We'd like to know if the Policy Server can understand and map the
return codes from LDAP AD-LDS into Siteminder smauthreason codes ?
Indeed, the Policy Server is capable of that out of the box.
But you have to pay attention to existing issue about this
topic. Before the CR06, the Policy Server has issue to map correctly
the returns codes from AD into the correct smauthreason allowing
disable user to login among the others.
As such, we recommand you first to upgrade the Policy Server, Policy
Store and AdminUI to the latest 12.52SP1CR09 version :
Defects Fixed in 12.52 SP1 CR09
Policy Server incorrectly recognizes AD LDS user store as AD user store.
Policy Server fails to log in users with AD LDS as the user directory.
Defects Fixed in 12.52 SP1 CR08
After unlocking a user account, Policy Server fails to allow the user to log in to the application in the first attempt.
Defects Fixed in 12.52 SP1 CR05
The Authreason codes from Policy Server are not same as the AD response irrespective of the status of isADEnhanced.
Defects Fixed in 12.52 SP1 CR04
Policy Server Logs in a Locked Out User
Policy Server allows the log in of a locked out user when the Enhanced AD integration is enabled.
STAR Issue: 00177871
RTC Issue: 163151/DE106953
Issue with Password Attributes
User experiences issues with the "Password expires from inactivity" and "Password expires if not changed: After Days".
STAR Issue: 00100029
RTC Issue: 157066/DE76528
Defects Fixed in 12.52 SP1 CR02
SiteMinder Returns Incorrect Smauthreasoon Code (139126) / (158072)
CA Single Sign-On returns smauthreasoon code 0 when Illegal characters are found in username.
This issue has been fixed. CA Single Sign-On now returns smauthreasoon code 55 when Illegal characters are found in username.
More, the AD-LDS should return the same codes as the AD, as AD-LDS is
based on the same technology as the AD :
Active Directory Lightweight Directory Services
Uses the same directory service technology as AD DS. There is a
common framework for both the network operating system (NOS)
services of AD DS and the application services of AD LDS, which
increases reusability of design and code.
Finally, you'll find here further documentation about the return codes
from AD and their mapping to the smauthreason codes :
Policy Server :: Disable Flag : SmAuthReason