How to disable LDAP Referrals on the Policy Server using EnableEnhancedReferrals and EnableReferrals registry settings

Article ID: 48683

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

We would like to know how to disable the LDAP referrals in the Policy Server configuration. How can we do that?

Cause

LDAP referrals provide a reference to an alternate location where an LDAP request can be processed. A referral can point to another partition or even to a different LDAP server, so that the request can still be fulfilled.

There are situations where this can also cause problems. For example, latency can be introduced if the referral sends the request to a very remote server. It can also make troubleshooting difficult, because the logging may not reflect that a referral has occurred. For LDAP connection performance, the Policy Server maintains a persistent connection to the configured User Directory, but no such persistent connection necessarily exists to a directory reached through a referral.

Environment

Policy Server, all versions

Resolution

In order to disable referrals on the Policy Server you need to set two REG_DWORD values under the following registry key:

     HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider
       EnableEnhancedReferrals = 1  (REG_DWORD)
       EnableReferrals         = 0  (REG_DWORD)

How they work:

EnableEnhancedReferrals controls how the Policy Server handles referrals.
If it is disabled (0), all referral processing is handled by the LDAP SDK.
If it is enabled (1), the Policy Server itself handles the referral processing.

EnableReferrals controls whether the Policy Server processes referrals at all.
If it is disabled (0), the Policy Server will not process referrals; however, see Note 1.
If it is enabled (1), the Policy Server will process and follow referrals according to the EnableEnhancedReferrals setting.

Note 1 - If EnableEnhancedReferrals is disabled (0), then even when EnableReferrals is also disabled (0), the LDAP SDK will still process the LDAP referrals, although it will not follow them. This means it still performs host resolution on the referral target, which can cause processing delays if DNS resolution is slow or fails. There may be additional processing as well, depending on the exact referral.
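The following PowerShell script is an added example, not part of this article: it reads the two values from the registry path given in the Resolution, reports the resulting behaviour using the decision table from "How they work" and Note 1 (including the case where the SDK still resolves referral hosts), and provides a function that writes the recommended settings. The function names are made up for this example.

```powershell
# Added example (not from the CA article): audit and optionally set the two
# referral values described above. Path and value names are from the article.
$LdapProviderKey = 'HKLM:\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider'

function Get-ReferralSetting {
    param([string]$Name)
    # Returns $null when the key or value is absent, so "unset" is distinct from 0
    $props = Get-ItemProperty -Path $LdapProviderKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$Name) { return $null }
    return [int]$props.$Name
}

function Describe-ReferralBehaviour {
    param([Nullable[int]]$Enhanced, [Nullable[int]]$Referrals)
    # Decision table taken from "How they work" and Note 1 in the article
    if ($Referrals -eq 0 -and $Enhanced -eq 1) {
        return 'Referrals disabled (recommended): the Policy Server handles referral processing and does not follow referrals.'
    }
    if ($Referrals -eq 0 -and $Enhanced -eq 0) {
        return 'WARNING (Note 1): referrals are not followed, but the LDAP SDK still processes them and resolves the referral host; slow or failing DNS will still delay requests.'
    }
    if ($Referrals -eq 1) {
        $handler = if ($Enhanced -eq 1) { 'the Policy Server' } else { 'the LDAP SDK' }
        return "Referrals enabled and followed by $handler."
    }
    return 'One or both values are not set; the product default applies (not documented in this article).'
}

function Set-ReferralsDisabled {
    # Creates the key if missing and writes the REG_DWORD values from the Resolution
    if (-not (Test-Path $LdapProviderKey)) { New-Item -Path $LdapProviderKey -Force | Out-Null }
    New-ItemProperty -Path $LdapProviderKey -Name 'EnableEnhancedReferrals' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $LdapProviderKey -Name 'EnableReferrals'         -Value 0 -PropertyType DWord -Force | Out-Null
}

# Audit the current state
$enhanced  = Get-ReferralSetting 'EnableEnhancedReferrals'
$referrals = Get-ReferralSetting 'EnableReferrals'
Write-Host "EnableEnhancedReferrals=$enhanced  EnableReferrals=$referrals"
Write-Host (Describe-ReferralBehaviour $enhanced $referrals)

# Uncomment to apply the article's recommended settings (requires administrative rights):
# Set-ReferralsDisabled
```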

Note 2 - If the Policy Server has to contact Active Directory, point the Policy Server to the Global Catalog, which listens on port 3268, so that the Policy Server does not receive instructions from Active Directory to follow referrals.

(http://technet.microsoft.com/en-us/library/cc978012.aspx)