Symantec Access Management

 View Only
  • 1.  SiteMinder Advanced Password Services APS

    Posted Jun 08, 2020 10:38 AM

    I have a User Group in my LDAP Directory named 123-All-Bricks-56789 (cn=123-All-Bricks-56789,ou=groups,ou=Masters,dc=contoso,dc=corp)

    for which I set up an override in APS.cfg for Max Failures on SiteMinder Policy Server 12.8.2 (I have only one SM Policy Server in this environment, pointing to only 1 LDAP User Store).

    My override does work in the example below, where givenName is, for example, my last name:

    Max Failures=3


    //WORKS 

    Max Failures={givenName="Smith"}9

    It does not work for 123-All-Bricks-56789 group for some reason.

    I tried different ways, because I really want to set up an override for all groups that end with 56789.

    This is what I tried:

    //For all users:

    Max Failures=3

    //Then for the specific group of users cn=123-All-Bricks-56789,ou=groups,ou=Masters,dc=contoso,dc=corp


    //I tried each of the below, of course commenting out and testing one by one:

    Max Failures={CONTAINS:cn="123-All-Bricks-56789,ou=groups,ou=Masters,dc=contoso,dc=corp"}6

    Max Failures={ENDSWITH:cn="56789"}7


    Max Failures={ENDS_WITH:cn="56789"}7

    Max Failures={EndsWith:cn~"56789"}7

    Max Failures={IsInGroup"cn=123-All-Bricks-56789,ou=groups,ou=Masters,dc=contoso,dc=corp")7

    Max Failures={cn=123-All-Bricks-56789}7

    Max Failures={cn="123-All-Bricks-56789"}7

    I think the problem is with APS syntax.

    What am I missing please?

    Thank you,
    Eddie



    ------------------------------
    Systems Engineer
    ------------------------------


  • 2.  RE: SiteMinder Advanced Password Services APS

    Broadcom Employee
    Posted Jun 09, 2020 02:39 AM
    Hi Eddie,

    From which KB or documentation did you get the configuration syntax:

    Max Failures={givenName="Smith"}9

    ?

    As per the APS config file and the documentation, "Max Failures" seems to
    require a positive integer:

    APS.cfg

    ##FAILURE COUNT##

    ///////////////////////////////////////////////////////////////////////
    // The maximum consecutive password failures ("n" strikes and you're
    // out). This value can be zero, or 3-9 inclusive. The recommended
    // setting is 5. This setting is *separate* from the SMRETRY setting
    // supported on SiteMinder authentication forms. Please see the APS
    // documentation for details.
    //
    // This affects failures both on login and change password (change
    // password only if Max Failures On Change is not set).
    //
    // This setting supports overrides.
    ///////////////////////////////////////////////////////////////////////

    Max Failures=4

    Looking at the documentation, it states the limit for the values:

    Configure the Max Failures Parameter

    Max Failures

    Specifies the maximum number of consecutive failed passwords that
    can be supplied before an account is disabled.

    Default: 0

    Limits: Positive integer

    Example

    Max Failures=3

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/advanced-password-services-configuration/aps-configuration-file/run-time-password-checking/how-to-configure-a-separate-maximum-failure-counter-and-threshold-for-otp-authentication/configure-required-parameters-in-the-aps-cfg-file/configure-the-max-failures-parameter.html

    Best Regards,
    Patrick

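    As an added illustration (this is not code from the thread, from CA/Broadcom, or from APS itself), here is a small Python checker that parses the override lines Eddie posted under the only assumptions the thread supports: an override is written as `Setting={condition}value`, the condition known to work is an attribute-equality test against the user's own LDAP entry (`givenName="Smith"`), and Max Failures accepts 0 or 3-9 per the APS.cfg comment quoted above. The user entry, its attribute values and the final `memberOf` line are constructed for the example; that last line is a candidate to try in a test environment, not syntax the thread confirms APS accepts.

```python
import re

# Allowed values from the APS.cfg comment quoted above: zero, or 3-9 inclusive.
LIMITS = {"Max Failures": {0} | set(range(3, 10))}

# Attribute-equality condition as used in the working example: attr="value"
# (the thread's own examples show the quotes are optional).
COND_RE = re.compile(r'^(?P<attr>[A-Za-z][\w-]*)\s*=\s*"?(?P<val>[^"]*)"?$')

# Constructed user entry (not real data). givenName holds the surname exactly
# as in the thread. memberOf is what many directories expose on a user entry
# for group membership; whether APS can test it is an ASSUMPTION here.
USER = {
    "cn": ["Eddie Smith"],
    "givenName": ["Smith"],
    "mail": ["eddie@contoso.corp"],
    "memberOf": ["cn=123-All-Bricks-56789,ou=groups,ou=Masters,dc=contoso,dc=corp"],
}

# The lines from the original post, plus one hypothetical memberOf test (last).
THREAD_LINES = [
    'Max Failures=3',
    'Max Failures={givenName="Smith"}9',
    'Max Failures={CONTAINS:cn="123-All-Bricks-56789,ou=groups,ou=Masters,dc=contoso,dc=corp"}6',
    'Max Failures={ENDSWITH:cn="56789"}7',
    'Max Failures={IsInGroup"cn=123-All-Bricks-56789,ou=groups,ou=Masters,dc=contoso,dc=corp")7',
    'Max Failures={cn=123-All-Bricks-56789}7',
    'Max Failures={cn="123-All-Bricks-56789"}7',
    # hypothetical: user-entry attribute that actually carries the group DN
    'Max Failures={memberOf="cn=123-All-Bricks-56789,ou=groups,ou=Masters,dc=contoso,dc=corp"}7',
]


def parse_override(line):
    """Split 'Setting={condition}value' into its parts and note syntax problems."""
    problems = []
    setting, sep, rest = line.strip().partition("=")
    setting, rest = setting.strip(), rest.strip()
    if not sep:
        return {"setting": setting, "cond": None, "value": None,
                "problems": ["no '=' found"]}
    cond = None
    if rest.startswith("{"):
        close = rest.find("}")
        if close == -1:
            # e.g. the IsInGroup line, which ends with ')' instead of '}'
            problems.append("override brace '{' is never closed with '}'")
            cond, rest = rest[1:], ""
        else:
            cond, rest = rest[1:close], rest[close + 1:].strip()
    try:
        value = int(rest)
    except ValueError:
        value = None
        problems.append(f"value {rest!r} is not an integer")
    allowed = LIMITS.get(setting)
    if value is not None and allowed is not None and value not in allowed:
        problems.append(f"{setting}={value} is outside the documented range (0 or 3-9)")
    return {"setting": setting, "cond": cond, "value": value, "problems": problems}


def condition_matches(cond, user_attrs):
    """Evaluate an attr="value" condition against the user's own entry.

    Returns True/False for the attribute-equality form, or None when the
    condition uses syntax this model does not know (CONTAINS:, ENDSWITH:, ...).
    A group's cn lives on the group entry, not the user entry, so cn="<group>"
    can only match a user whose own cn happens to be that string.
    """
    if cond is None:
        return True  # unconditional line applies to every user
    m = COND_RE.match(cond)
    if not m:
        return None
    attr, wanted = m.group("attr").lower(), m.group("val")
    values = {k.lower(): v for k, v in user_attrs.items()}.get(attr, [])
    return wanted in values


def review(lines, user_attrs):
    """One report entry per config line: parse result plus match outcome."""
    report = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("//"):
            continue  # blank or comment line in APS.cfg
        parsed = parse_override(line)
        parsed["line"] = line
        parsed["matches"] = condition_matches(parsed["cond"], user_attrs)
        report.append(parsed)
    return report


if __name__ == "__main__":
    labels = {True: "MATCH", False: "no match", None: "unknown syntax"}
    for entry in review(THREAD_LINES, USER):
        print(f"{entry['line']}\n    -> value={entry['value']} {labels[entry['matches']]}"
              + "".join(f"\n    !! {p}" for p in entry["problems"]))
```

    Running it prints, per line, the parsed value, whether the attribute-equality model would match the constructed user, and any syntax problem such as the unclosed brace in the IsInGroup line. The practical point is that `cn="123-All-Bricks-56789"` compares the group's name against the user's own cn, which is why it can never match; the group DN is only reachable through an attribute of the user entry (memberOf, where the directory maintains it) or through a membership lookup, and which of those APS supports is exactly the question this thread leaves open.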

  • 3.  RE: SiteMinder Advanced Password Services APS

    Posted Jun 09, 2020 10:07 AM
    Hi Patrick,
    Thanks for your reply. There are many articles and KBs I have read. What I posted in the community is sanitized (of course I won't share real group or user names, for security reasons). So to answer your question: givenName could be anyone; it is just an example I came up with. Here is one of the articles I read where they use similar syntax: https://knowledge.broadcom.com/external/article?articleId=26079

    Max Failures is just one of many policy settings in APS.cfg (D:\Program Files\CA\siteminder\bin); really this could be any setting that accepts an override, not just Max Failures. I got an override (meaning the same policy, in this case Max Failures) to work for users based on the user's mail, givenName, or cn (LDAP User Store attributes), but I cannot get it to work for user groups. It has to work for user groups. I provided some examples of how and what I tried in my initial post. This is something that has existed since the 1990s; unfortunately I always used BPS (Basic Password Services) and not APS (Advanced Password Services).

    I hope this helps better understand.

    Maybe the issue is with my syntax?

    Is it something you can try in your test environment and let me know, please?

    Thank you,
    Eddie


    ------------------------------
    Systems Engineer
    ------------------------------



  • 4.  RE: SiteMinder Advanced Password Services APS

    Posted Sep 03, 2020 12:38 PM
    You might want to explain things further to me 🙂