Layer7 Access Management

Expand all | Collapse all

Configure CA Directory user store for CA SSO

Jump to Best Answer
  • 1.  Configure CA Directory user store for CA SSO

    Posted 05-31-2017 12:18 PM

    I configured CA Directory as user store for CA SSO.

    1. Configure CA Directory User Directory Connection

    2. I try to put the below piece in my ustore.dxi file at C:\Program Files\CA\Directory\dxserver\config\servers. After inserting these lines dxserver fails to start ustore

    #SiteMinder set mimic-netscape-for-siteminder = true; set concurrent-bind-user = DN; set hold-ldap-connections = true;

     

    If I remove these lines it starts fine. Same is the case for cache lines that I add. I removed them as well.

    # cache configuration set max-cache-size = 100; set cache-index = commonName, surname, objectClass; set cache-attrs = all-attributes; set cache-load-all = true; set lookup-cache = true;

    Are the above lines important for user store configuration. Where can I access the user store in UI? I am expecting it to allow me to search users under Administration->Users-> Manage User Accounts. Is that correct?

     

    Currently, I do not see anything there.



  • 2.  Re: Configure CA Directory user store for CA SSO

    Posted 05-31-2017 01:04 PM

    Remove the following.  Typically you want to cache all attribute.

    set max-cache-size = 100;

    set cache-index = commonName, surname, objectClass;

    set cache-load-all = true;

     

    Keep these:

    set cache-attrs = all-attributes

    set lookup-cache = true;

     

     

    Make sure your username is a full DN like shown in the example screenshot below.  Of course the user needs to exist in the directory.

    View content should work if entries do exist in the directory.



  • 3.  Re: Configure CA Directory user store for CA SSO

    Posted 05-31-2017 01:35 PM

    These attributes are already present in the dxi file

    set cache-attrs = all-attributes

    set lookup-cache = true;

     

    I tries the full name of the user present in the CA Directory -

     

     

    It says 

    My dsa does not start after placing below in the file. Are the below settings mandatory to enter?

    #SiteMinder set mimic-netscape-for-siteminder = true; set concurrent-bind-user = DN; set hold-ldap-connections = true;

    Administrator user is the box administrator or CA directory Admin? 



  • 4.  Re: Configure CA Directory user store for CA SSO

    Posted 05-31-2017 02:02 PM

    Some of those settings are useful for tuning but ignore them in the file for now.

    Connect to the user store using anonymous bind by removing the check mark for Require Credentials.

     

    Click Apply

    The go back and view contents to validate if you are getting any returned results. 

    Note!  When clicking the view contents the Siteminder Admin UI will only return OUs and groups.  So be sure to create a group or organizationalUnit below your search root.



  • 5.  Re: Configure CA Directory user store for CA SSO
    Best Answer

    Posted 05-31-2017 08:25 PM

    Unfortunately, I see multiple issues here..

     

    Let's go one by one

     

    1. Here, the Username is NOT machine Administrator, it is one of the user present in CA Directory.

    So for e.g you need to create user cn=admin under cn=ustore_user,o=ustore,c=IN

    and provide full DN of that user cn=admin,cn=ustore_user,o=ustore,c=IN as UserName. For CA directory, the password is stored in userPassword field so you will need to set a password for that user in CA Directory and provide the same value in the Password field below as well.

     

     

    2. LDAP User DN lookup is NOT correct.

    for. e.g if the user provides username as "user1" then it will effectively try to lookup user : cn=ustore_user, o=ustore,c=INuser1. This is an INVALID DN.

     

    For CA directory using the uid field for lookup is usually preferred.

    So your LDAP User DN Lookup should look like this ;

     

    If you choose to look up on uid, be sure to specify the uid for all the users in your user store.

     

    3. You said " I try to put the below piece in my ustore.dxi file at C:\Program Files\CA\Directory\dxserver\config\servers. After inserting these lines dxserver fails to start ustore"

    #SiteMinder set mimic-netscape-for-siteminder = true; set concurrent-bind-user = DN; set hold-ldap-connections = true;

     

    Ujwol => This is not mandatory. I have never done this myself. This is just some advanced tuning, For now , I would suggest to skip this step and get the basic things working first.

    Also if I look at the content there, it should be something like this : (notice multiple line, and also the set concurrent-bind-user has to be actual existing DN ..something like  "cn=admin,cn=ustore_user,o=ustore,c=IN"

     

    set mimic-netscape-for-siteminder=true;
    set concurrent-bind-user=<dc com><dc ABCD><ou admins><username smadmin>;
    set ignore-name-bindings=true;
    set hold-ldap-connections=true;

     

    4. You said -" Where can I access the user store in UI? "

    Ujwol => You can search for users by clicking "View Contents" in the user directory screen.

     

    You can then further lookup specific user by providing search filter :

     

    5. You said "I am expecting it to allow me to search users under Administration->Users-> Manage User Accounts. Is that correct?"

    Ujwol => Yes, you can search users here as well. But normally you come to this screen only if you want to manager users, for e.g if you want to change user password or force them to change password etc.

    However , note that unless the user directory is associated with at least one Domain/Application you can't manage those users here.

     

    Hope this helps.

     

    Regards,

    Ujwol Shrestha