Question:
We're setting the Policy Server registry to connect to the LDAP Policy
Store with a plain text password, and the Policy Server can still
connect to the LDAP Policy Store.
We'd like to know if this is as expected and the underlying reason for
that behavior.
In the Policy Server registry, we've modified the following
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore=281504719
AdminDN= cn=Directory Manager; REG_SZ
AdminPW= {RC2}88/212fUIqNTlL0iZDPAJ4WgRuR8+juL; REG_SZ
to
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore=281504719
AdminDN= cn=Directory Manager; REG_SZ
AdminPW= password; REG_SZ
and we can start the Policy Server, as it still connects successfully to
the LDAP Policy Store.
smps.log
[1539/140436049700672][Wed Oct 03 2018 16:22:57][SmObjProvider.cpp:243][INFO][sm-Server-02830] Initializing policy store provider 'LDAP:'
[1539/140436049700672][Wed Oct 03 2018 16:22:57][SmObjProvider.cpp:282][INFO][sm-Server-02840] Loading of policy store provider extension DLL: 'smobjldapims' succeeded.
[1539/140436049700672][Wed Oct 03 2018 16:22:57][SmLdapPs.cpp:253][INFO][sm-Ldap-02140] SSL client init will not be attempted - no certificate database defined
[1539/140436049700672][Wed Oct 03 2018 16:22:58][smldaputils.cpp:523][INFO][sm-Ldap-00540] Opening policy store connection to LDAP server: ' 127.0.0.1:389 '
[1539/140436049700672][Wed Oct 03 2018 16:22:58][SmLdapBulkSearch.cpp:174][CreateRoot][INFO][sm-xpsxps-01160] LDAP Provider Info String =
Sun-Directory-Server/11.1.1.7.171017 B2017.1007.1406
[1539/140436049700672][Wed Oct 03 2018 16:22:58][SmLdapBulkSearch.cpp:228][CreateRoot][INFO][sm-xpsxps-01120] LDAP Provider Version: supportedLDAPVersion = 2
[1539/140436049700672][Wed Oct 03 2018 16:22:58][SmLdapBulkSearch.cpp:228][CreateRoot][INFO][sm-xpsxps-01120] LDAP Provider Version: supportedLDAPVersion = 3
[1539/140436049700672][Wed Oct 03 2018 16:22:58][SmLdapBulkSearch.cpp:236][CreateRoot][INFO][sm-xpsxps-01130] LDAP Provider Vendor: vendorName = Oracle Corporation
[1539/140436049700672][Wed Oct 03 2018 16:22:58][SmLdapBulkSearch.cpp:228][CreateRoot][INFO][sm-xpsxps-01120] LDAP Provider Version: vendorVersion =
Sun-Directory-Server/11.1.1.7.171017
[1539/140436049700672][Wed Oct 03 2018 16:22:58][SmLdapBulkSearch.cpp:228][CreateRoot][INFO][sm-xpsxps-01120] LDAP Provider Version: dataversion =
020181003142123020181003142123
Answer:
Indeed, if you put the password in plain text it will still be able to
connect to the Policy Store. This is as expected. We recommend setting
it using smconsole so that it is stored encrypted. You can also use the
smldapsetup command line to set it encrypted. This facility is there to
help make the connection to the Policy Store when editing only the
sm.registry file is possible.
KB : KB000117752
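A defender-side check for the situation above, as an added example that is not part of the KB article: it parses text in the sm.registry layout shown in the question and flags an AdminPW value that lacks the {RC2} prefix, so a plain text Policy Store credential left in the registry can be caught in an audit. The key path, value names and REG_SZ layout come from the page; the sample registry contents and the encrypted-looking value are constructed placeholders.

```python
import re

# Constructed samples in the sm.registry layout shown in the KB question.
# The {RC2}... value is a placeholder, not a real encrypted credential.
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore"

ENCRYPTED_SAMPLE = KEY + r"""=281504719
AdminDN= cn=Directory Manager; REG_SZ
AdminPW= {RC2}EXAMPLE_ENCRYPTED_VALUE; REG_SZ
"""

PLAINTEXT_SAMPLE = KEY + r"""=281504719
AdminDN= cn=Directory Manager; REG_SZ
AdminPW= password; REG_SZ
"""

KEY_RE = re.compile(r"^(HKEY_[^=]+)=")                 # key line: path=number
VALUE_RE = re.compile(r"^\s*(\w+)=\s*(.*?);\s*(REG_\w+)\s*$")  # name= value; TYPE


def parse_registry(text):
    """Return {key_path: {value_name: (value, reg_type)}} for sm.registry text."""
    entries, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, value, reg_type = m.groups()
            entries[current][name] = (value, reg_type)
    return entries


def find_plaintext_passwords(text, names=("AdminPW",)):
    """Return 'key\\name' for each password value not carrying the {RC2} prefix."""
    findings = []
    for key, values in parse_registry(text).items():
        for name in names:
            if name in values and not values[name][0].startswith("{RC2}"):
                findings.append(key + "\\" + name)
    return findings


if __name__ == "__main__":
    for label, sample in (("encrypted", ENCRYPTED_SAMPLE), ("plaintext", PLAINTEXT_SAMPLE)):
        print(label, find_plaintext_passwords(sample) or "no plain text password")
```

The same check can be run over a registry export on Windows, since the value lines there use the same "name= value; REG_SZ" shape shown in the question.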