LDAP User Directory with a custom ObjectClass in Policy Server



Article ID: 9795



Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On SITEMINDER

Issue/Introduction

By default, the SiteMinder (CA Single Sign On) Policy Server searches an LDAP User Directory for users using only the standard ObjectClasses "inetOrgPerson", "organizationalPerson", and "person".

Some organizations define a custom ObjectClass for their user entries so that only specific attributes are permitted. Out of the box, the Policy Server does not find entries that carry only that custom ObjectClass, so those users can be neither authenticated nor authorized.

To allow these users to be authenticated and authorized from the User Directory, the Policy Server registry must be configured to include the custom ObjectClass in its class filters. These filters also define which directory entries the Policy Server is willing to treat as users, so add only the class your user entries actually carry, not a broad class such as "top" that every entry has.
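Before touching the registry, it helps to confirm that the symptom really is the ObjectClass filter. The script below is an added example and is not code from this article or from CA: it approximates the user search implied by a given "LDAP:" class list so that you can run the same search with ldapsearch, see that an entry carrying only the custom ObjectClass is not returned with the default list, and see that it is returned once the class is appended. The exact filter the Policy Server sends is not shown on this page, and the lookup attribute "uid", the server URL, bind DN, password file and base DN are assumptions (the Policy Server's user lookup attribute is configured per User Directory).

```shell
#!/bin/sh
# Added example (not from the CA article): approximate the Policy Server's user
# search for a given UserClassFilters "LDAP:" value and run it with ldapsearch.
# The lookup attribute "uid" and all connection values are assumptions.
set -eu

# oc_filter "inetOrgPerson,organizationalPerson,person"
#   -> (|(objectClass=inetOrgPerson)(objectClass=organizationalPerson)(objectClass=person))
oc_filter() {
    out=""
    saved_ifs=$IFS
    IFS=','
    for c in $1; do
        # sm.registry values may carry spaces around the commas; trim them.
        c=$(printf '%s' "$c" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -n "$c" ] && out="${out}(objectClass=${c})"
    done
    IFS=$saved_ifs
    printf '(|%s)' "$out"
}

# user_filter UID CLASSES -> (&(uid=UID)<oc_filter CLASSES>)
user_filter() {
    printf '(&(uid=%s)%s)' "$1" "$(oc_filter "$2")"
}

# find_user LDAP_URL BIND_DN PASSWORD_FILE BASE_DN UID CLASSES
# Prints the DNs that match and returns 0 if there is at least one, 1 if none.
# The bind password is read from a file (-y) so it does not show up in ps output.
find_user() {
    dns=$(ldapsearch -LLL -x -H "$1" -D "$2" -y "$3" -b "$4" \
              "$(user_filter "$5" "$6")" dn | sed -n 's/^dn: //p')
    printf '%s\n' "$dns"
    [ -n "$dns" ]
}

# Usage against a real directory (every value below is a placeholder):
#   find_user ldap://ldap.example.com:389 "cn=smadmin,dc=example,dc=com" /etc/sm.pw \
#             "ou=people,dc=example,dc=com" jdoe "inetOrgPerson,organizationalPerson,person"
#   find_user ldap://ldap.example.com:389 "cn=smadmin,dc=example,dc=com" /etc/sm.pw \
#             "ou=people,dc=example,dc=com" jdoe "inetOrgPerson,organizationalPerson,person,MyCustomObjClass"
```

If the first call returns nothing and the second returns the user's DN, the entry is reachable only through the custom ObjectClass and the registry change in the Resolution section is the fix; if neither call returns the entry, the problem lies elsewhere (base DN, lookup attribute, or bind permissions) and the registry change will not help.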

 

Environment

Policy Server using an LDAP User Directory with a custom ObjectClass

Resolution

Windows:

  1. Open a command prompt with 'Run as Administrator' and run 'regedit';

  2. Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\Siteminder\CurrentVersion\Ds\PolicyClassFilters" (on a 64-bit Policy Server the same keys live under "HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\Siteminder\CurrentVersion\Ds\" without the Wow6432Node element);

  3. Right-click on "LDAP:" and select "Modify...";

  4. Append the name of the custom ObjectClass to the comma-separated list in the 'Value data:' field, for example "inetOrgPerson,organizationalPerson,person,MyCustomObjClass";

  5. Click 'OK';

  6. Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\Siteminder\CurrentVersion\Ds\UserClassFilters";

  7. Right-click on "LDAP:" and select 'Modify...';

  8. Append the name of the custom ObjectClass to the comma-separated list in the 'Value data:' field, exactly as in step 4;

  9. Click 'OK';

  10. Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\Siteminder\CurrentVersion\Ds\PolicyResolution";

  11. Right-click on the 'PolicyResolution' key and select 'New > DWORD (32-bit) Value';

  12. Enter the name of the custom ObjectClass as the 'Name' of the DWORD;

  13. Right-Click on the new Custom ObjectClass DWORD, and select 'Modify...';

  14. Enter "1" in the 'Value data:' field;

  15. Click 'OK';

  16. Close the Registry Editor;

  17. Restart the Policy Server to pick up the Registry changes;

Unix:

  1. Navigate to the 'CA/siteminder/registry' directory;

  2. Make a backup copy of the sm.registry file, then open it in a text editor;

  3. Append the custom ObjectClass to the comma-separated "LDAP:" value of the following keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\PolicyClassFilters
    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\UserClassFilters

    for example,  

    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\UserClassFilters=929345282

    LDAP:=                inetOrgPerson,organizationalPerson,person,MyCustomObjClass;REG_SZ

  4. Add the custom ObjectClass as a "0x1;REG_DWORD" value under the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\PolicyResolution

    for example,

    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\PolicyResolution=56099019
    container=                                     0x5;       REG_DWORD
    DN Attribute=                                  0xa;       REG_DWORD
    Group=                                         0x2;       REG_DWORD
    Group Attribute=                               0x8;       REG_DWORD
    groupOfNames=                                  0x2;       REG_DWORD
    groupOfUniqueNames=                            0x2;       REG_DWORD
    inetOrgPerson=                                 0x1;       REG_DWORD
    Org Attribute=                                 0x9;       REG_DWORD
    organization=                                  0x5;       REG_DWORD
    organizationalPerson=                          0x1;       REG_DWORD
    organizationalRole=                            0x4;       REG_DWORD
    organizationalUnit=                            0x5;       REG_DWORD
    person=                                        0x1;       REG_DWORD
    Query=                                         0x6;       REG_DWORD
    residentialPerson=                             0x1;       REG_DWORD
    User=                                          0x1;       REG_DWORD
    User Attribute=                                0x3;       REG_DWORD
    MyCustomObjClass=                              0x1;       REG_DWORD

  5. Save and close the sm.registry file;

  6. Restart the Policy Server to pick up the changes.
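The Unix steps above can be applied with a script rather than by hand, which avoids the easy mistakes (a missing "=" on the new DWORD line, or the class appended to the wrong key). The script below is an added example and is not code from this article or from CA: it appends the custom ObjectClass to the "LDAP:" value of PolicyClassFilters and UserClassFilters, adds "<class>=0x1;REG_DWORD" under PolicyResolution, skips any edit that is already present so it can be re-run safely, and keeps the original as sm.registry.bak. It assumes the sm.registry layout shown in the article (a "HKEY_LOCAL_MACHINE\...\<Key>=<n>" line opens each key and that key's values follow until the next such line); the excerpt it runs against is constructed here, with placeholder key numbers.

```shell
#!/bin/sh
# Added example (not from the CA article): apply the sm.registry edits for a
# custom ObjectClass in one pass, idempotently, keeping a .bak of the original.
set -eu

# add_custom_objectclass FILE CLASS
add_custom_objectclass() {
    cp -p "$1" "$1.bak"
    awk -v cls="$2" '
        # Called when a key ends: add the DWORD if PolicyResolution lacked it.
        function end_key() {
            if (in_res && !have_res)
                printf "%-45s 0x1;       REG_DWORD\n", cls "="
            in_res = 0; have_res = 0; in_filter = 0
        }
        /^HKEY_LOCAL_MACHINE\\/ {
            end_key()
            in_filter = (index($0, "\\Ds\\PolicyClassFilters=") > 0 ||
                         index($0, "\\Ds\\UserClassFilters=") > 0)
            in_res = (index($0, "\\Ds\\PolicyResolution=") > 0)
            print; next
        }
        in_filter && /^LDAP:=/ {
            # The value is the text between "LDAP:=" and the ";REG_SZ" suffix.
            val = $0
            sub(/^LDAP:=[ \t]*/, "", val)
            sub(/;.*$/, "", val)
            found = 0
            n = split(val, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] == cls) found = 1
            }
            if (!found)
                sub(/;/, (val == "" ? cls : "," cls) ";")
            print; next
        }
        in_res && index($0, cls "=") == 1 { have_res = 1 }
        { print }
        END { end_key() }
    ' "$1.bak" > "$1"
}

# count_matches FILE REGEX -> number of matching lines (0 is not an error here)
count_matches() {
    grep -c -- "$2" "$1" || true
}

# sample_registry FILE: writes a constructed excerpt of sm.registry (made up for
# this example; key numbers are placeholders) so the script can be dry-run.
sample_registry() {
    cat > "$1" <<'EOF'
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\PolicyClassFilters=929345281
LDAP:=                inetOrgPerson,organizationalPerson,person;REG_SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\UserClassFilters=929345282
LDAP:=                inetOrgPerson,organizationalPerson,person;REG_SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\PolicyResolution=56099019
inetOrgPerson=                                 0x1;       REG_DWORD
person=                                        0x1;       REG_DWORD
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\Other=1
foo=                                           0x1;       REG_DWORD
EOF
}

# Dry run on the constructed excerpt. On a real system point it at
# <install>/registry/sm.registry and restart the Policy Server afterwards.
reg=$(mktemp)
sample_registry "$reg"
add_custom_objectclass "$reg" MyCustomObjClass
cat "$reg"
rm -f "$reg" "$reg.bak"
```

The dry run prints the excerpt with "MyCustomObjClass" appended to both "LDAP:" lines and a new "MyCustomObjClass=" DWORD line placed before the next key header; running it a second time leaves the file unchanged. Diff sm.registry against sm.registry.bak before restarting the Policy Server so that exactly three lines differ.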