LDAP User Directory with a custom ObjecClass in Policy Server
search cancel

LDAP User Directory with a custom ObjecClass in Policy Server


Article ID: 9795


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On SITEMINDER



By default, the SiteMinder (CA Single Sign On) Policy Server using an LDAP User Directory will perform searches against the LDAP directory for Users using the default ObjectClasses of "inetOrgPerson", "organizationalPerson", and "person".

Some organizations create a custom ObjectClass for their User Directory to only include specific attributes. Out of the Box, the Policy Server will not be able to locate users in this User Directory for Authentication or Authorization purposes.

In order to allow users to be Authenticated and Authorized from the User Directory, the Policy Server registry needs to be configured to utilize the custom ObjectClass.




Policy Server using a LDAP User Directory with a Custom ObjectClass





  1. Open a command prompt with 'Run as Administrator' and run 'regedit';

  2. Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\Siteminder\CurrentVersion\Ds\PolicyClassFilters";

  3. Right-click on "LDAP:" and select "Modify...";

  4. Add the name of the custom ObjectClass to the 'Value data:' field;

  5. Click 'OK';

  6. Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\Siteminder\CurrentVersion\Ds\UserClassFilters";

  7. Right-click on "LDAP:" and select 'Modify...';

  8. Add the name of the custom ObjectClass to the 'Value data:' field;

  9. Click 'OK';

  10. Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\Siteminder\CurrentVersion\Ds\PolicyResolution";

  11. Right-click on the 'PolicyResolution' folder and select 'New>DWORD (32-bit) value';

  12. Enter the name of the custom ObjectClass as the 'Name' of the DWORD;

  13. Right-Click on the new Custom ObjectClass DWORD, and select 'Modify...';

  14. Enter "1" in the 'Value data:' field;

  15. Click 'OK';

  16. Close the Registry Editor;

  17. Restart the Policy Server to pick up the Registry changes;


  1. Navigate to the 'CA/siteminder/registry' directory;

  2. Open the sm.registry file in a text editor;
  3. Add the Custom ObjectClass to the LDAP entry for the following keys:


    for example,  


    LDAP:=                inetOrgPerson,organizationalPerson,person,MyCustomObjClass;REG_SZ

  4. Add the Custom ObjectClass as a "0x1;REG_DWORD"  to the following key:


    for example,

    container=                                     0x5;       REG_DWORD
    DN Attribute=                                  0xa;       REG_DWORD
    Group=                                         0x2;       REG_DWORD
    Group Attribute=                               0x8;       REG_DWORD
    groupOfNames=                               0x2;       REG_DWORD
    groupOfUniqueNames=                     0x2;       REG_DWORD
    inetOrgPerson=                                 0x1;       REG_DWORD
    Org Attribute=                                 0x9;       REG_DWORD
    organization=                                  0x5;       REG_DWORD
    organizationalPerson=                       0x1;       REG_DWORD
    organizationalRole=                           0x4;      REG_DWORD
    organizationalUnit=                           0x5;       REG_DWORD
    person=                                        0x1;       REG_DWORD
    Query=                                         0x6;       REG_DWORD
    residentialPerson=                             0x1;       REG_DWORD
    User=                                       0x1;      REG_DWORD
    User Attribute=                                0x3;       REG_DWORD
    MyCustomObjClass                         0x1;       REG_DWORD
  5. Save and close the sm.registry file;

  6. Restart the Policy Server to pick up the changes.