search cancel

Allow nested groups is not working in 12.7


Article ID: 8473


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On


Policy server checks directory type when the connection establishment.  Depending on the directory type policy server will add different functionality specific for the directory type returned.  In the case where the customers point to AD Global Catalog the first AD search does not return objectclass of domainDNS.  Policy server continues to check other types, packet traces and logs showed that the search to check for SiemensDix is successful causing AD Global catalog to be identified as SiemensDirX.




Result: Policy server does not process group membership as expected specifically not taken advantage of code for Active Directory domains – this is causing failed authorizations


Linux Policy Server R12.7Windows Active Directory with global catalog and group membership


Bug introduced in R12.7 for directory type identification.  Instead of being detected as Global catalog for Active Directory the directory type was SiemensDirX was used instead.  This resulted in the improved search for Active Directory membership not being invoked.


Provided dev-fix from DE313293

GA Release will be in r12.7.02


Remove the code for the unsupported Siemens Store check, this will allow the policy server to check for Global Catalog 

Additional Information

When facing backend LDAP issue it’s always good to log in the trace what the policy server thinks it’s talking to.  In order to trace the type you need to include Directory_Access component and ReturnValue


components: Server/Connection_Management, Server/Policy_Server_General, Login_Logout/Function_Begin_End, Login_Logout/Authentication, IsAuthorized/Function_Begin_End, Directory_Access, LDAP

data: Pid, Tid, Date, PreciseTime, SrcFile, Function, ReturnValue, Message, ExecutionTime

version: 1.1



[20708][15][09/15/2017][09:05:05.013][SmDsDir.cpp:1082][CSmDsDir::GetDirectoryVersionInfo][16][Leave function CSmDsDir::GetDirectoryVersionInfo][00:00:00.000012]

Cross refence of directory types

#define SmldapPs_DirUnknown             0       // unknown directory server

#define SmldapPs_DirNS3                 1       // Netscape v3

#define SmldapPs_DirNS4                 2       // Netscape v4

#define SmldapPs_DirAD                  3       // Active Directory

#define SmldapPs_DirOID                 4       // Oracle Internet Directory

#define SmldapPs_DirDomino              5       // Domino

#define SmldapPs_DirNDS                 6       // NDS

#define SmldapPs_SecurityIntegration    7       // RACF, etc.

#define SmldapPs_DirNS5                 8       // Netscape v5

#define SmldapPs_DirSun5                9       // Sun One v5

#define SmldapPs_DirADAM                10      // ADAM

#define SmldapPs_DirADGC                11      // Active Directory Global Catalog

#define SmldapPs_DirETrustAdmin         12      // eTrust Admin

#define Smldap_DirISSRACF               13      // IBM LDAP Server for z/OS (RACF)

#define Smldap_DirCA                    14      // CA Directory

#define Smldap_DirOpenLDAP              15      // OpenLDAP

#define Smldap_DirSiemensDirx           16      // Siemens Dirx

#define Smldap_DirIBMDirectoryServer    17      // IBM (Tivoli)


#define SmldapPs_DirOUD                 18     // Oracle Unified Directory