

LanMan User Directories

This section contains the following topics:

About LanMan User Directories

LanMan Directory Connection Prerequisites

Configure a LanMan Directory Connection

Failover for Windows User Directories

LanMan User Directory Search Criteria

About LanMan User Directories

In a Windows environment, the Policy Server enumerates and manages the resources in a directory service through the Microsoft Active Directory Service Interface (ADSI) layer. This layer abstracts the capabilities of directory services from different network providers in a distributed computing environment. However, the current version of ADSI has limitations that can adversely affect the performance of the Policy Server.

With ADSI, every Windows directory request must always pass through the Primary Domain Controller (PDC) first. This process compounds the network traffic that the PDC must handle. A custom solution to this dilemma is for the Policy Server to channel Windows directory requests to Backup Domain Controllers (BDCs) while bypassing the PDC. The Policy Server handles this sort of custom solution by using LanMan directory connections.

The LanMan user directory connection option allows you to specify a failover list of BDCs used for each user directory lookup in the Windows Registry. Using a LanMan directory connection, the Policy Server sends Windows directory requests to the first active BDC in the Registry list. The LanMan connection bypasses the PDC.

LanMan Directory Connection Prerequisites

The following conditions must be met before the Policy Server can use a LanMan directory connection to access user data in a Windows directory:

More information:

Configure a LanMan Directory Connection

Configure a LanMan Directory Connection

You can configure a LanMan user directory. The following process lists the steps for creating a user directory connection to the Policy Server.

  1. Configure Registry Keys for a LanMan Directory Connection.
  2. Configure a LanMan User Directory Connection.

Configure Registry Keys for a LanMan Directory Connection

The first procedure in configuring a LanMan directory connection is configuring the appropriate registry keys.

Follow these steps:

  1. Select Run from the Windows Start menu.
  2. Enter regedit, and click OK.
  3. Modify the following registry key:
  4. Create the following registry key:

    \HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Ds\Lanman_DC

  5. Create a registry key of the NT Domain Name under the Lanman_DC key:

    \HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Ds\Lanman_DC\<NT_domain_name>

    For example:

    \HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Ds\Lanman_DC\MyDomain

  6. Create a registry value named NumUserDir of type DWORD under the newly created NT Domain key. For the value data, enter the actual number of separate sets of user directories (maximum 16) in this NT domain.
  7. Create String registry values of UserDir0, UserDir1, …, UserDirN, in sequential order starting from 0, for each failover list of BDCs.
  8. Enter comma-delimited strings for each failover list. SmDsLanman reads the lists and finds the first active BDC in each failover list to look up NT users and groups.
  9. Repeat steps 5 through 7 for other NT domains.
  10. Restart the Policy Server services.
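
The registry layout from steps 4 through 8, scripted in PowerShell as an added example (not part of the original documentation or CA's own tooling). The function names are hypothetical, the BDC host names are constructed sample values, and step 3 and the service restart in step 10 are left to the operator.

```powershell
# Added example: run elevated on the Policy Server host.
# BDC host names in the usage lines are constructed sample values.
$Base = 'HKLM:\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Ds\Lanman_DC'

function Set-LanmanFailoverList {
    param(
        [Parameter(Mandatory)] [string]   $NtDomain,
        # One comma-delimited BDC failover list per set of user directories
        [Parameter(Mandatory)] [string[]] $FailoverLists
    )
    if ($FailoverLists.Count -lt 1 -or $FailoverLists.Count -gt 16) {
        throw "NumUserDir must be between 1 and 16; got $($FailoverLists.Count)."
    }
    foreach ($list in $FailoverLists) {
        # Reject empty entries such as 'BDC01,,BDC02' or a trailing comma
        $empty = @($list -split ',' | Where-Object { [string]::IsNullOrWhiteSpace($_) })
        if ($empty.Count -gt 0) { throw "Empty BDC entry in failover list '$list'." }
    }
    $key = Join-Path $Base $NtDomain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }  # steps 4-5
    # Drop stale UserDirN values so the key holds exactly NumUserDir lists
    (Get-Item -Path $key).Property | Where-Object { $_ -match '^UserDir\d+$' } |
        ForEach-Object { Remove-ItemProperty -Path $key -Name $_ }
    New-ItemProperty -Path $key -Name 'NumUserDir' -PropertyType DWord `
        -Value $FailoverLists.Count -Force | Out-Null                     # step 6
    for ($i = 0; $i -lt $FailoverLists.Count; $i++) {
        New-ItemProperty -Path $key -Name "UserDir$i" -PropertyType String `
            -Value $FailoverLists[$i] -Force | Out-Null                   # steps 7-8
    }
}

# Read the key back: NumUserDir must be 1..16 and UserDir0..UserDir(N-1) must all exist
function Test-LanmanFailoverList {
    param([Parameter(Mandatory)] [string] $NtDomain)
    $props = Get-ItemProperty -Path (Join-Path $Base $NtDomain)
    $n = $props.NumUserDir
    if ($n -lt 1 -or $n -gt 16) { return $false }
    $missing = @(0..($n - 1) | Where-Object { -not $props."UserDir$_" })
    return ($missing.Count -eq 0)
}

Set-LanmanFailoverList -NtDomain 'MyDomain' -FailoverLists 'BDC01,BDC02', 'BDC03,BDC04'
Test-LanmanFailoverList -NtDomain 'MyDomain'
```

Because the order of names inside each UserDirN string is the failover order, review the lists the same way you would review any change to which domain controllers handle authentication lookups.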

Configure a LanMan User Directory Connection

You can configure a user directory connection that lets the Policy Server communicate with a LanMan Directory user store.

Follow these steps:

  1. Click Infrastructure, Directory.
  2. Click User Directories.
  3. Click Create User Directory.
  4. Type the name and a description of the user directory.
  5. Select LanMan from the Namespace list.
  6. Type the name of the NT Domain that you configured in the registry keys in the Domain Controller Key field.
  7. Click Submit.

More information:

User Directories

Configure Registry Keys for a LanMan Directory Connection

Failover for Windows User Directories

The list of registry keys you create for the LanMan user directory connection determines failover order.

LanMan User Directory Search Criteria

LanMan directory connections are a type of Windows user directory connection. A LanMan directory connection functions similarly to a regular Windows connection. The only difference is which actual Domain Controller handles requests. This configuration does not affect the procedure for executing a user directory search.

More information:

Search User Directories