Previous Topic: Configure the Session StoreNext Topic: How to Configure SSL Support

Policy Server GuidesPolicy Server Administration GuideConfiguring Policy Server Data Storage OptionsConfigure LDAP Storage Options

Configure LDAP Storage Options

Use the LDAP context–sensitive storage controls to point CA SiteMinder® to an LDAP directory server that is configured as:

Consider the following items:

Configure an LDAP Database

To configure an LDAP database

  1. Specify the Server name or IP address of the LDAP server in the LDAP IP Address field. For performance reasons, the IP address is preferred.

    Note: You can specify multiple servers in this field to allow for LDAP server failover.

  2. Specify the LDAP branch under which the CA SiteMinder® schema is located in the Root DN field (for example, o=myorg.org).
  3. If your Policy Server communicates with the LDAP directory over SSL, select the Use SSL check box.

    Note: If you select this option, you must specify a certificate database in the Netscape Certificate Database File field.

  4. Specify the DN of the LDAP directory administrator (for example, cn=Directory Manager) in the Admin Username field.
  5. Enter the administrative password for the LDAP directory in the Admin Password field.
  6. Confirm the administrative password for the LDAP directory in the Confirm Password field.
  7. Click Test LDAP Connection to verify that the parameters you entered are correct and that the connection can be made.
Configure LDAP Failover

If you have multiple LDAP directories, you can configure directories for failover. To enable failover, enter LDAP server IP addresses and port numbers in the LDAP Server field as a space-delimited list of LDAP server addresses. You can specify a unique port for each server. If your LDAP servers are running on a non-standard port (389 for non SSL/ 636 for SSL), append the port number to the last server IP address using a ‘:’ as a delimiter. For example, if your servers are running on ports 511 and 512, you can enter the following:

123.123.12.11:511 123.123.12.22:512

If the LDAP server 123.123.12.11 on port 511 did not respond to a request, the request is automatically passed to 123.123.12.22 on port 512.

If all of your LDAP servers are running on the same port, you can append the port number to the last server in the sequence. For example, if all of your servers are running on port 511, you can enter the following:

123.123.12.11 123.123.12.22:511
Configure Enhanced LDAP Referral Handling

Enhancements have been made to CA SiteMinder®’s LDAP referral handling to improve performance and redundancy. Previous versions of CA SiteMinder® supported automatic LDAP referral handling through the LDAP SDK layer. When an LDAP referral occurred, the LDAP SDK layer handled the execution of the request on the referred server without any interaction with the Policy Server.

CA SiteMinder® now includes support for non-automatic (enhanced) LDAP referral handling. With non-automatic referral handling, an LDAP referral is returned to the Policy Server rather than the LDAP SDK layer. The referral contains all of the information necessary to process the referral. The Policy Server can detect whether the LDAP directory specified in the referral is operational, and can terminate a request if the appropriate LDAP directory is not functioning. This feature addresses performance issues that arise when an LDAP referral to an offline system causes a constant increase in request latency. Such an increase can cause CA SiteMinder® to become saturated with requests.

To configure LDAP referral handling

  1. Open the Policy Server Management Console.

    Important! If you are accessing this graphical user interface on Windows Server 2008, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your CA SiteMinder® component.

  2. Select the Data tab.
    Enable Enhanced Referrals

    Mark this check box to allow the Policy Server to use enhanced handling LDAP referrals at the Policy Server, rather than allowing LDAP referral handling by the LDAP SDK layer.

    Max Referral Hops

    Indicates the maximum number of consecutive referrals that will be allowed while attempting to resolve the original request. Since a referral can point to a location that requires additional referrals, this limit is helpful when replication is misconfigured, causing referral loops.

  3. Modify the values as required.
  4. Restart the Policy Server.
Configure Support for Large LDAP Policy Stores

Large LDAP policy stores can cause Administrative UI performance issues.

To prevent these problems, you can modify the values of the following registry settings:

Max AdmComm Buffer Size

Specifies the Administrative UI buffer size (the maximum amount of data [bytes] that is passed from the Policy Server to the Administrative UI in one packet).

Configure this setting at the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion
\PolicyServ\

We recommend using caution when setting this value. Allocation of a larger buffer decreases overall performance.

Range: 256 KB to 2,097,000 KB

Default: 256 KB (also applies when this registry setting does not exist).

SearchTimeout

Specifies the search timeout, in seconds, for LDAP policy stores.

Configure this setting at the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion
\LdapPolicyStore\SearchTimeout

Examples of factors which influence the appropriate value for this setting include (but are not limited to) the following items:

A large enough value prevents any LDAP timeouts when fetching large amounts of policy store data.

Limit: Use hexadecimal numbers.

Default: 0x14 (20 seconds). This value is also used when the registry setting does not exist.

Example: 0x78 (120 seconds)

More information:

Configure the Policy Store Database

Configure a Separate Database for the Key Store