Policy Server :: Active Directory : Password Policies
Article ID: 48927
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
I am running Policy Server with Active Directory as the User Store. When a user sets a new password through SiteMinder Password Services, the native Active Directory password policy that prevents re-using an old password is not applied, so a user can set an old password on the SiteMinder side, but not when setting it through Active Directory.
How can I fix this?
SiteMinder all versions
The problem comes from using both password policies at the same time, i.e. SiteMinder's and Active Directory's.
First, you need to understand that:
User Store :: Disable Flag : Behavior among AD and LDAP
"The directory server's own account status takes precedence over anything SiteMinder might configure. Therefore, if the user is disabled in Active Directory, no amount of SiteMinder configuration can fix that."
Further, the documentation states that you need to disable the directory's native password policy if you want SiteMinder to manage passwords:
Password Policy Considerations
If you plan to implement password policies in your enterprise, consider the following items:
- CA Single Sign-on requires read/write access to the user directory, including exclusive use of several attributes within that directory to store passwords and password-related information.
- If your user directory has a native password policy, this policy must be less restrictive than the password policy or it must be disabled. Otherwise the native password policy accepts or rejects passwords without notifying CA Single Sign-on. Therefore, CA Single Sign-on cannot manage those passwords.
Because SiteMinder depends on the behavior of the User Store, the following article lists the attributes the Policy Server manages in both non-enhanced and enhanced Active Directory mode; use it to align SiteMinder Password Services with Active Directory:
What are the AD native attributes managed by the SiteMinder policy server? https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=50153
So to handle the expired-password, locked and disabled fields, you have to map the Active Directory attributes to the corresponding SiteMinder ones.
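The documented rule above (the native policy must be less restrictive than SiteMinder's, or disabled) is easy to violate silently, because Active Directory simply accepts or rejects the password without telling the Policy Server. The following script is an added example, not code from this article or from CA/Broadcom: it compares the domain object's real password-policy attributes (minPwdLength, pwdHistoryLength, maxPwdAge, lockoutThreshold) against a SiteMinder password policy and reports every native constraint that is not less restrictive and not disabled. The attribute values are constructed, the SiteMinder policy values are assumed to have been copied by hand from the policy definition, and treating a maxPwdAge of 0 as "unset" is an assumption; in a real check you would read the attributes from the domain's LDAP entry.

```python
"""Check whether an Active Directory domain's native password policy is
"less restrictive or disabled" relative to the SiteMinder password policy.

Added example, not from the article or from CA/Broadcom. The AD attribute
names are the real attributes of the domain object; the values are
constructed, and the SiteMinder policy values are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# AD stores password-age attributes as a negative count of 100-nanosecond
# intervals; Int64.MinValue (0x8000000000000000) means "never expires".
HUNDRED_NS_PER_DAY = 86_400 * 10_000_000
INT64_MIN = -(2 ** 63)


def ad_interval_to_days(value: int) -> Optional[float]:
    """Convert an AD duration attribute to days; None when no limit is set."""
    if value in (0, INT64_MIN):  # 0 treated as "unset" (assumption)
        return None
    return abs(value) / HUNDRED_NS_PER_DAY


@dataclass
class SiteMinderPolicy:
    """Assumed SiteMinder Password Services settings (constructed)."""
    min_length: int                # minimum password length
    history_count: int             # number of old passwords that cannot be reused
    expiry_days: Optional[int]     # password expiration in days, None = never
    max_failures: Optional[int]    # failed logins before lockout, None = no lockout


def check_native_policy(ad: Dict[str, int], sm: SiteMinderPolicy) -> List[str]:
    """Return one finding per native AD constraint that is NOT less restrictive
    than SiteMinder's and NOT disabled, i.e. every place where AD would accept
    or reject a password without SiteMinder knowing about it."""
    # (AD attribute, native value, SiteMinder value, higher value is stricter?)
    constraints = [
        ("minPwdLength", ad.get("minPwdLength", 0), sm.min_length, True),
        ("pwdHistoryLength", ad.get("pwdHistoryLength", 0), sm.history_count, True),
        ("maxPwdAge", ad_interval_to_days(ad.get("maxPwdAge", 0)), sm.expiry_days, False),
        ("lockoutThreshold", ad.get("lockoutThreshold", 0), sm.max_failures, False),
    ]
    findings: List[str] = []
    for attr, native, sm_value, higher_is_stricter in constraints:
        if not native:                      # 0 or None: native check disabled, fine
            continue
        if not sm_value:                    # SiteMinder does not enforce this at all
            findings.append(f"{attr}={native}: enforced natively but not by SiteMinder")
            continue
        stricter = native >= sm_value if higher_is_stricter else native <= sm_value
        if stricter:
            findings.append(
                f"{attr}={native}: not less restrictive than SiteMinder value {sm_value}"
            )
    return findings


# Constructed sample: AD defaults plus a 42-day maximum age and no native lockout.
SAMPLE_AD_DOMAIN = {
    "minPwdLength": 7,
    "pwdHistoryLength": 24,
    "maxPwdAge": -36_288_000_000_000,   # 42 days in 100-ns intervals
    "lockoutThreshold": 0,
}
SAMPLE_SM_POLICY = SiteMinderPolicy(min_length=8, history_count=5,
                                    expiry_days=90, max_failures=5)

if __name__ == "__main__":
    for line in check_native_policy(SAMPLE_AD_DOMAIN, SAMPLE_SM_POLICY):
        print("FINDING:", line)
```

With the sample values the script flags pwdHistoryLength (24 remembered passwords versus SiteMinder's 5) and maxPwdAge (42 days versus 90), while the native minimum length (7, below SiteMinder's 8) and the disabled native lockout pass. Both flagged attributes need to be relaxed or disabled in the domain policy, with the equivalent rule configured in the SiteMinder password policy instead, before SiteMinder can manage those passwords.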
Further reading:
If you use Enhanced Active Directory Integration, you need to set the following:
Pre-requisites for enhanced Active Directory integration https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=54428
General considerations on Password Services with Enhanced Active Directory Integration
User Attributes - Inside Active Directory http://www.kouti.com/tables/userattributes.htm
Note that CA delivers the Advanced Password Services (APS) module, which gives finer-grained management of SiteMinder Password Services with Active Directory:
Microsoft Active Directories
APS does support Microsoft Active Directory and this support is provided using its LDAP interface. However, because Active Directory deviates so extensively from the LDAP specification, APS contains a significant amount of special processing and thus Active Directory is discussed in its own section.