How to utilize an LDAP User Directory with a custom ObjectClass in a Single Sign On (fka SiteMinder) environment.

Document ID : KB000009795
Last Modified Date : 14/02/2018
Introduction:

By default, the CA Single Sign On Policy Server using an LDAP User Directory will perform searches against the LDAP directory for Users using the default ObjectClasses of "inetOrgPerson", "organizationalPerson", and "person".

Some organizations create a custom ObjectClass for their User Directory to only include specific attributes. Out of the box, CA Single Sign On (fka SiteMinder) will not be able to locate users in this User Directory for Authentication or Authorization purposes.

In order to allow users to be Authenticated and Authorized from the User Directory, the CA Single Sign On Registry needs to be configured to utilize the custom ObjectClass.

 

Environment:
CA Single Sign On; LDAP User Directory with a Custom ObjectClass
Instructions:

Windows:

 

1.) Open a command prompt with 'Run as Administrator' and run 'regedit'.

2.) Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\Siteminder\CurrentVersion\Ds\PolicyClassFilters".

3.) Right-click on "LDAP:" and select "Modify...".

4.) Add the name of the custom ObjectClass to the 'Value data:' field.

5.) Click 'OK'.

6.) Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\Siteminder\CurrentVersion\Ds\UserClassFilters".

7.) Right-click on "LDAP:" and select 'Modify...'.

8.) Add the name of the custom ObjectClass to the 'Value data:' field.

9.) Click 'OK'.

10.) Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\Siteminder\CurrentVersion\Ds\PolicyResolution".

11.) Right-click on the 'PolicyResolution' folder and select 'New>DWORD (32-bit) value'.

12.) Enter the name of the custom ObjectClass as the 'Name' of the DWORD. 

13.) Right-Click on the new Custom ObjectClass DWORD, and select 'Modify...'.

14.) Enter "1" in the 'Value data:' field.

15.) Click 'OK'.

16.) Close the Registry Editor.

17.) Restart the Policy Server to pick up the Registry changes.

 

Unix:

 

1.) Navigate to the 'CA/siteminder/registry' directory.

2.) Open the sm.registry file in a text editor.

3.) Add the Custom ObjectClass to the LDAP entry for the following keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\PolicyClassFilters
  • HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\UserClassFilters

for example,  

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\UserClassFilters=929345282

LDAP:=                inetOrgPerson,organizationalPerson,person,MyCustomObjClass;REG_SZ

 

4.) Add the Custom ObjectClass as a "0x1;REG_DWORD" to the following key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\PolicyResolution

for example,

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\PolicyResolution=56099019

container=                 0x5;       REG_DWORD
DN Attribute=              0xa;       REG_DWORD
Group=                     0x2;       REG_DWORD
Group Attribute=           0x8;       REG_DWORD
groupOfNames=              0x2;       REG_DWORD
groupOfUniqueNames=        0x2;       REG_DWORD
inetOrgPerson=             0x1;       REG_DWORD
Org Attribute=             0x9;       REG_DWORD
organization=              0x5;       REG_DWORD
organizationalPerson=      0x1;       REG_DWORD
organizationalRole=        0x4;       REG_DWORD
organizationalUnit=        0x5;       REG_DWORD
person=                    0x1;       REG_DWORD
Query=                     0x6;       REG_DWORD
residentialPerson=         0x1;       REG_DWORD
User=                      0x1;       REG_DWORD
User Attribute=            0x3;       REG_DWORD
MyCustomObjClass=          0x1;       REG_DWORD

 

5.) Save and close the sm.registry file.

6.) Restart the Policy Server to pick up the changes.