Why does the Policy Server do wildcard searches like userAccountControl=*?

Document ID : KB000015911
Last Modified Date : 14/02/2018
Question:

Why does the Policy Server do wildcard LDAP searches on the attributes below?

We run a Policy Server which uses an LDAP Active Directory User Store, and we see these wildcard search filters many times:

  userAccountControl=*
  pwdLastSet=*
  accountExpires=*
  UUID=*
  objectclass=*
  memberOf=*

Answer:

You see these searches because you have enabled the "Enable Enhanced Active Directory Integration" option for your Policy Server and you are using the LDAP namespace for your user directory configuration.

If the Active Directory User Store is configured for the LDAP namespace, you may disable "Enable Enhanced Active Directory Integration" in the global settings of your AdminUI in order to avoid those searches. If you are using the AD namespace, you cannot remove those searches.

You'll note that all Active Directory native attributes managed by the SiteMinder Policy Server, in both enhanced and non-enhanced mode, are described in this Knowledge Document:

https://support.ca.com/us/knowledge-base-articles.tec557680.html

Although the search filter is objectclass=*, userAccountControl=*, accountExpires=*, etc., these LDAP wildcard searches do not search the whole User Directory. An LDAP search carries one more parameter, the search scope, which tells the LDAP server what subset of the tree to search. This scope does not show up in the Policy Server traces, which only print the filter.

Each LDAP wildcard search is associated with a scope flag which limits the scope of the search.

The flag values along with their descriptions are:

| Flag                | Description                                                                          |
|---------------------+--------------------------------------------------------------------------------------|
| LDAP_SCOPE_BASE     | Search the base entry only                                                           |
| LDAP_SCOPE_ONELEVEL | Search all entries in the first level below the base entry, excluding the base entry |
| LDAP_SCOPE_SUBTREE  | Search the base entry and all entries in the tree below the base                     |

So when the LDAP_SCOPE_BASE flag is set, the search filter is evaluated against the base entry only. This is the scope used to get User Object Properties, for example: the base DN is the user's own entry, so a filter such as userAccountControl=* can match at most that one entry.

So, because of the scope flag, even if the filter contains a wildcard, the Policy Server does not search all the branches of the LDAP server.
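The following is an added illustration, not Policy Server or SiteMinder code: a small in-memory model of an LDAP directory that applies the three scope flags from the table above to a presence (wildcard) filter such as `(userAccountControl=*)`. The directory entries, DNs and attribute values are constructed for the example, and the DN handling is simplified (no escaped commas). It shows why a wildcard filter with LDAP_SCOPE_BASE returns at most the single base entry, while the same filter with LDAP_SCOPE_SUBTREE from the domain root would return every matching object.

```python
# Added example (not Policy Server / SiteMinder code): a minimal model of how
# the LDAP search scope bounds a wildcard (presence) filter such as
# (userAccountControl=*). Directory content and DNs below are constructed.
import re

LDAP_SCOPE_BASE = 0      # base entry only
LDAP_SCOPE_ONELEVEL = 1  # immediate children of the base, not the base itself
LDAP_SCOPE_SUBTREE = 2   # base entry and everything below it

# Constructed directory information tree: DN -> {attribute: [values]}
DIRECTORY = {
    "dc=example,dc=com": {"objectClass": ["domain"]},
    "ou=Users,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "cn=alice,ou=Users,dc=example,dc=com": {
        "objectClass": ["user"], "userAccountControl": ["512"],
        "pwdLastSet": ["131600000000000000"],
        "memberOf": ["cn=admins,ou=Groups,dc=example,dc=com"]},
    "cn=bob,ou=Users,dc=example,dc=com": {
        "objectClass": ["user"], "userAccountControl": ["514"]},
    "ou=Groups,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "cn=admins,ou=Groups,dc=example,dc=com": {
        "objectClass": ["group"], "member": ["cn=alice,ou=Users,dc=example,dc=com"]},
}

# Accepts "attr=*" with or without the surrounding parentheses of an RFC 4515 filter
_PRESENCE = re.compile(r"^\(?\s*([A-Za-z][A-Za-z0-9;.-]*)\s*=\s*\*\s*\)?$")


def parse_presence_filter(flt):
    """Return the attribute name of a presence filter like (attr=*); raise otherwise."""
    m = _PRESENCE.match(flt.strip())
    if not m:
        raise ValueError("not a presence filter: %r" % flt)
    return m.group(1)


def normalize_dn(dn):
    # Simplified RFC 4514 comparison: case-insensitive, whitespace after commas ignored
    return ",".join(part.strip().lower() for part in dn.split(","))


def parent_dn(dn):
    dn = normalize_dn(dn)
    return dn.split(",", 1)[1] if "," in dn else None


def in_scope(dn, base, scope):
    """True if the entry at dn is inside the search scope rooted at base."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    if scope == LDAP_SCOPE_BASE:
        return dn == base
    if scope == LDAP_SCOPE_ONELEVEL:
        return parent_dn(dn) == base
    if scope == LDAP_SCOPE_SUBTREE:
        return dn == base or dn.endswith("," + base)
    raise ValueError("unknown scope %r" % scope)


def has_attribute(entry, attr):
    # Attribute types compare case-insensitively; presence only asks whether any value exists
    return any(k.lower() == attr.lower() and v for k, v in entry.items())


def ldap_search(base, scope, flt):
    """Return the sorted DNs inside the scope that satisfy the presence filter."""
    attr = parse_presence_filter(flt)
    return sorted(dn for dn, entry in DIRECTORY.items()
                  if in_scope(dn, base, scope) and has_attribute(entry, attr))


if __name__ == "__main__":
    user = "cn=alice,ou=Users,dc=example,dc=com"
    for name, scope in (("BASE", LDAP_SCOPE_BASE),
                        ("ONELEVEL", LDAP_SCOPE_ONELEVEL),
                        ("SUBTREE", LDAP_SCOPE_SUBTREE)):
        print(name, "from", user, "->", ldap_search(user, scope, "(userAccountControl=*)"))
    print("SUBTREE from dc=example,dc=com ->",
          ldap_search("dc=example,dc=com", LDAP_SCOPE_SUBTREE, "(objectclass=*)"))
```

When checking a trace entry against the directory itself, the scope is the parameter to reproduce: with the OpenLDAP `ldapsearch` client it is the `-s` option (`base`, `one` or `sub`), so a base-scoped query against a user's DN with the filter `(userAccountControl=*)` returns that one entry, which is the read of User Object Properties the article describes.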