SiteMinder Policy Server is not failing over to the next server in the list when the LDAP server is eTrust Directory Server.

Document ID : KB000054432
Last Modified Date : 14/02/2018

Description:

Our Siteminder Policy Server was unable to connect to the User Directory and therefore users were not able to get access to protected resources.

We are running SiteMinder Policy Server 6 SP5 on Windows, using eTrust Directory as the User Store, and we have configured the user directory as follows:

ldapserver1:20689 ldapserver2:20689

The SiteMinder Policy Server log shows both servers as down, but the LDAP servers were up and running:

<- Begin
 
Status: Error 91 . Can't connect to the LDAP server
Status: Error 91 . Can't connect to the LDAP server
Failed to resolve user identity. Denying access.
 
-> End

Solution:

In this scenario, the Policy Server is running out of connections. The operating system was trying to create a new socket, but it failed because the connections to the eTrust Directory were not being closed.

You can check the number of connections using the netstat command.

In Unix systems the amount of sockets that a system can open is directly related to the number of file descriptors.

On Windows systems, connections can use only port numbers 1024 through 5000 by default.

Even if you increase the number of connections your system allows, that only delays the failure: the root cause is that connections from the SiteMinder Policy Server to the eTrust Directory Server are not being closed.
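The following is an added example (not part of the KB article) showing how to turn `netstat -an` output into evidence of this leak: it counts sockets whose remote port is the LDAP port (20689, from the User Directory definition above), measures how much of the default Windows 1024-5000 ephemeral range is in use, and compares two snapshots taken some time apart. The netstat text and the host addresses are constructed for the example.

```python
"""Spot a Policy Server -> LDAP socket leak in `netstat -an` output (added example)."""
import re
from collections import Counter

# One TCP line from `netstat -an`: Windows/Linux use addr:port, BSD/macOS use addr.port.
# The Recv-Q/Send-Q columns exist only on Unix, so they are optional.
TCP_LINE = re.compile(
    r"^\s*tcp\S*\s+(?:\d+\s+\d+\s+)?"
    r"(?P<laddr>\S+?)[.:](?P<lport>\d+)\s+"
    r"(?P<raddr>\S+?)[.:](?P<rport>\d+)\s+"
    r"(?P<state>[A-Z_]+)\s*$",
    re.IGNORECASE,
)

LDAP_PORT = 20689  # port from the User Directory definition on this page

def ldap_sockets(netstat_output, ldap_port=LDAP_PORT):
    """Return {state: count} for TCP sockets whose remote port is the LDAP port."""
    counts = Counter()
    for line in netstat_output.splitlines():
        m = TCP_LINE.match(line)
        if m and int(m.group("rport")) == ldap_port:
            counts[m.group("state").upper()] += 1
    return dict(counts)

def ephemeral_ports_used(netstat_output, low=1024, high=5000):
    """Distinct local ports in use within the default Windows ephemeral range."""
    used = {int(m.group("lport")) for m in map(TCP_LINE.match, netstat_output.splitlines())
            if m and low <= int(m.group("lport")) <= high}
    return len(used)

def leak_suspected(before, after, ldap_port=LDAP_PORT, growth=100):
    """A leak shows as ESTABLISHED sockets to the LDAP port growing between two snapshots."""
    b = ldap_sockets(before, ldap_port).get("ESTABLISHED", 0)
    a = ldap_sockets(after, ldap_port).get("ESTABLISHED", 0)
    return a - b >= growth

def constructed_snapshot(n_ldap):
    """Constructed Windows `netstat -an` text with n_ldap ESTABLISHED sockets to the LDAP port."""
    lines = ["Active Connections", "", "  Proto  Local Address          Foreign Address        State"]
    lines += ["  TCP    10.0.0.5:%d    10.0.0.20:%d    ESTABLISHED" % (1024 + i, LDAP_PORT)
              for i in range(n_ldap)]
    lines.append("  TCP    10.0.0.5:44818    10.0.0.9:1433    TIME_WAIT")  # unrelated socket
    return "\n".join(lines)

SNAPSHOT_EARLY = constructed_snapshot(40)    # shortly after Policy Server start
SNAPSHOT_LATER = constructed_snapshot(3900)  # hours later: nearly all of 1024-5000 consumed

if __name__ == "__main__":
    print(ldap_sockets(SNAPSHOT_LATER), ephemeral_ports_used(SNAPSHOT_LATER),
          leak_suspected(SNAPSHOT_EARLY, SNAPSHOT_LATER))
```

On a real host, feed the script the saved output of two `netstat -an` runs taken an hour or so apart; a steadily growing ESTABLISHED count to port 20689 while the directory servers are healthy points at the unclosed connections this article describes rather than at an LDAP outage.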

In order to configure eTrust Directory Server to handle Siteminder specific LDAP connections, the following configuration settings need to be defined for the router DSAs:

# CA Siteminder specific settings
set mimic-netscape-for-siteminder = true;
set concurrent-bind-user = <Siteminder BIND DN>;
set ignore-name-bindings = true;
set hold-ldap-connections = true;

Where <Siteminder BIND DN> is the full DN of the user CA Siteminder uses to connect to CA Directory, e.g. <c US><o ACME><ou administrators><uid smuseradmin> for the User store and <c US><o ACME><ou smpolicy><uid smpolicyadmin> for the Policy store. It is suggested to add these settings to the end of the relevant router DSA settings file (i.e. $DXHOME/config/settings).

It should look like:

# CA Siteminder specific settings
set mimic-netscape-for-siteminder = true;
set concurrent-bind-user = <dc com><dc mycompany><ou myou><ou administrator><uid smadmin>;
set ignore-name-bindings = true;
set hold-ldap-connections = true;