Symantec Access Management

  • 1.  Reading Policy Store Data

    Posted Dec 30, 2015 01:34 PM

    We are trying to read/analyze our SiteMinder Policy store using Splunk (SIEM tool). This would allow us to produce a role-resource mapping configured in SiteMinder for our various applications. Our Policy Store Database is Active Directory Lightweight Directory Services (AD LDS). Splunk has been successfully able to read our AD LDS policy store using an AD LDS administrator account. 

     

    We do not however want to have to create administrator AD LDS accounts in our policy stores if we don't need to. Splunk simply needs to read the Policy Store and not write or make changes to it. Therefore we would rather create a read-only account for this purpose.

     

    The issue we are facing is that an AD LDS read-only account is unable to read the AD LDS Partition in which the policy store objects are found. We have tried various levels of access on the read-only account with no success.

     

    Why can't an AD LDS read-only account even see the contents of the AD LDS partition for our SiteMinder Policy Store? Has CA done anything to make this partition only viewable by Administrator accounts with full policy store privileges? Is there any way we can configure a read-only account to view the contents of the policy store AD LDS partition?

     

    --------------------------------

    Policy Store Database: AD LDS on Windows Server 2008 R2 64-bit

    Policy Server: 12.52.101.640

    Policy Server OS: Windows Server 2008 R2 64-bit



  • 2.  Re: Reading Policy Store Data

    Posted Dec 30, 2015 05:00 PM

    Hi Jamie,

     

    What error do you get when you try to read the Policy store partition with this user?

    I don't think we have any special restriction set.

     

    Can you try using our Policy reader tool using this user and see if that works? If that works, then it should not be a permission-related issue.

    Siteminder Policy Reader

     

    Cheers,

    Ujwol Shrestha



  • 3.  Re: Reading Policy Store Data

    Posted Jan 07, 2016 09:29 AM

    Hi Ujwol,

     

    Thanks for the response.

     

    We do not receive an error when reading the policy store partition. However we are not able to view the contents of the partition using a read-only ADLDS account. We can read every other branch of the AD LDS directory tree except for the Policy Store branch.

     

    As far as I am aware, the Policy Reader tool does not connect directly to the policy store but rather reads an export file (xml or smdif) of the policy store. This is different from what we are trying to achieve. We are trying to connect directly to the policy store via an LDAP connection.

     

    Thanks,

    Jaime



  • 4.  Re: Reading Policy Store Data

    Posted Jan 07, 2016 02:32 PM

    Hi Jaime,

     

    The latest version of the Policy reader tool can directly connect to the live policy store.

     

    Regards,

    Ujwol



  • 5.  Re: Reading Policy Store Data

    Posted Jan 08, 2016 11:13 AM

    Thanks for that clarification.



  • 6.  Re: Reading Policy Store Data

    Posted Jan 12, 2016 03:51 PM

    Ujwol,

     

    I am receiving the following error using the Policy Reader tool when trying to connect to the policy store using the same Read Only AD LDS account.

     

    Exception Name: LDAPSearchException(resultCode=32 (no such object), numEntries=0, numReferences=0, errorMessage='0000208D: NameErr

    Error Message: : : DSID-031522C9, problem 2001 (NO_OBJECT), data 0, best match of:    'OU=XX,DC=yy,DC=zz' ', matchedDN='OU=XX,DC=yy,DC=zz')

     

    The same account allows me to connect to the policy store using an LDAP browser. It allows navigation to and drilling down into the Configuration and Schema Partitions but does not allow me to drill down into the policy store partition.

     

    One difference: The LDAP browser does not require a root DN to be entered, while the Policy Reader requires a root DN.

     

    Thanks,

    Jaime



  • 7.  Re: Reading Policy Store Data

    Posted Jan 14, 2016 12:51 AM

    Are you setting 'OU=XX,DC=yy,DC=zz' as the root DN?

    If you use 'DC=yy,DC=zz' did it make a difference?



  • 8.  Re: Reading Policy Store Data

    Posted Jan 14, 2016 09:40 AM

    Hi SungHoon,

     

    Yes the root DN of the policy store partition is 'OU=XX,DC=yy,DC=zz'

     

    I receive the following error when I use 'DC=yy,DC=zz':

     

    Exception Name: LDAPSearchException(resultCode=10 (referral), numEntries=0, numReferences=0, errorMessage='0000202B: RefErr: DSID-031007EF, data 0, 1 access points              ref 1

    Error Message : 'yy.zz' ', referralURLs={'ldap://yy.zz/ou=PolicySvr4,ou=Siteminder,ou=Netegrity,DC=yy, DC=zz'}, responseControls={SimplePagedResultsControl(pageSize=0, isCritical=false)})

     

    The admin account (with full privileges) does not return any error when using the root DN 'OU=XX,DC=yy,DC=zz' but does return the above error when trying to use 'DC=yy,DC=zz' as the root DN.

     

    Thanks,

    Jaime
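    As an added illustration (not part of the thread or of the Policy Reader tool), the following Python script parses the two exception strings quoted in this post, distinguishes the "no such object" case (base DN not visible to the bind account) from the "referral" case (search sent to a different naming context), and derives the base DN a retry should use from the referral URL. The sample strings are constructed from the post's own placeholders (OU=XX, DC=yy, DC=zz).

```python
import re
from urllib.parse import urlparse, unquote

# Constructed samples shaped like the two Policy Reader errors quoted in this
# thread (OU=XX,DC=yy,DC=zz etc. are the thread's own placeholders).
NO_OBJECT = ("LDAPSearchException(resultCode=32 (no such object), numEntries=0, "
             "numReferences=0, errorMessage='0000208D: NameErr: DSID-031522C9, "
             "problem 2001 (NO_OBJECT), data 0, best match of: 'OU=XX,DC=yy,DC=zz' ', "
             "matchedDN='OU=XX,DC=yy,DC=zz')")
REFERRAL = ("LDAPSearchException(resultCode=10 (referral), numEntries=0, "
            "numReferences=0, errorMessage='0000202B: RefErr: DSID-031007EF, data 0, "
            "1 access points ref 1: 'yy.zz' ', referralURLs={'ldap://yy.zz/"
            "ou=PolicySvr4,ou=Siteminder,ou=Netegrity,DC=yy, DC=zz'}, "
            "responseControls={SimplePagedResultsControl(pageSize=0, isCritical=false)})")


def parse_ldap_exception(text):
    """Extract resultCode, matchedDN and referral URLs from an LDAPSearchException string."""
    code = re.search(r"resultCode=(\d+)", text)
    matched = re.search(r"matchedDN='([^']*)'", text)
    return {
        "result_code": int(code.group(1)) if code else None,
        "matched_dn": matched.group(1) if matched else None,
        "referral_urls": re.findall(r"ldaps?://[^'}]+", text),
    }


def referral_base_dn(url):
    """The DN part of an LDAP referral URL, with the stray spaces seen in the quoted URL removed."""
    dn = unquote(urlparse(url).path.lstrip("/"))
    return ",".join(part.strip() for part in dn.split(","))


def diagnose(text):
    """Map the two result codes seen in the thread to the next check an operator would run."""
    info = parse_ldap_exception(text)
    if info["result_code"] == 32:
        info["advice"] = ("base DN not visible to this bind identity: confirm the DN and "
                          "the account's read/list rights on %s" % info["matched_dn"])
    elif info["result_code"] == 10 and info["referral_urls"]:
        url = info["referral_urls"][0]
        info["base_dn"] = referral_base_dn(url)
        info["advice"] = ("server referred the search to another naming context: retry "
                          "with base DN %s on %s" % (info["base_dn"], urlparse(url).hostname))
    else:
        info["advice"] = "unhandled result code; inspect the full exception"
    return info


if __name__ == "__main__":
    for sample in (NO_OBJECT, REFERRAL):
        print(diagnose(sample)["advice"])
```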



  • 9.  Re: Reading Policy Store Data

    Posted Apr 07, 2016 08:43 PM

    Hi Jaime,

     

    It seems like some referral stuff is causing the issue. Try using the ldapsearch command to check if that returns the same error.

     

    active directory - Domain Controller returns LDAP Referral for it's own domain - Server Fault

     

    Regards,

    Kar Meng



  • 10.  Re: Reading Policy Store Data

    Broadcom Employee
    Posted Apr 08, 2016 11:01 AM

    This sounds more like a question for Microsoft regarding ADLDS than for CA Siteminder. It's CA Siteminder data; however, Siteminder does not control the access to the data. That is ADLDS. What are your concerns about what Splunk will do to the data if it is granted additional privileges?