Blog Viewer

Tech Tip - CA Single Sign-On: SiteMinder SDK failing to search user post r12.52SP1 upgrade

By Ujwol posted 01-21-2016 12:47 AM


Posted by Ujwol Shrestha - Principal Support Engineer in CA Security on Jan 21, 2016



Customer was using SiteMinder SDK to perform user search in the directory using SmDmsSearch API.

It was working and able to fetch the user in r12.51 Policy server but after upgrade to r12.52SP1 it failed to work.

However, from the Admin UI , they were still able to search the user even in r12.52SP1.

The search root they were setting in the API call was : "dc=dn1";

The search root in their user directory definition in Admin UI was : "dc=dn2,dn1"


Their SDK code was as below (algorithm only):


String SEARCH_ROOT = "dc=dn1";

SmDmsDirectoryContext dirContext = SiteminderUtils.getDirectoryContext()

Directory dmsDirectory = dirContext.getDmsDirectory();

SmDmsOrganization orgRoot = dmsDirectory.newOrganization(SEARCH_ROOT);

SmApiResult result = new SmApiResult();


String filter = "uid=testuser";

SmDmsSearch search = new SmDmsSearch(filter, SEARCH_ROOT);


result =, 10);

Vector results = search.getResults();




Policy Server : r12.52 SP1 CR2



Starting with r12.52SP1, for security reasons, SiteMinder now limits the user directory search root via API call to the search root specified in the User Directory definition in Admin UI.


For e.g

If the User Directory definition in Admin UI has search root : dc=dn2,dc=dn1

Then, using the Siteminder SDK API , the topmost level you can specify as the search root is dc=dn2,dc=dn1.

In the earlier SiteMinder release, it used to allow even searching to a level even higher (for e.g. dc=dn1) which could have security concerns.

In other words, it is now requirement that the, search root specified in the User Directory definition is contained (<=) within the search root specified in the API call.

If no search root is specified in the API call, it will default to the search root from the User Directory definition.


So the resolution for the customer was to modify the search root in the API call to "dc=dn2,dc=dn1" instead of "dc=dn1".