How to configure CA LDAP Server R15 for z/OS (RACF) as User Store with SiteMinder Policy Server R12 SP3.

Document ID : KB000050621
Last Modified Date : 14/02/2018

Description:

This document describes the settings required to configure CA LDAP Server R15 for z/OS (RACF) as a User Store with SiteMinder Policy Server R12 SP3.

Solution:

  1. Policy Server Registry Changes

    The CA LDAP Server R15 for z/OS (RACF) exposes a different set of object classes than other LDAP servers. Before configuring a user directory connection for this server, the following Policy Server registry entries need to be modified. Listed below are these registry entries along with their updated values:

    1. HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\ClassFilters

      Replace the value in the LDAP: namespace in this registry entry with the following value as shown:

      Default value:
      LDAP:
      organization,organizationalUnit,groupOfNames,groupOfUniqueNames,group


      Replace this value with:
      LDAP:
      *


    2. HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\GroupClassFilters

      Replace the value in the LDAP: namespace in this registry entry with the following value as shown:

      Default value:
      LDAP:
      groupOfNames,groupOfUniqueNames,group


      Replace this value with:
      LDAP:
      *


    3. HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\PolicyClassFilters

      Replace the value in the LDAP: namespace in this registry entry with the following value as shown:

      Default value:
      LDAP:
      organizationalPerson,inetOrgPerson,organization,organizationalUnit,groupOfNames,groupOfUniqueNames,group


      Replace this value with:
      LDAP:
      *


    4. HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\PolicyResolution

      Add eTRACUserid and eTRACAdminGrp to this registry entry:

      Name              Type           Data
      eTRACUserid       REG_DWORD      0x00000001 (1)
      eTRACAdminGrp     REG_DWORD      0x00000002 (2)

      There is another registry entry, specific to UNIX platforms, that needs to be added under:
      HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Debug

      LDAPPingTimeout=    300;    REG_DWORD

      The value of this registry key can be adjusted according to the response time of the CA LDAP Server R15 for z/OS (RACF).
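      The registry changes in this section, applied from an elevated PowerShell session on a Windows Policy Server host. This is an added example, not part of the KB article; it assumes that "LDAP:" is a named string value under each of the three ClassFilters keys (as the wording "the value in the LDAP: namespace" indicates) and that the Policy Server service is restarted afterwards so the new entries are read.

```powershell
# Added example (not from the KB article): apply the Section 1 registry changes
# for CA LDAP Server R15 for z/OS (RACF) on a Windows Policy Server.
# Assumption: the LDAP namespace is stored as a string value named "LDAP:"
# under each *ClassFilters key. Run elevated; restart the Policy Server afterwards.
$base = 'HKLM:\SOFTWARE\Netegrity\SiteMinder\CurrentVersion'

# Export the Ds key first so the change can be rolled back with "reg import".
$backup = Join-Path $env:TEMP ('siteminder-ds-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export 'HKLM\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds' $backup /y | Out-Null
Write-Host "Backup written to $backup"

# 1-3: replace the LDAP: value of each class-filter key with "*".
foreach ($key in 'ClassFilters', 'GroupClassFilters', 'PolicyClassFilters') {
    $path = "$base\Ds\$key"
    $old  = (Get-ItemProperty -Path $path -Name 'LDAP:' -ErrorAction Stop).'LDAP:'
    Set-ItemProperty -Path $path -Name 'LDAP:' -Value '*' -Type String
    Write-Host "$key  LDAP:  '$old'  ->  '*'"
}

# 4: add the RACF object classes to PolicyResolution (REG_DWORD 1 and 2).
$res = "$base\Ds\PolicyResolution"
New-ItemProperty -Path $res -Name 'eTRACUserid'   -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $res -Name 'eTRACAdminGrp' -PropertyType DWord -Value 2 -Force | Out-Null

# Verify the result before restarting the Policy Server.
Get-ItemProperty -Path $res | Select-Object eTRACUserid, eTRACAdminGrp
```

      The UNIX-only LDAPPingTimeout entry is not covered here; on UNIX it is added to sm.registry by hand as shown above.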

  2. Configure Directory Connection

    To configure a CA LDAP Server R15 for z/OS (RACF) directory connection:

    1. Open the User Directory Dialog.

    2. In the Directory Setup tab, select LDAP from the namespace dropdown list.

    3. In the Directory Setup tab, enter connection information for your LDAP directory as described in User Directory Dialog - LDAP Namespace Directory Setup Tab in the CA eTrust SiteMinder Policy Design Reference Guide.

    4. Do not configure failover servers; failover is not supported for this server.

    5. In the LDAP Search box, in the Max Time field, specify a value of 300 seconds. A greater timeout value is needed since the Policy Server is known to take more time to retrieve the results from the CA LDAP Server R15 for z/OS (RACF).

    6. In the Credentials and Connection tab, specify administrator credentials that the Policy Server will use to connect to the CA LDAP Server R15 for z/OS (RACF). Specifying administrator credentials is mandatory as anonymous binds to the user store are not allowed with CA LDAP Server R15 for z/OS (RACF).

  3. Unsupported features

    1. Password services are not supported with this server.

    2. Anonymous binds to the CA LDAP Server R15 for z/OS (RACF) are not allowed. Therefore, in the "Credentials and Connection" tab of the User Directory Dialog, make sure to provide the Administrator Credentials.

    3. The following characters are not valid in a logon ID for CA LDAP Server R15 for z/OS (RACF):

      '(', ')', ',', the single quote ('), the backslash (\) and the space character.

    4. Authorization by group membership does not work: adding a user group to a policy and then trying to authorize a user from that group will fail.

    5. LDAP failover and replication are not supported.