Symantec Access Management


RODC user store for CA SiteMinder Policy server

  • 1.  RODC user store for CA SiteMinder Policy server

    Posted 06-21-2018 02:54 PM

    Could a read-only Microsoft AD work as the user store for the CA SiteMinder Single Sign-On Policy Server?

     

    We are trying to configure an AD server which is read-only (not writable) as the user store for SiteMinder Policy Servers, but it's not working. Has anyone tried that?

     

    Our Policy Server version is R12.52Sp1Cr06.

     

    Regards,

    Vikash



  • 2.  Re: RODC user store for CA SiteMinder Policy server

    Posted 06-22-2018 06:39 AM

    Hi Vikash,

     

    I think we would need write permissions for the admin user, since we update a couple of attributes in AD during authentication.

    For example: passwordblob, lastlogintime, etc.

     

    Thanks,
    Sharan



  • 3.  Re: RODC user store for CA SiteMinder Policy server

    Posted 06-22-2018 06:52 AM

    Hi Vikash,

     

    Refer to: Directory Attributes Overview - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation

     

    Some features require read or write access to seven CA Single Sign-On attributes. The attribute values are in the user directories that are connected to the Policy Server. You map the directory user attributes to CA Single Sign-On attributes in the User Attributes section. You can also use attribute mapping to define your own common names. You can map each name to user attribute names in multiple user directories.

    Each CA Single Sign-On attribute is associated with a data type and one or more directory types that are described in the following table. (R) indicates that the attribute requires read access. (RW) indicates that the attribute requires read/write access.

     

    Attribute Name (access) - Data Type - Directory Types
      Description

    Universal ID (R) - string - LDAP, Database, WinNT
      Specifies the universal ID or user identifier that CA Single Sign-On passes to protected applications to maintain a user's identity. This feature is a bridge between CA Single Sign-On and legacy applications, which often use attributes to identify a user. The universal ID is also used in configuring Directory mapping.

    Disabled Flag (RW) - string - LDAP, Database
      Specifies the user's account status.

    Password Attribute (RW) - binary - LDAP, Database
      Specifies the user's password.

    Password Data (RW) - binary - LDAP, Database
      Is used to track password policy information.

    Anonymous ID (RW) - string - LDAP, Database
      Stores the DN of users who are authenticated using an anonymous authentication scheme.

    Email (R) - string - LDAP, Database
      This attribute is not currently used by a CA Single Sign-On feature.

    Challenge/Response (RW) - string - LDAP
      Specifies the question and answer pair that is used by the Forgotten Password feature in Password Services and DMS. The Challenge string is the password hint that is passed to the user.

    Note: You can specify the administrator credentials that the Policy Server uses to access the directory. These credentials have the same read and write access as the corresponding user attributes in the table.

    Regards,

    Leo Joseph.



  • 4.  Re: RODC user store for CA SiteMinder Policy server

    Posted 06-22-2018 10:00 AM

    Vikash,

     

    Theoretically, if we are not using any Password Services functionality, then a read-only AD should work. But this is something CA would not have tested. Hence, though we may be using an AD which passes the Support Matrix compatibility check, if we run into issues CA would have the right to point out this factor of a read-only AD (not tested / not supported).

     

    A read-only AD may suffice in the scenario where we are not using CA SSO Password Policy and we are not utilizing the inbuilt AD Password Services (and/or AD Enhanced Password Services). But again, there may be scope creep. What do I mean by that? 'What if AD has set an account as "must change password" and the user logs in?' So if I look at it from an overall perspective, you may end up needing some level of RW access.

     

    But whatever you opt to choose, test it comprehensively to avoid pitfalls.



  • 5.  Re: RODC user store for CA SiteMinder Policy server

    Posted 06-22-2018 11:43 AM

    Thank you All !!

     

    I guess the conclusion is that we need to have an RW AD to configure it as the user store. I will work with my AD admins to promote the server to RW and then try again.

     

    Thanks again!

    Vikash



  • 6.  Re: RODC user store for CA SiteMinder Policy server

    Posted 07-23-2018 04:10 PM

    Hi All,

     

    We did promote our AD servers to RW, but SiteMinder is still not able to make a connection to the AD server and it's not working.

     

    We checked the certificate in the cert8 DB and created host entries in /etc/hosts, but nothing worked.

     

    Any suggestions?

     

    Regards,

    Vikash



  • 7.  Re: RODC user store for CA SiteMinder Policy server

    Broadcom Employee
    Posted 07-23-2018 04:35 PM

    Vikash,

     

    1. Is there any firewall between the Policy Server and the AD server? Are you able to ping/telnet?

    2. If SSL is an issue, did you try to connect using the non-SSL port from the AdminUI?

    3. Did you try to make a connection from any LDAP browser (e.g. jXplorer, Softerra)?

     

    Regards

    Ashok
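
The checks Ashok lists (TCP reachability, SSL versus plain port, a bind from an independent LDAP client) and the earlier question of whether the bind account really has write access to the RW-mapped attributes can be exercised with one small probe. The following is an added example, not code from the original thread or from CA/Broadcom: it hand-encodes an LDAPv3 simple BindRequest and a ModifyRequest in BER using only the Python standard library, decodes the LDAPResult that comes back, and so separates a network-layer failure (connect exception), a TLS failure (wrap_socket exception; note this uses the system trust store, not the Policy Server's cert8.db), 49 invalidCredentials, 50 insufficientAccessRights, and 10 referral, which is what an RODC answers a write with. Host names, DNs, the `smadmin` account, the password and the `description` attribute are placeholders; replace the write-check value with the attribute's current value so the modify is a no-op.

```python
"""Added example: minimal LDAP bind/modify probe for a SiteMinder user-store connection.
Placeholder hosts, DNs and passwords; standard library only."""
import socket
import ssl

# LDAPResult codes (RFC 4511) that matter when a user-store connection fails
RESULT_CODES = {0: "success", 10: "referral", 32: "noSuchObject",
                49: "invalidCredentials", 50: "insufficientAccessRights",
                53: "unwillingToPerform"}

# BER universal tags and the LDAP application-class protocol-op tags used here
INTEGER, OCTET_STRING, ENUMERATED, SEQUENCE, SET = 0x02, 0x04, 0x0A, 0x30, 0x31
BIND_REQUEST, BIND_RESPONSE, MODIFY_REQUEST, MODIFY_RESPONSE = 0x60, 0x61, 0x66, 0x67
SIMPLE_AUTH, REFERRAL = 0x80, 0xA3  # context-specific [0] primitive, [3] constructed


def ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(body)) + body


def ldap_message(msg_id, op):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp } (msg_id < 128)."""
    return ldap_seq(tlv(INTEGER, bytes([msg_id])) + op)


def ldap_seq(body):
    return tlv(SEQUENCE, body)


def bind_request(msg_id, bind_dn, password):
    """BindRequest: version 3, simple authentication with the admin DN and password."""
    body = (tlv(INTEGER, b"\x03") + tlv(OCTET_STRING, bind_dn.encode())
            + tlv(SIMPLE_AUTH, password.encode()))
    return ldap_message(msg_id, tlv(BIND_REQUEST, body))


def modify_replace_request(msg_id, dn, attr, value):
    """ModifyRequest replacing `attr` on `dn` with `value` (replace = operation 2).
    Replacing an attribute with its current value proves write access harmlessly."""
    partial_attr = ldap_seq(tlv(OCTET_STRING, attr.encode())
                            + tlv(SET, tlv(OCTET_STRING, value.encode())))
    change = ldap_seq(tlv(ENUMERATED, b"\x02") + partial_attr)
    body = tlv(OCTET_STRING, dn.encode()) + ldap_seq(change)
    return ldap_message(msg_id, tlv(MODIFY_REQUEST, body))


def read_tlv(buf, pos):
    """Decode one element at `pos`; returns (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_ldap_result(data):
    """Decode an LDAPMessage carrying a BindResponse or ModifyResponse into a dict.
    LDAPResult ::= SEQUENCE { resultCode, matchedDN, diagnosticMessage, referral [3] OPTIONAL }"""
    tag, msg, _ = read_tlv(data, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = read_tlv(msg, 0)
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag not in (BIND_RESPONSE, MODIFY_RESPONSE):
        raise ValueError("unexpected protocolOp tag 0x%02x" % op_tag)
    _, code, pos = read_tlv(op, 0)
    _, matched_dn, pos = read_tlv(op, pos)
    _, diag, pos = read_tlv(op, pos)
    referrals = []
    if pos < len(op):
        ref_tag, refs, _ = read_tlv(op, pos)
        if ref_tag == REFERRAL:
            q = 0
            while q < len(refs):
                _, uri, q = read_tlv(refs, q)
                referrals.append(uri.decode("utf-8", "replace"))
    rc = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(msg_id, "big"),
            "op": "bind" if op_tag == BIND_RESPONSE else "modify",
            "result_code": rc, "result": RESULT_CODES.get(rc, "other(%d)" % rc),
            "matched_dn": matched_dn.decode("utf-8", "replace"),
            "diagnostic": diag.decode("utf-8", "replace"), "referrals": referrals}


def probe(host, port, bind_dn, password, use_tls, timeout=5, write_check=None):
    """Connect, bind, optionally attempt a same-value replace; return decoded results.
    An exception from create_connection means network/firewall; from wrap_socket, TLS trust.
    Assumes each response fits in one recv (true for bind/modify results)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:  # system trust store, not the Policy Server's cert8.db
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    results = []
    try:
        sock.sendall(bind_request(1, bind_dn, password))
        results.append(parse_ldap_result(sock.recv(65536)))
        if write_check and results[0]["result_code"] == 0:
            sock.sendall(modify_replace_request(2, *write_check))
            results.append(parse_ldap_result(sock.recv(65536)))
    finally:
        sock.close()
    return results


if __name__ == "__main__":  # placeholder values: hypothetical DC, admin DN and test user
    for r in probe("dc01.example.com", 636, "CN=smadmin,CN=Users,DC=example,DC=com",
                   "changeme", True,
                   write_check=("CN=testuser,CN=Users,DC=example,DC=com", "description", "x")):
        print(r)
```

Run it once against port 389 with `use_tls=False` and once against 636: if 389 binds but 636 raises in `wrap_socket`, the problem is certificate trust, which on the Policy Server side lives in cert8.db rather than the OS store. A `modify` result of `referral` pointing at another DC means the write landed on an RODC; `insufficientAccessRights` means the account is bound to a writable DC but lacks the permission SiteMinder needs on that attribute.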