Policy Server Guides › Policy Server Administration Guide › Adjusting Global Settings › How to Enable Enhanced Active Directory Integration

How to Enable Enhanced Active Directory Integration

The process of enabling enhanced active directory integration involves the following three steps:

1. Create the IgnoreADpwdLastSet registry key
2. Enable enhanced active directory integration
3. Configure a user directory connection

Create the IgnoreADpwdLastSet registry key

If the version of Active Directory in use does not include the pwdLastSet attribute, then create the Policy Server registry key IgnoreADpwdLastSet.

Important! Create the IgnoreADpwdLastSet registry key and set a value of 1, only for those installations that do not have the pwdLastSet attribute defined.

Follow these steps:

1. Access the Policy Server host system and complete one of the following steps:
   • (Windows) Open the Registry Editor and navigate to the following location:

     SiteMinder\CurrentVersion\Ds\LDAPProvider
     

   • (UNIX) Open the sm.registry file. The default location of this file is siteminder_home/registry.

     siteminder_home

     Specifies the Policy Server installation path.

2. Create IgnoreADpwdLastSet with a registry value type of REG_DWORD.

   Value: 1

3. Do one of the following steps:
   • (Windows) Exit the Registry Editor.
   • (UNIX) Save the sm.registry file.
4. Restart the Policy Server.

Enable Enhanced Active Directory Integration

Active Directory 2008 has several user and domain attributes that are specific to the Windows network operating system (NOS) and are not required by the LDAP standard. These attributes are:

• accountExpires
• userAccountControl
• pwdLastSet
• unicodePwd
• lastLogon
• lastLogonTimestamp
• badPasswordTime
• badPwdCount
• lockoutTime
• lockoutDuration
• pwdMaxAge

If you configure the Policy Server to use Active Directory as a user store, enable Enhanced Active Directory Integration from the Policy Server Global Tools task available from the Administrative UI. This option improves the integration between the Policy Server’s user management feature and Password Services with Active Directory by synchronizing Active Directory user attributes with SiteMinder mapped user attributes.

Follow these steps:

1. Log into the Administrative UI.
2. Click Administration, Policy Server, Global Tools.

   The Global Tools pane opens.

3. Select Enhance Active Directory Integration. By default this feature is disabled.

   Note: After enabling this feature, you must have administrator credentials to modify the AD user store and have privileges to update AD attributes. If you do not have these credentials and privileges, the Policy Server returns an error message.

4. Click Submit.

   The Policy Server enables enhanced Active Directory integration.

5. Navigate to the User Directory dialog on the Infrastructure tab.
6. Open the Active Directory object for editing.
7. In the Root field, enter the default Windows domain’s DN as the user directory root. For example:

   dc=WindowsDomain,dc=com
   

   Note: If the Root field is set to another value, AD-specific features may not work.

8. Click Submit.

Configure a User Directory Connection

After you enable enhanced active directory integration, configure a user directory connection.

Follow these steps:

1. Click Infrastructure, Directory.
2. Click User Directories.
3. Click Create User Directory.

   The Create User Directory page appears with the required settings to configure an LDAP connection.

4. Complete the required connection information in the General and Directory Setup sections.

   Note: If the Policy Server is operating in FIPS mode and the directory connection is to use a secure SSL connection when communicating with the Policy Server, the certificates used by the Policy Server and the directory store must be FIPS compliant.

5. (Optional) Do the following in the Administrator Credentials section:
   1. Select Require Credentials.
   2. Enter the credentials of an administrator account.
6. Configure the LDAP search and LDAP user DN lookup settings in the LDAP Settings section.

   LDAP User DN Lookup

   Specifies the parameters for locating users in an LDAP user store.

   Start

   Specifies the text string that acts as the beginning of an LDAP search expression or user DN. When a user attempts to login, the Policy Server prepends this string to the beginning of the username.

   Value: (sAMAccountName=

7. Set the specified values for the following attributes in the User Attributes section:

   Universal ID

   Specifies the name of the attribute SiteMinder uses as the Universal ID.

   Value: sAMAccountName

   Disabled Flag

   Specifies the name of the user directory attribute that holds the disabled state of the user.

   Value: carLicense (or any integer attribute)

   Password

   Specifies the name of the user directory attribute that SiteMinder should use to authenticate a user’s password.

   Value: unicodePwd

   Password Data

   Specifies the name of the user directory attribute that SiteMinder can use for Password Services data.

   Value: audio

   The value for Password Data can be any large binary attribute. A value is needed only if you are using Basic Password Services.

   Note: For more information about the other fields, see the Administrative UI Help.

8. (Optional) Click Create in the Attribute Mapping List section to configure user attribute mapping.
9. Click Submit.

   The user directory connection is created.