Disabled User doesn't get Authorized as it was in Policy Server 6

Document ID : KB000008758
Last Modified Date : 14/02/2018
Issue:

We're running Policy Server, and for a specific URL, the Policy Server never authorizes the User as it should. Before, the former Policy Server version 6 was authorizing this access, and there wasn't any configuration change on this.

Why do we see this behavior change? How can we fix this?

 

Environment:
Policy Server 12.52SP1 on RedHat 6 64bit (Policy Server was upgraded from 6.0SP5CR05)
AdminUI 12.52SP1 on RedHat 6 64bit
Web Agent 5QMR7CR00 on Windows 2003SP2
Cause:

Authorization fails because the User is not found in the authorization mapping: the User is disabled.

The User is not authorized when requesting a GET on the protected resource.

Policy Server 12.52SP1 does not find the User in one of the LDAP servers defined for that resource:

ldap1:389
ldap2:389
ldap3:389

 

The former Policy Server 6.0SP5CR05 had a bug, corrected in 6.0SP5CR25, that allowed access even if the User was disabled.

 

From smps-6_0_5_35-readme.txt :

 

80437 The policy server directory mapping feature will no longer authorize a user when the authorization user directory has disabled the user but the authentication user directory has not disabled them.

Resolution:

Enable the User in the User Store, so that the Authorization call works with the Authorization Mapping.
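
To see which accounts are affected by the behavior change in readme item 80437, the following added example (not CA or Policy Server code) models the pre-fix and post-fix authorization decision and lists users whose result differs. The names `Entry`, `index`, `authorize_legacy`, `authorize_fixed` and `behaviour_changes` are hypothetical, the directory contents are constructed, and matching entries across directories by `uid` and requiring a mapped entry in both models are assumptions.

```python
# Added illustration, not CA/Policy Server code. Models readme item 80437 only.
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    uid: str
    disabled: bool

def index(entries):
    """Key entries by lower-cased uid (assumed mapping attribute)."""
    return {e.uid.lower(): e for e in entries}

def authorize_legacy(uid, authn, authz):
    """Pre-fix model: only the authentication directory's flag is honoured."""
    a, z = authn.get(uid.lower()), authz.get(uid.lower())
    return a is not None and z is not None and not a.disabled

def authorize_fixed(uid, authn, authz):
    """Post-fix model: a disabled flag in either directory denies access."""
    a, z = authn.get(uid.lower()), authz.get(uid.lower())
    return a is not None and z is not None and not (a.disabled or z.disabled)

def behaviour_changes(authn, authz):
    """uids authorized by the legacy model but denied by the fixed one."""
    return sorted(
        uid for uid in authn
        if authorize_legacy(uid, authn, authz)
        and not authorize_fixed(uid, authn, authz)
    )

# Constructed sample data standing in for exports of the two directories.
AUTHN_DIR = index([Entry("alice", False), Entry("Bob", False),
                   Entry("carol", True), Entry("dave", False)])
AUTHZ_DIR = index([
    Entry("alice", False),
    Entry("bob", True),     # disabled only in the authorization directory
    Entry("carol", True),   # disabled in both: denied before and after
    # dave has no mapped entry: denied in both models (assumption)
])

if __name__ == "__main__":
    for uid in behaviour_changes(AUTHN_DIR, AUTHZ_DIR):
        print(f"{uid}: enabled for authentication, disabled for authorization")
```

Each uid it reports is an account whose disabled state differs between the two directories and should be reviewed before it is enabled.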