We'd like to know if the Policy Server can understand and map the return codes from LDAP AD-LDS into SiteMinder smauthreason codes?
Indeed, the Policy Server is capable of that out of the box.
But you have to pay attention to an existing issue on this topic. Before CR06, the Policy Server had a defect in mapping the return codes from AD into the correct smauthreason; among other effects, this allowed a disabled user to log in.
As such, we recommend that you first upgrade the Policy Server, Policy Store and AdminUI to the latest 12.52 SP1 CR09 version:
Defects Fixed in 12.52 SP1 CR09
00919679 / DE335297: Policy Server incorrectly recognizes AD LDS user store as AD user store.
00882334 / DE326287: Policy Server fails to log in users with AD LDS as the user directory.
Defects Fixed in 12.52 SP1 CR08
00366537 / DE172890: After unlocking a user account, Policy Server fails to allow the user to log in to the application on the first attempt.
Defects Fixed in 12.52 SP1 CR05
The Authreason codes from Policy Server are not the same as the AD response, irrespective of the status of isADEnhanced.
Defects Fixed in 12.52 SP1 CR04
Policy Server Logs in a Locked Out User: Policy Server allows the login of a locked-out user when Enhanced AD integration is enabled.
STAR Issue: 00177871
RTC Issue: 163151/DE106953
Issue with Password Attributes: User experiences issues with the "Password expires from inactivity" and "Password expires if not changed: After Days" settings.
STAR Issue: 00100029
RTC Issue: 157066/DE76528
Defects Fixed in 12.52 SP1 CR02
SiteMinder Returns Incorrect Smauthreason Code (139126) / (158072)
Symptom: CA Single Sign-On returns smauthreason code 0 when illegal characters are found in the username.
This issue has been fixed. CA Single Sign-On now returns smauthreason code 55 when illegal characters are found in the username.
Moreover, AD LDS should return the same codes as AD, since AD LDS is based on the same technology as AD:
Active Directory Lightweight Directory Services
Uses the same directory service technology as AD DS. There is a common framework for both the network operating system (NOS) services of AD DS and the application services of AD LDS, which increases reusability of design and code.
Finally, you'll find further documentation here about the return codes from AD and their mapping to the smauthreason codes:
Policy Server :: Disable Flag : SmAuthReason
KB : KB000122168
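To illustrate the mapping question this KB answers, here is an added example (not Policy Server code and not from this KB) of a fail-closed mapper for AD / AD LDS bind failures. AD and AD LDS report most authentication failures as LDAP resultCode 49 (invalidCredentials) with a diagnostic message containing a "data NNN" sub-code that distinguishes disabled, locked, expired and wrong-password cases; those sub-codes are Microsoft-documented. The only numeric smauthreason values used are the two the KB states (0 for no reason, 55 for illegal characters in the username); every other condition is returned as a symbolic name because the KB does not give its numeric code. The username character rule, the function names and the sample diagnostics are assumptions constructed for this example.

```python
import re

# Microsoft-documented AD / AD LDS "data" sub-codes found in the diagnostic
# message of an LDAP resultCode 49 (invalidCredentials) bind response.
AD_DATA_CODES = {
    "525": "USER_NOT_FOUND",
    "52e": "INVALID_CREDENTIALS",
    "530": "LOGON_TIME_RESTRICTED",
    "531": "WORKSTATION_RESTRICTED",
    "532": "PASSWORD_EXPIRED",
    "533": "ACCOUNT_DISABLED",
    "701": "ACCOUNT_EXPIRED",
    "773": "PASSWORD_MUST_CHANGE",
    "775": "ACCOUNT_LOCKED",
}

# Numeric smauthreason values taken from the KB above; nothing else is assumed.
SMAUTHREASON_NONE = 0            # no reason (successful login)
SMAUTHREASON_ILLEGAL_CHARS = 55  # illegal characters found in username

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49

# Assumed username character policy for this example (not a SiteMinder rule).
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]+$")
DATA_CODE_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def classify_bind_failure(diagnostic):
    """Extract the AD 'data' sub-code from a bind diagnostic and name it.
    Anything unrecognised is reported as UNKNOWN, never as a success."""
    m = DATA_CODE_RE.search(diagnostic or "")
    if not m:
        return "UNKNOWN"
    return AD_DATA_CODES.get(m.group(1).lower(), "UNKNOWN")


def evaluate_login(username, bind_result_code, diagnostic=""):
    """Return (allowed, reason_name, smauthreason).

    smauthreason is an int only where the KB gives the value; for every
    other failure it is None and the caller must still deny access.
    The decision is fail-closed: a disabled or locked account, an unknown
    sub-code or an unexpected LDAP result code all deny, which is exactly
    the behaviour the pre-CR06 defects in the KB lacked.
    """
    if not USERNAME_RE.match(username):
        return (False, "ILLEGAL_CHARS_IN_USERNAME", SMAUTHREASON_ILLEGAL_CHARS)
    if bind_result_code == LDAP_SUCCESS:
        return (True, "SUCCESS", SMAUTHREASON_NONE)
    if bind_result_code == LDAP_INVALID_CREDENTIALS:
        return (False, classify_bind_failure(diagnostic), None)
    # Any other LDAP error (server down, insufficient access, ...) is denied.
    return (False, "LDAP_ERROR_%d" % bind_result_code, None)


# Constructed sample bind responses (AD-style diagnostics, DSIDs invented).
SAMPLE_BINDS = [
    ("jdoe", 0, ""),
    ("jdoe", 49, "80090308: LdapErr: DSID-0C0903A9, comment: "
                 "AcceptSecurityContext error, data 533, v1db1"),
    ("jdoe", 49, "80090308: LdapErr: DSID-0C0903A9, comment: "
                 "AcceptSecurityContext error, data 775, v1db1"),
    ("j*doe", 0, ""),
    ("jdoe", 49, "unexpected server text"),
]


def run_samples():
    """Evaluate every constructed sample and return the decisions."""
    return [evaluate_login(u, rc, diag) for (u, rc, diag) in SAMPLE_BINDS]


if __name__ == "__main__":
    for sample, decision in zip(SAMPLE_BINDS, run_samples()):
        print(sample[0], sample[1], "->", decision)
```

A practitioner verifying an upgraded Policy Server can apply the same idea in reverse: bind test accounts in each state (disabled, locked, expired) against the AD LDS instance, confirm the "data" sub-code in the diagnostic, and then check that the smauthreason the Policy Server logs for that user is a deny reason rather than 0.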