RFI-Siteminder policy Filter

Document ID : KB000121698
Last Modified Date : 29/11/2018
Question:
We'd like to know how the LDAP searches are processed when selecting
these options in a User Directory Search Expression Editor:

  Search Users 
  Search Groups 
  Search Organizations 
  Search AnyEntry 

How are the LDAP requests done?
Answer:
At first glance, according to the documentation, the meaning of each of 
these options is: 

Search Users 

Indicates that the search is limited to matches in user entries. 

Search Groups 

Indicates that the search is limited to matches in group entries. 

Search Organizations 

Indicates that the search is limited to matches in organization 
entries (organizations and organizational units). 

Search Any Entry 

Indicates that the search includes all entries in the directory. 

https://docops.ca.com/ca-single-sign-on/12-8/en/using/administrative-ui/policy-and-related-dialogs-reference/users-screen/user-directory-search-expression-editor 

Obviously, the behavior depends on the way you configure each of them, 
as this functionality lets you set the filter manually. 

As you requested samples, I've configured a dummy entry for each, and here 
are the results: 

Test: 

If you configure the Users in the Policy as: 

  | Name                  | User Class           |
  |-----------------------+----------------------|
  | (businessCategory=ok) | Search Any Entry     |
  | (description=ok)      | Search Users         |
  | (initials=toto)       | Search Groups        |
  | (manager=ok)          | Search Organizations |


and here's what the Policy Server 12.8 will trace: 

(businessCategory=ok), filter is '(businessCategory=ok)' 

[11/13/2018][11:56:44.755][11:56:44][6586][140283421386496] 
[SmDsUser.cpp:899][CSmDsUser::ResolvePolicyObject][][][][] 
[][][][][][][][][][][][][][][Policy 
resolution for user: 'cn=jsmith,dc=training,dc=com', filter: 
'(businessCategory=ok)', type: 10, recursive: No][][Start of call 
HasRelationship.][][][][][][][][][][][][][][][][][][][][][][][][] 
[][][][][][][][][][][][][][] 

[11/13/2018][11:56:44.918][11:56:44][6586][140283421386496] 
[SmDsLdapProvider.cpp:2344][CSmDsLdapProvider::Search][][] 
[][][][][][][][][][][][][][][][][(Search) 
Base: 'dc=training,dc=com', Filter: '(businessCategory=ok)'. Status: 
0 entries.][][Ldap Search callout 
succeeds.][][][][][][][][][][][][][][][][][][][][][][][][][][] 
[][][][][][][][][][][][] 

(description=ok), filter is '(description=ok)' 

[11/13/2018][11:56:44.919][11:56:44][6586][140283421386496] 
[SmDsUser.cpp:899][CSmDsUser::ResolvePolicyObject][][][][][][] 
[][][][][][][][][][][][][Policy 
resolution for user: 'cn=jsmith,dc=training,dc=com', filter: 
'(description=ok)', type: 3, recursive: No][][Start of call 
HasRelationship.][][][][][][][][][][][][][][][][][][][][][][] 
[][][][][][][][][][][][][][][][] 

[11/13/2018][11:56:44.946][11:56:44][6586][140283421386496] 
[SmDsLdapProvider.cpp:2624][CSmDsLdapProvider::SearchCount] 
[][][][][][][][][][][][][][][][][][][(SearchCount) 
Base: 'cn=jsmith,dc=training,dc=com', Filter: 
'(description=ok)'. Status: 0 entries][][Ldap SearchCount callout 
succeeds.][][][][][][][][][][][][][][][][][][][][][][][][][] 
[][][][][][][][][][][][][] 

(initials=toto), filter is '(&(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))(initials=toto))' 

[11/13/2018][11:56:44.947][11:56:44][6586][140283421386496] 
[SmDsUser.cpp:899][CSmDsUser::ResolvePolicyObject][][][][][][][] 
[][][][][][][][][][][][Policy 
resolution for user: 'cn=jsmith,dc=training,dc=com', filter: 
'(initials=toto)', type: 8, recursive: No][][Start of call 
HasRelationship.][][][][][][][][][][][][][][][][][][][][][][][] 
[][][][][][][][][][][][][][][] 

[11/13/2018][11:56:44.948][11:56:44][6586][140283421386496] 
[SmDsLdapProvider.cpp:2344][CSmDsLdapProvider::Search][][][][][] 
[][][][][][][][][][][][][][(Search) 
Base: 'dc=training,dc=com', Filter: 
'(&(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))(initials=toto))' 
. Status: 0 entries.][][Ldap Search callout 
succeeds.][][][][][][][][][][][][][][][][][][][][][][][][][][] 
[][][][][][][][][][][][] 

(manager=ok), filter is '(&(|(objectclass=organization)(objectclass=organizationalUnit))(manager=ok))' 

[11/13/2018][11:56:44.949][11:56:44][6586][140283421386496] 
[SmDsUser.cpp:899][CSmDsUser::ResolvePolicyObject][][][][][][][] 
[][][][][][][][][][][][Policy 
resolution for user: 'cn=jsmith,dc=training,dc=com', filter: 
'(manager=ok)', type: 9, recursive: No][][Start of call 
HasRelationship.][][][][][][][][][][][][][][][][][][][][][][][][] 
[][][][][][][][][][][][][][] 

[11/13/2018][11:56:44.952][11:56:44][6586][140283421386496] 
[SmDsLdapConnMgr.cpp:1218][CSmDsLdapConn::SearchExts][][][][][] 
[][][][][][][][][][][][][][][][LDAP 
search of 
(&(|(objectclass=organization)(objectclass=organizationalUnit))(manager=ok)) 
took 0 seconds and 3332 
microseconds][][][][][][][][][][][][][][][][][][][][][][][][][][] 
[][][][][][][][][][][][] 
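To make the mapping in the trace explicit, here is an added Python example (not CA/Broadcom code) that rebuilds, for each User Class, the base and filter the Search/SearchCount trace lines report from the filter typed in the editor. The search base, user DN, objectclass lists and type codes are taken from the trace above; the well-formedness check on the typed filter is the example's own addition, not documented Policy Server behaviour.

```python
# Added example, not CA/Broadcom code: reconstructs from the trace above how a
# policy's "User Class" choice plus the hand-typed filter becomes the LDAP
# request the Policy Server sends.

# objectclass restrictions the trace shows being AND-ed onto the typed filter
GROUP_CLASSES = ("groupOfNames", "groupOfUniqueNames", "group")
ORG_CLASSES = ("organization", "organizationalUnit")

# 'type' codes as they appear in the ResolvePolicyObject trace lines
SEARCH_TYPES = {
    "Search Users": 3,
    "Search Groups": 8,
    "Search Organizations": 9,
    "Search Any Entry": 10,
}


def objectclass_restriction(classes):
    """Build the (|(objectclass=a)(objectclass=b)...) clause."""
    return "(|" + "".join(f"(objectclass={c})" for c in classes) + ")"


def is_well_formed(filter_expr):
    """Assumed check (not Policy Server behaviour): the editor accepts free
    text, so reject a filter whose parentheses do not balance."""
    depth = 0
    for ch in filter_expr:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and filter_expr.startswith("(") and filter_expr.endswith(")")


def effective_search(user_class, filter_expr, search_base, user_dn):
    """Return (base, filter) as the Search/SearchCount trace lines report them."""
    if user_class not in SEARCH_TYPES:
        raise ValueError(f"unknown user class: {user_class}")
    if not is_well_formed(filter_expr):
        raise ValueError(f"malformed LDAP filter: {filter_expr}")
    if user_class == "Search Groups":
        return search_base, f"(&{objectclass_restriction(GROUP_CLASSES)}{filter_expr})"
    if user_class == "Search Organizations":
        return search_base, f"(&{objectclass_restriction(ORG_CLASSES)}{filter_expr})"
    if user_class == "Search Users":
        # trace shows a SearchCount with the user's own DN as base, filter untouched
        return user_dn, filter_expr
    return search_base, filter_expr  # Search Any Entry: base is the directory root
```

Running it with the four policy entries from the table reproduces the four filters quoted before each trace excerpt.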

You should consider the following documentation section concerning 
policy configuration and performance: 

Policy Membership and Authorization Performance 

Policy membership is the part of a CA Single Sign-On policy that 
specifies which users apply to the policy. Policies are stored in 
domains, and as a result, you use filters to apply policy membership 
to any or all users stored in the user directories bound to the 
domain. The type of filter you define determines how the Policy Server 
evaluates policy membership. 

The following filters are listed in order, starting with the one that has the smallest effect on performance: 

All—"All" has the smallest effect on performance. When CA Single 
Sign-On authenticates a user, the Policy Server issues a session 
ticket. The session ticket identifies the user directory in which 
the user is stored. The Policy Server only has to compare the 
session ticket with the directory bound to the policy to determine 
that the policy applies to the user. 

Distinguished name—A distinguished name (dn) has a greater effect on 
performance than "All". The organization or organizational unit, 
which contains the dn of the authenticated user, is stored in the 
session ticket. The Policy Server has to compare the session ticket 
information with the policy membership filter to determine if the 
policy applies to the user. 

Group membership or search expressions—These types of filters have a 
greater effect on performance than distinguished names. Group 
membership and search expressions consume additional system 
resources and result in a user directory search. The Policy Server 
must: 

  Resolve the group membership or search expression. 
  Search the user directory to determine if the policy applies to the user. 

Nested groups—Defining policy membership with a nested group has the 
greatest effect on performance. The Policy Server must search each 
user group and all sub-groups in the directory to determine if the 
policy applies to the user. 

Important! Directories with deep group hierarchies can have a 
significant effect on the time it takes the Policy Server to 
evaluate policy membership. 

Note: You can enable the User Authorization cache to reduce the number 
of requests the Policy Server makes to user directories to resolve 
policy membership. 

https://docops.ca.com/ca-single-sign-on/12-8/en/implementing/implementing-ca-single-sign-on/performance-tuning/application-tier-performance