search used to check for Siemens DirX succeeds, causing the AD Global Catalog to be identified as Siemens DirX.
Result: the policy server does not process group membership as expected; specifically, it does not use the code path written for Active Directory domains, which causes failed authorizations.
The bug was introduced in R12.7 in the directory type identification. Instead of being detected as Active Directory Global Catalog, the directory type Siemens DirX was used. As a result, the improved search for Active Directory group membership is not invoked.
A dev fix was provided under DE313293.
The GA release will be r12.7.02.
The fix removes the code for the unsupported Siemens store check, which lets the policy server proceed to the Global Catalog check.
When facing a backend LDAP issue it is always useful to log in the trace what the policy server thinks it is talking to. To trace the directory type, include the Directory_Access component and the ReturnValue data field in the trace profile:
components: Server/Connection_Management, Server/Policy_Server_General, Login_Logout/Function_Begin_End, Login_Logout/Authentication, IsAuthorized/Function_Begin_End, Directory_Access, LDAP
data: Pid, Tid, Date, PreciseTime, SrcFile, Function, ReturnValue, Message, ExecutionTime
version: 1.1
[20708][15][09/15/2017][09:05:05.013][SmDsDir.cpp:1082][CSmDsDir::GetDirectoryVersionInfo][16][Leave function CSmDsDir::GetDirectoryVersionInfo][00:00:00.000012]
Here the ReturnValue of 16 on leaving CSmDsDir::GetDirectoryVersionInfo is the directory type code; in the table below 16 is Smldap_DirSiemensDirx, which is the misdetection described above (the expected value for a Global Catalog is 11, SmldapPs_DirADGC).
Cross reference of directory types (from the policy server header):
#define SmldapPs_DirUnknown 0 // unknown directory server
#define SmldapPs_DirNS3 1 // Netscape v3
#define SmldapPs_DirNS4 2 // Netscape v4
#define SmldapPs_DirAD 3 // Active Directory
#define SmldapPs_DirOID 4 // Oracle Internet Directory
#define SmldapPs_DirDomino 5 // Domino
#define SmldapPs_DirNDS 6 // NDS
#define SmldapPs_SecurityIntegration 7 // RACF, etc.
#define SmldapPs_DirNS5 8 // Netscape v5
#define SmldapPs_DirSun5 9 // Sun One v5
#define SmldapPs_DirADAM 10 // ADAM
#define SmldapPs_DirADGC 11 // Active Directory Global Catalog
#define SmldapPs_DirETrustAdmin 12 // eTrust Admin
#define Smldap_DirISSRACF 13 // IBM LDAP Server for z/OS (RACF)
#define Smldap_DirCA 14 // CA Directory
#define Smldap_DirOpenLDAP 15 // OpenLDAP
#define Smldap_DirSiemensDirx 16 // Siemens Dirx
#define Smldap_DirIBMDirectoryServer 17 // IBM (Tivoli)
#define SmldapPs_DirOUD 18 // Oracle Unified Directory
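The following is an added example, not code from the original article or from the policy server: it parses trace lines in the profile format shown above (the "data:" field order), pulls the ReturnValue from every Leave of CSmDsDir::GetDirectoryVersionInfo, maps it through the directory type table and flags any connection whose detected type is not the one you configured. It assumes that ReturnValue on that Leave line is the directory type code, which is what the quoted trace line suggests. The sample lines are constructed: the first Leave line is the one quoted above; the Enter line, its source line number, and the second Leave line (ReturnValue 11, a correctly detected Global Catalog on another thread) are assumptions.

```python
# Directory type codes, transcribed from the cross reference above.
DIR_TYPES = {
    0: "Unknown",
    1: "Netscape v3",
    2: "Netscape v4",
    3: "Active Directory",
    4: "Oracle Internet Directory",
    5: "Domino",
    6: "NDS",
    7: "Security integration (RACF, etc.)",
    8: "Netscape v5",
    9: "Sun One v5",
    10: "ADAM",
    11: "Active Directory Global Catalog",
    12: "eTrust Admin",
    13: "IBM LDAP Server for z/OS (RACF)",
    14: "CA Directory",
    15: "OpenLDAP",
    16: "Siemens DirX",
    17: "IBM Tivoli Directory Server",
    18: "Oracle Unified Directory",
}

# Field order follows the "data:" line of the trace profile above.
FIELDS = ["Pid", "Tid", "Date", "PreciseTime", "SrcFile", "Function",
          "ReturnValue", "Message", "ExecutionTime"]

VERSION_FUNC = "CSmDsDir::GetDirectoryVersionInfo"

# Constructed sample. Line 2 is the trace line quoted in the article (ReturnValue 16,
# the buggy R12.7 result). Lines 1 and 3 are assumptions: an Enter line with an empty
# ReturnValue, and a Leave line on another thread where a Global Catalog (11) was detected.
SAMPLE_LINES = [
    "[20708][15][09/15/2017][09:05:05.000][SmDsDir.cpp:1060][CSmDsDir::GetDirectoryVersionInfo][][Enter function CSmDsDir::GetDirectoryVersionInfo][00:00:00.000000]",
    "[20708][15][09/15/2017][09:05:05.013][SmDsDir.cpp:1082][CSmDsDir::GetDirectoryVersionInfo][16][Leave function CSmDsDir::GetDirectoryVersionInfo][00:00:00.000012]",
    "[20708][22][09/15/2017][09:07:41.502][SmDsDir.cpp:1082][CSmDsDir::GetDirectoryVersionInfo][11][Leave function CSmDsDir::GetDirectoryVersionInfo][00:00:00.000010]",
]


def parse_trace_line(line):
    """Split one bracketed trace line into a dict keyed by the profile's data fields.

    Returns None for lines without the expected bracket layout. If the Message
    field itself contains '][', the extra pieces are folded back into Message.
    """
    line = line.strip()
    if not (line.startswith("[") and line.endswith("]")):
        return None
    parts = line[1:-1].split("][")
    if len(parts) < len(FIELDS):
        return None
    # Seven leading fields, one trailing field, everything in between is the Message.
    head, tail = parts[:7], parts[-1]
    message = "][".join(parts[7:-1])
    return dict(zip(FIELDS, head + [message, tail]))


def directory_type_events(lines):
    """Yield (tid, code, name) for every Leave of GetDirectoryVersionInfo.

    Assumption: the ReturnValue on that Leave line is the directory type code
    from the header table (the quoted line shows 16 = Siemens DirX).
    """
    for line in lines:
        rec = parse_trace_line(line)
        if rec is None or rec["Function"] != VERSION_FUNC:
            continue
        if not rec["Message"].startswith("Leave function"):
            continue
        try:
            code = int(rec["ReturnValue"])
        except ValueError:
            continue  # Enter lines carry an empty ReturnValue
        yield rec["Tid"], code, DIR_TYPES.get(code, "undefined code")


def find_misdetections(lines, expected_code):
    """Return the events whose detected type differs from the configured one."""
    return [ev for ev in directory_type_events(lines) if ev[1] != expected_code]


if __name__ == "__main__":
    for tid, code, name in directory_type_events(SAMPLE_LINES):
        print(f"tid {tid}: directory type {code} ({name})")
    for tid, code, name in find_misdetections(SAMPLE_LINES, expected_code=11):
        print(f"tid {tid}: expected Active Directory Global Catalog (11), got {code} ({name})")
```

Run it against a real trace file by replacing SAMPLE_LINES with the file's lines and passing the code you expect for your user directory (11 for a Global Catalog, 3 for a domain controller). Any thread reporting 16 against an AD Global Catalog is the R12.7 misdetection this article describes; after the DE313293 fix those connections should report 11.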