When the “View Contents” button is clicked on a user directory definition, the user store is searched by iterating through the object class types configured in the registry. This document covers which object classes are searched by default and how to change them.
The Single Sign-On policy server uses object classes to locate users, groups, and organizational units within a user store: for authenticating users, for retrieving group information, and for locating organizational units to select among when defining policies. When “View Contents” is clicked on a user directory, the ClassFilter registry value is read to determine which object classes to search for, and the results of all searches are concatenated and displayed as the directory contents.
All Single Sign-On (formerly SiteMinder) versions
By default, the registry has 5 object classes defined for ClassFilter:
LDAP:= organization,organizationalUnit,groupOfNames,groupOfUniqueNames,group; REG_SZ
This results in 5 searches being executed against the directory, for example:
base="dc=ca,dc=com" scope=2 filter="(objectClass=organization)" attrs="objectClass"
base="dc=ca,dc=com" scope=2 filter="(objectClass=organizationalUnit)" attrs="objectClass"
base="dc=ca,dc=com" scope=2 filter="(objectClass=groupOfNames)" attrs="objectClass"
base="dc=ca,dc=com" scope=2 filter="(objectClass=groupOfUniqueNames)" attrs="objectClass"
base="dc=ca,dc=com" scope=2 filter="(objectClass=group)" attrs="objectClass"
For example, if you know that your directory server does not use the groupOfUniqueNames object class, you can modify the ClassFilter registry value shown above to include or exclude the object classes you want the policy server to search. Test any change thoroughly to ensure it has the desired result in your environment.
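The following is an added illustration (not Single Sign-On code) of how the ClassFilter value drives “View Contents”: it splits the REG_SZ value into one subtree search per object class, runs those searches over a constructed in-memory set of LDAP entries standing in for a real directory, concatenates the results, and reports which configured classes returned nothing so you can see what a trimmed ClassFilter value would look like. Entry DNs, the `SAMPLE_ENTRIES` data and the `suggest_classfilter` helper are assumptions for the example.

```python
from collections import OrderedDict

# Default ClassFilter value from the registry (REG_SZ, comma separated).
DEFAULT_CLASSFILTER = "organization,organizationalUnit,groupOfNames,groupOfUniqueNames,group"

# Constructed sample directory: DN -> attributes. Not real data.
SAMPLE_ENTRIES = {
    "dc=ca,dc=com": {"objectClass": ["top", "domain"]},
    "ou=People,dc=ca,dc=com": {"objectClass": ["top", "organizationalUnit"]},
    "ou=Groups,dc=ca,dc=com": {"objectClass": ["top", "organizationalUnit"]},
    "cn=admins,ou=Groups,dc=ca,dc=com": {"objectClass": ["top", "groupOfNames"]},
    "cn=staff,ou=Groups,dc=ca,dc=com": {"objectClass": ["top", "groupOfNames"]},
    "uid=alice,ou=People,dc=ca,dc=com": {"objectClass": ["top", "person", "inetOrgPerson"]},
    "o=Other,dc=example,dc=org": {"objectClass": ["top", "organization"]},  # outside the search base
}

def parse_classfilter(reg_value):
    """Split the ClassFilter REG_SZ value into object class names, dropping blanks."""
    return [c.strip() for c in reg_value.split(",") if c.strip()]

def build_searches(base, reg_value):
    """One subtree (scope=2) search per configured object class, in registry order."""
    return [{"base": base, "scope": 2, "filter": "(objectClass=%s)" % oc, "attrs": ["objectClass"]}
            for oc in parse_classfilter(reg_value)]

def in_subtree(dn, base):
    """scope=2 covers the base entry itself and everything beneath it."""
    return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())

def run_search(entries, search):
    """Evaluate an (objectClass=X) filter in memory; objectClass matching is case-insensitive as in LDAP."""
    wanted = search["filter"][len("(objectClass="):-1].lower()
    return [dn for dn, attrs in entries.items()
            if in_subtree(dn, search["base"])
            and wanted in {c.lower() for c in attrs.get("objectClass", [])}]

def view_contents(entries, base, reg_value=DEFAULT_CLASSFILTER):
    """Concatenate the results of every search, as View Contents does; also count hits per class."""
    contents, hits = [], OrderedDict()
    for oc, search in zip(parse_classfilter(reg_value), build_searches(base, reg_value)):
        found = run_search(entries, search)
        hits[oc] = len(found)
        contents.extend(found)
    return contents, hits

def suggest_classfilter(hits):
    """Hypothetical helper: keep only classes that returned entries, in the original order."""
    return ",".join(oc for oc, n in hits.items() if n > 0)

if __name__ == "__main__":
    found, counts = view_contents(SAMPLE_ENTRIES, "dc=ca,dc=com")
    print(found, dict(counts), suggest_classfilter(counts))
```

A zero count in a sample like this only shows the mechanics; against a real directory, confirm a class is genuinely unused before removing it from ClassFilter.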