Symantec Access Management

  • 1.  Explaining SiteMinder/LDAP communication

    Posted Mar 01, 2013 05:38 PM
I'm starting this thread to understand the communication between Policy Server and the LDAP user store in depth. Please share your experiences in this regard.

A few questions to start with:

I understand each of my policy servers has 3 connections (persistent?) to each Directory Server configured: 1 for Bind, 1 for Search, 1 for Ping.
Are these 3 connections opened to each of the Directory Servers configured in the User Directory object? Assuming we have 3 servers providing the round-robin feature.
Are the connections only opened for User Directory objects that are 'BOUND' to a Domain/Policy? Or are the connections opened for each User Directory object created in the WAM UI?
Is there a concept of idle timeout for 'Bind'/any connections? Where is it controlled?
What happens when there is excessive load and multiple backend operations are required? How/where do we control the number of connections between the 2?
I have read about adding the same LDAP host name again to increase the connections, haven't tried it yet though.


  • 2.  RE: Explaining SiteMinder/LDAP communication

    Broadcom Employee
    Posted Mar 04, 2013 03:29 PM
I understand each of my policy servers has 3 connections (persistent?) to each Directory Server configured: 1 for Bind, 1 for Search, 1 for Ping.

YES, persistent


Are these 3 connections opened to each of the Directory Servers configured in the User Directory object?

YES, assuming you have 3 servers listed for the User Directory Object in round-robin = 9 connections

Are the connections only opened for User Directory objects that are 'BOUND' to a Domain/Policy? Or are the connections opened for each User Directory object created in the WAM UI?

First - connections are opened to the LDAP user store when a request is made for login ()

Second - User Directory connections are bound to the User Directory Object name, not Domain/Policy – if the same user directory object (3 servers) is used in all domains there will be 9 connections


Is there a concept of idle timeout for 'Bind'/any connections? Where is it controlled?

No, the policy server does not close the connection to the User Store unless one of the following occurs:


An LDAP request returns with a network error. The connections are then re-initialized.

The ping thread detects that an LDAP server in the same fail-over group located before the current server is now available. For example, if a user and a search connection to S2 were created and at some point S1 becomes available, then the connections will be re-initialized to S1.

The ping thread detects that the server is unavailable. The connections are then re-initialized.


    What happens when there is excessive load and multiple backend operations are required? How/where do we control the number of connections between the 2?

With HIGH load it may be necessary to add more servers to open the pipeline to the user store.

I have read about adding the same LDAP host name again to increase the connections, haven't tried it yet though.

YES, this will increase the pipeline to the user store; however, giving the same hostname can be problematic: if an error occurs on one of the connections the Policy Server will mark all connections to that server with the same name BAD. A better approach, if the goal is to increase the pipeline, is to configure different names mapped to the same IP address of the user store

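The connection life cycle described in this reply, as an added model in Python (not SiteMinder code; class and method names, and the lazy-open/BAD-marking details, are assumptions made to illustrate the answer). It shows why listing one hostname twice gives no resilience while two names for the same IP do, and how the ping thread fails back to an earlier server.

```python
from dataclasses import dataclass, field
ROLES = ("bind", "search", "ping")  # three persistent connections per server

@dataclass
class DirectoryServer:
    name: str        # hostname exactly as entered in the User Directory object
    ip: str
    up: bool = True  # whether the server currently answers the ping thread

@dataclass
class UserDirectoryPool:
    """Connections of one User Directory object; servers are in fail-over order."""
    servers: list
    bad_names: set = field(default_factory=set)  # hostnames marked BAD by an error
    current: DirectoryServer = None

    def open_connections(self):
        """Opened lazily on the first login request, to the first usable server."""
        for s in self.servers:
            if s.up and s.name not in self.bad_names:
                self.current = s
                return [(s.name, role) for role in ROLES]
        self.current = None
        return []

    def network_error(self, conn):
        """An LDAP request hit a network error: every connection sharing that
        hostname is marked BAD and the pool is re-initialized."""
        self.bad_names.add(conn[0])
        return self.open_connections()

    def ping_cycle(self):
        """Ping thread: clear BAD marks for servers that answer again, then fail
        back to the earliest available server, or fail over if the current is down."""
        self.bad_names -= {s.name for s in self.servers if s.up}
        return self.open_connections()

def same_hostname_twice():
    """Caveat from the reply: listing one hostname twice buys no resilience,
    because one bad connection marks both entries BAD."""
    pool = UserDirectoryPool([DirectoryServer("ldap.example", "10.0.0.5"),
                              DirectoryServer("ldap.example", "10.0.0.5")])
    return pool.network_error(pool.open_connections()[0])  # nothing left to use

def distinct_names_same_ip():
    """Recommended approach: two names for one IP survive a single bad connection."""
    pool = UserDirectoryPool([DirectoryServer("ldap-a.example", "10.0.0.5"),
                              DirectoryServer("ldap-b.example", "10.0.0.5")])
    return pool.network_error(pool.open_connections()[0])
```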

  • 3.  RE: Explaining SiteMinder/LDAP communication

    Posted Mar 19, 2013 09:51 AM
    Hi Stephen,

What would be the behaviour if the user store does not support re-bind, like AD?

    Thanks
    Rahul.


  • 4.  RE: Explaining SiteMinder/LDAP communication

    Posted Jun 24, 2013 05:27 PM
I would like to revive this thread as I am also curious about smuser22's questions about no support for re-bind (like Active Directory).

    Thanks,


  • 5.  RE: Explaining SiteMinder/LDAP communication

    Posted Jun 25, 2013 09:07 AM

    smuser22 wrote:

    Hi Stephen,

What would be the behaviour if the user store does not support re-bind, like AD?

    Thanks
    Rahul.
It would depend on whether SiteMinder understands the directory.

For AD it makes calls differently because it can ID the directory as AD.

I'm not positive beyond that. Steve M probably knows more than anyone on this, save Darren Spach.... You would be best to find a way to get one of them to answer the question.


  • 6.  RE: Explaining SiteMinder/LDAP communication

    Broadcom Employee
    Posted Jun 26, 2013 02:47 PM
What would be the behavior if the user store does not support re-bind, like AD:
The Policy Server understands it is communicating with AD and will re-initialize accordingly, not using the re-bind call


The Policy Server does treat directories differently -


The Policy Server recognizes a number of LDAP directories. Although the LDAP protocol is a standard for talking to all LDAP directories, in some cases directory-specific handling is required.

    Example:

iPlanet directory: the Policy Server will search for the ‘version’ attribute in the ‘cn=monitor’ root.

Oracle Internet Directory: search for ‘cn=subschemasubentry’.

Active Directory: search for ‘objectclass=domainDNS’ under the directory root.

In all cases we use the Mozilla SDK version 6.0.7 (NSLDAP), unless in a pure Windows environment using the AD Provider, in which case the MS LDAP libraries are used

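The three directory-identification probes listed in this reply, encoded as data and run through a pluggable search callable, as an added example (not SiteMinder's code). The search scopes per probe, the probe order, the fallback label and the sample directories are assumptions; a real deployment would pass a callable backed by an LDAP client instead of the constructed fake_directory.

```python
BASE, SUBTREE = "base", "subtree"  # LDAP search scopes (assumed for each probe)

# (directory type, search base, scope, filter, attribute that must be returned)
PROBES = [
    ("iPlanet", "cn=monitor", BASE, "(objectClass=*)", "version"),
    ("Oracle Internet Directory", "cn=subschemasubentry", BASE, "(objectClass=*)", None),
    ("Active Directory", "", SUBTREE, "(objectClass=domainDNS)", None),
]

def detect_directory(search):
    """search(base, scope, ldap_filter, attrs) -> list of (dn, attrs) entries;
    it raises LookupError when the base DN does not exist on the server.
    Returns the first directory type whose probe succeeds, else 'generic LDAP'."""
    for kind, base, scope, flt, must_have in PROBES:
        try:
            entries = search(base, scope, flt, [must_have or "objectClass"])
        except LookupError:  # noSuchObject: this server has no such base
            continue
        if entries and (must_have is None or any(must_have in a for _, a in entries)):
            return kind
    return "generic LDAP"

def fake_directory(entries):
    """Constructed stand-in for a server: entries is {dn: {attr: [values]}}.
    Only understands filters of the form (objectClass=X)."""
    def search(base, scope, flt, attrs):
        want = flt[len("(objectClass="):-1].lower()
        if base and base.lower() not in (d.lower() for d in entries):
            raise LookupError(base)
        out = []
        for dn, attr in entries.items():
            in_scope = dn.lower() == base.lower() or (
                scope == SUBTREE and dn.lower().endswith(base.lower()))
            ocs = [v.lower() for v in attr.get("objectClass", [])]
            if in_scope and (want == "*" or want in ocs):
                out.append((dn, {a: attr[a] for a in attrs if a in attr}))
        return out
    return search

# Constructed sample directories, one per type the reply lists plus a plain one.
ACTIVE_DIRECTORY = {"dc=corp,dc=example": {"objectClass": ["top", "domain", "domainDNS"]}}
IPLANET = {"cn=monitor": {"objectClass": ["top", "extensibleObject"],
                          "version": ["Sun-Java(tm)-System-Directory/6.3"]}}
OID = {"cn=subschemasubentry": {"objectClass": ["top", "subschema"]}}
GENERIC = {"dc=example": {"objectClass": ["top", "domain"]}}
```

Whichever probe succeeds first is the one the service account must be allowed to read, so the ACL on cn=monitor or on the schema subentry needs to permit the Policy Server's bind identity.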

  • 7.  RE: Explaining SiteMinder/LDAP communication

    Posted Mar 15, 2013 03:28 PM
    Hi Sam,

    Did Stephen's responses help answer your questions? If so please mark his post as Accepted Solution.

    Thanks!
    Chris