What LDAP queries does Single Sign-On (formerly SiteMinder) execute upon clicking the View Contents button in User Directory Properties dialog box?

Document ID : KB000024837
Last Modified Date : 14/02/2018

Summary:

When the “View Contents” button is clicked on a user directory definition, the policy server searches the user store once for each object class listed in the ClassFilters registry value. This document lists the object classes that are searched by default and explains how to change them.

Background:  

The Single Sign-On policy server uses object classes to locate users, groups, and organizational units within a user store, both when authenticating users and retrieving group membership and when listing organizational units to select among while defining policies. When “View Contents” is clicked on a user directory, the ClassFilters registry value is read to determine which object classes to search for; one search is issued per object class, and the results of all searches are concatenated and displayed as the directory contents.

Environment:  

All Single Sign-On (formerly SiteMinder) versions

Instructions: 

By default, the ClassFilters registry value lists 5 object classes. The value is shown below in the format of the sm.registry file used on UNIX and Linux policy servers; on Windows the same key and value are found in the Windows registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\ClassFilters=675379108
LDAP:=                 organization,organizationalUnit,groupOfNames,groupOfUniqueNames,group;  REG_SZ

This results in 5 subtree searches (scope=2) being executed from the user directory's search root, each requesting only the objectClass attribute of matching entries. As they appear in a directory server access log, for example:

base="dc=ca,dc=com" scope=2 filter="(objectClass=organization)" attrs="objectClass"
base="dc=ca,dc=com" scope=2 filter="(objectClass=organizationalUnit)" attrs="objectClass"
base="dc=ca,dc=com" scope=2 filter="(objectClass=groupOfNames)" attrs="objectClass"
base="dc=ca,dc=com" scope=2 filter="(objectClass=groupOfUniqueNames)" attrs="objectClass"
base="dc=ca,dc=com" scope=2 filter="(objectClass=group)" attrs="objectClass"


If you know that your directory server does not use a particular object class (groupOfUniqueNames, for example), you can edit the ClassFilters registry value shown above to add or remove the object classes the policy server searches for. Because every listed object class produces a full subtree search from the directory's search root, removing classes that are not present in the directory also removes needless searches. Test any change thoroughly to ensure it has the desired result in your environment; the directory server's access log, as in the example above, shows exactly which searches were issued.
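The following script is an added example, not code from CA/Broadcom or from this document. It parses the ClassFilters value in the sm.registry format quoted above, derives the objectClass search filters the policy server will issue, prints equivalent OpenLDAP ldapsearch commands for reproducing each search by hand, and audits a set of access-log lines to confirm that exactly the configured searches ran. The log lines, the host name ldap.example.com and the base dc=ca,dc=com are constructed for the example; the posixGroup line is included deliberately so the audit has something to flag.

```python
"""Model the View Contents searches driven by the ClassFilters registry value.

Added example (not CA/Broadcom code). The registry line and log lines below are
constructed to match the formats quoted in the article.
"""
import re

# The sm.registry value line as quoted in the article (value name "LDAP:", type REG_SZ).
REGISTRY_LINE = (
    "LDAP:=                 organization,organizationalUnit,groupOfNames,"
    "groupOfUniqueNames,group;  REG_SZ"
)

# Constructed directory access-log lines in the base=/scope=/filter= format shown above.
# groupOfUniqueNames is intentionally absent and posixGroup intentionally present.
SAMPLE_LOG = """\
base="dc=ca,dc=com" scope=2 filter="(objectClass=organization)" attrs="objectClass"
base="dc=ca,dc=com" scope=2 filter="(objectClass=organizationalUnit)" attrs="objectClass"
base="dc=ca,dc=com" scope=2 filter="(objectClass=groupOfNames)" attrs="objectClass"
base="dc=ca,dc=com" scope=2 filter="(objectClass=group)" attrs="objectClass"
base="dc=ca,dc=com" scope=2 filter="(objectClass=posixGroup)" attrs="objectClass"
"""

LOG_RE = re.compile(
    r'base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"'
)


def parse_class_filters(line):
    """Return the object classes listed in a 'LDAP:=<list>;  REG_SZ' registry line."""
    m = re.match(r"^\s*LDAP:=\s*(.*?)\s*;\s*REG_SZ\s*$", line)
    if not m:
        raise ValueError("not a ClassFilters LDAP: value: %r" % line)
    # Tolerate stray whitespace and empty entries such as a doubled comma.
    return [c.strip() for c in m.group(1).split(",") if c.strip()]


def expected_filters(classes):
    """One (objectClass=X) filter per configured class, in registry order."""
    return ["(objectClass=%s)" % c for c in classes]


def ldapsearch_commands(host, base, classes):
    """ldapsearch invocations that reproduce each View Contents search by hand."""
    return [
        "ldapsearch -x -H ldap://%s -b '%s' -s sub '(objectClass=%s)' objectClass"
        % (host, base, c)
        for c in classes
    ]


def parse_access_log(text):
    """Extract (base, scope, filter) tuples; lines not in the expected format are skipped."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            out.append((m.group("base"), int(m.group("scope")), m.group("filter")))
    return out


def audit(classes, log_text, base):
    """Compare the configured classes with what the log shows was actually searched.

    Returns (missing, unexpected): configured classes for which no search was
    logged, and objectClass searches logged that the registry value does not list.
    Only subtree searches (scope=2) from the given base are considered, since
    that is the shape of every View Contents search.
    """
    wanted = set(expected_filters(classes))
    seen = set()
    for b, scope, flt in parse_access_log(log_text):
        if b == base and scope == 2:
            seen.add(flt)
    return sorted(wanted - seen), sorted(seen - wanted)


if __name__ == "__main__":
    classes = parse_class_filters(REGISTRY_LINE)
    print("configured object classes:", classes)
    for cmd in ldapsearch_commands("ldap.example.com", "dc=ca,dc=com", classes):
        print(cmd)
    missing, unexpected = audit(classes, SAMPLE_LOG, "dc=ca,dc=com")
    print("configured but not searched:", missing)
    print("searched but not configured:", unexpected)
```

Run it against your own access-log excerpt after editing ClassFilters: anything reported as "searched but not configured" means the policy server is not reading the value you changed (or another directory definition is being displayed), and anything "configured but not searched" means a class you still list was never queried.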